Dutch Advisory Council on International Affairs (AIV) advises on internet freedom

The Dutch Advisory Council on International Affairs (AIV), which in 2012 published advice on cyber warfare, has now published advice on internet freedom (.pdf, in Dutch). The report follows a request for advice that the Minister of Foreign Affairs sent to the AIV in February 2014. The AIV is an independent agency that administratively resides in the Ministry of Foreign Affairs.

The 97-page report is written by well-read people: references are made to, among others, DARPA’s Total Information Awareness program of 2002, the NSA’s Bullrun project, writings from Evgeny Morozov and Jonathan Zittrain, opinions expressed by the US PCLOB, and so on — in addition to explaining the history and politics of ICANN and the ITU, and the complex concepts of privacy, freedom and censorship.

Three questions are addressed (official translation; emphasis is mine):

  1. How can the Dutch government ensure that internet freedom is embedded and further operationalized in Dutch domestic and foreign policy as effectively as possible, against the background of:
    1. the challenge facing governments, including the Dutch government, in weighing the right to privacy — as formulated in the UN resolution on this right — against other interests to be protected by those governments as they look for solutions to issues raised by digital communications;
    2. the leading role of the Netherlands in foreign policy concerning internet freedom, as illustrated by the Freedom Online Coalition (FOC), and the opportunities which the Netherlands has to influence the international debate, including the International Conference on Cyberspace in the spring of 2015; [=the Global Conference on Cyberspace 2015 (GCCS2015) – on 16 and 17 April, 2015]
    3. an international playing field in which more and more countries are seeking to exert tighter control over the internet (and its architecture) and are developing initiatives to that end;
    4. the right to protection of personal data, which is addressed in different ways by the UN, the Council of Europe and the EU.
  2. Is Dutch jurisdiction over internet freedom limited to activities in the Netherlands, or does it, by virtue of the increased technological possibilities, extend to situations outside the country? If such jurisdiction does not extend this far, how can the Dutch government help to effectively safeguard internet freedom beyond the Netherlands’ borders?  
  3. To what extent are businesses responsible for protecting citizens’ internet freedom in countries where they operate, and how can the Dutch government, both by itself and in cooperation with other countries, encourage businesses to assume such responsibility? [spoiler alert: the AIV defers this to corporate social responsibility, such as pursued by the Ruggie Framework]

The report makes the following eleven recommendations (my translation; emphasis is mine; ~1400 words):

Recommendation 1

Paragraphs III.2, III.4 and IV.3.2 explain that data of Dutch internet users is often stored on servers outside the Dutch jurisdiction. The countries where the servers are located are usually authorized to demand access to that data under certain conditions. Because computers cannot process encrypted data very well, and the data are stored outside the realm of Dutch legal protections, the cloud is potentially completely vulnerable. Safe Harbor agreements do not provide sufficient protection, because they are inadequate, hardly enforceable, and have large exceptions concerning national security. These risks deserve the cabinet’s full attention.

The Dutch government’s policy intends to make all domestic government-citizen relations happen via cyberspace: government records, registers and transactions must all take place electronically by 2017 [see a statement by the Minister of the Interior]. The AIV finds it urgent that clarity be sought on whether the storage and processing of these data risks the data ending up outside Dutch jurisdiction, where they cannot be sufficiently protected technically and legally. Policy measures and legal measures must be taken to prevent that, at least providing legal guarantees concerning access to the data equivalent to the legal safeguards that apply in the Netherlands (see paragraphs III.5.1 and III.5.2). Furthermore, it is important that the legal protection is sufficiently guaranteed.

Recommendation 2

The Netherlands has a good economic position on the internet market. It can improve this position by creating a positive business climate by means of optimal protection of internet freedom in all ways and facets discussed in the present advice. The organization of international conferences and institutes has a positive spin-off, but that remains ephemeral if it is not anchored in the Dutch internet community. As part of the international promotion of optimal internet freedom, the Netherlands could create a positive business climate in the Netherlands for internet companies, and stimulate the concentration of internet specialists in innovative science centers in the universities. Furthermore, the Ministry of Economic Affairs, that has a key role in this, could have better coordination between the directorates that deal with the internet.

Recommendation 3

The principle of human rights policy (one of the corner stones of the foreign policy) is that the Netherlands itself, without pretending to be perfect, wants to set an example, mostly in terms of openness and accountability: local democracy and freedom is the measure. This implies that the Netherlands must strive for the same high level of protection nationally as it promotes internationally. This is a responsibility of all Ministries, notably the Ministries dealing with internet topics.

In the pending constitutional amendment, the planned renewal of the Dutch Intelligence & Security Act of 2002, and the draft proposal Computer Crime III, it must be especially considered whether the Dutch government is following a policy and/or creates regulation that it can uphold internationally [in Dutch: “voor de dag kan komen”]. [note: essentially, this recommendation states that the Dutch govt should practice what it preaches, or else risks losing credibility. Dutch readers: see p.61 and p.68]

Recommendation 4

The ensuring of effective and independent oversight on intelligence and security services has got a lot of attention in the US following the Snowden affair, and it has also been discussed in the Netherlands by the review of the Dutch Intelligence & Security Act of 2002, among others by the motion filed by the Christian Democratic Appeal (CDA) party in the Senate that was adopted on October 7th 2014 (Eerste Kamer der Staten-Generaal, vergaderjaar 2014-2015, CVIII, D). The UN resolution “The promotion, protection and enjoyment of Human Rights on the Internet“, adopted in July 2012 by the UN Human Rights Council, according to which individuals have the same rights online as they have offline, must be guiding for Dutch policy. If, because of the permanent terror threat, means must be used against (categories of) persons that are not specifically suspected of anything, doing so can only be justified if effective and independent oversight exists. The AIV finds the strengthening of effective and independent oversight by the Dutch Data Protection Authority and the Dutch Review Committee on the Intelligence and Security Services (CTIVD) on the lawful and proportional use of investigatory and preventative powers, of great importance to internet freedom, as defined in the present advice, in the current state of technology and the changed international relations. [note, here, that the AIV does not rule out mass surveillance per se; it only states that mass surveillance can only be justified if “effective and independent oversight” exists.]

Recommendation 5

In 2014, the Netherlands will spend approximately 53.5 million euro on human rights policy (including Radio Netherlands Worldwide). Part of that is spent on promoting internet freedom. The Netherlands supports various important projects concerning internet freedom by providing man power and money. However, a coherent vision of the internet and the various facets that must be distinguished and emphasized, is lacking. Choices made concerning the support of such activities should be preceded by a general substantiation and prioritization, aimed at the facets of the internet problems that are relevant to the Netherlands. The government could, in consultation with those involved, develop specific measures that promote the freedom and security of the internet, such as the development and publishing of open source software. The AIV considers the lack of attention for improving international policy-making (such as the Internet Governance Forum and the reorganization of ICANN) to be a clear omission. [note: also see Recommendation 8: in the context of companies and internet organizations dominated by companies, the AIV considers it to be the government’s role to monitor whether new software and protocols infringe upon the European interpretation of the freedom of expression, privacy, and data protection.]

Recommendation 6

Much is happening concerning the EU issues as well. The Netherlands has a wait-and-see attitude concerning the upholding — or not — of the Safe Harbor agreement and the negotiations about the Umbrella agreement. The Netherlands has ample knowledge to play a more leading role in these topics. The Netherlands must take the view that upholding of the Safe Harbor agreement can not, without significant improvements, be a basis for data exchange with the US in the private sector. The Netherlands can use its chairmanship of the EU in 2016 to develop proposals for the EU with the purpose of renewing the existing, outdated legislation that has effects on internet freedoms.

Recommendation 7

A point of special attention is to provide better safeguards in the exchange of data between national intelligence and security services within Europe and beyond. In the renewal of the Dutch Intelligence & Security Act of 2002, the exchange of data between Dutch and foreign intelligence and security services should be legally regulated, in which sufficient safeguards must be provided for citizens, as explained in paragraph III.2.

Recommendation 8

The activities of companies and internet organizations dominated by companies can have a significant influence on internet freedom. Companies are primarily guided by profit considerations, and have to deal with various national and international legal frameworks. It is the government’s role to monitor whether new software, protocols, and such, infringe upon the European interpretation of the freedom of expression, privacy, and data protection. NGOs can have a signaling role. The question of how internationally operating companies can be involved in the Dutch human rights policy has been on the agenda for a long time. In the context of the present advice, the question is very urgent, because a small number of international companies is responsible for the international confidential and public communications, and the safeguards that should be provided. The government must therefore address the responsibility of these companies on international forums, and enter into a dialogue about human rights, such as the government also intends to do with foreign governments.

Recommendation 9

Questions related to internet freedom, as apparent in numerous places in the present advice, transcend government departments, and are increasingly connected to responsibilities that must be carried by the private sector and other stakeholders. The transcending issues make the execution of the Dutch human rights policy, especially in this domain, into a shared responsibility. The AIV therefore recommends that coordination and shared responsibility is striven for during decision preparation and decision making concerning internet issues.

Recommendation 10

The Netherlands must have a more consistent policy concerning the question of which internet views it wants to express at which international forums, and in what coalitions. The Ministry must spend more money and manpower in the Internet Governance Forum. Furthermore, it could promote privacy-enhancing measures within the ICANN and other internet organizations. An example is given in paragraph V.1: the WHOIS database of the SIDN, that registers domain names for the .nl domain, does not show address information of the domain name holder; bailiffs and lawyers can however request that data. The Netherlands could promote such a solution internationally.

Recommendation 11

In the policy-making concerning internet freedom, various Ministries are involved: the Ministry of Foreign Affairs, the Ministry of Security & Justice, the Ministry of Economic Affairs, the Ministry of the Interior, and the Ministry of Defense. The Ministry of Economic Affairs regularly consults with Dutch stakeholders in preparation for international meetings. This is an example that other Ministries can follow. Interviews with experts give the impression that the Ministry of Foreign Affairs has little connection with the Dutch internet community. It is desirable that the Ministry of Foreign Affairs assigns more personnel to bring knowledge of the internet up to standard, and to strengthen contacts with the domestic and foreign internet communities, also considering the EU.

We’ll have to wait and see how the government will respond to this advice, i.e., which recommendations they will (not) follow. The report does not address net neutrality; on page 9 it is stated that net neutrality is out of scope “because it relates to (European) competition law”. I don’t know how to interpret that (perhaps the AIV, which resides in the Ministry of Foreign Affairs, does not want to interfere with an issue that primarily resides in the Ministry of Economic Affairs).

These are ongoing developments in the Netherlands in which internet freedom can be at risk (probably a non-exhaustive list):

  • In November 2014, the Dutch govt announced that a proposal is being drafted to grant Dutch intelligence & security agencies bulk cable-interception power: the government is drafting a legislative proposal, conceptually described here, to update the Dutch Intelligence & Security Act of 2002, that would expand the existing bulk interception power of the Dutch intelligence agencies AIVD and MIVD from ether-only to also include cable communications. (Note: the latter already happened in Sweden in 2009: the FRA used to only be allowed bulk intercept of ether communications, but as of 2009 is also allowed to carry out bulk interception of cable communications, if tasked to do so. The Netherlands would, AFAIK, be the first country to contemplate introducing bulk cable interception in the post-Snowden era.)
  • In November 2014, the Dutch govt expressed its intent to uphold telecom data retention: in April 2014, the ECJ ruled the EU Data Retention Directive to be invalid. In November 2014, the Dutch govt expressed its intent to uphold the Dutch implementation, i.e., the Dutch Telecommunications Data Retention Act of 2009, with some cosmetic changes. They also intend to proceed with implementing a nation-wide ANPR database.
  • In January 2015, the Dutch govt will propose hacking powers for Dutch LE: there is the legislative proposal “Computer Crime III”, described here, that would provide law enforcement remote hacking powers to, under certain conditions, break into systems of which the geographic location is unknown (thus including systems that reside outside the Dutch jurisdiction);
  • In August 2014, the Dutch govt announced anti-jihadism plans that include voluntary censorship imposed on ISPs: in August 2014, the Dutch govt expressed its intent to implement a sort-of-voluntary censorship regime, in which the govt asks Dutch ISPs to voluntarily take content offline without involving a judge. This evolved from, among others, the controversial Clean IT Project, described here, that the Netherlands was chair of. From leaked documents of Clean IT, it turns out that one of the ideas that was going to be discussed internally was to exclude non-conforming ISPs from government tenders.
  • The Pirate Bay was blocked for three years in the Netherlands: in 2011, Dutch ISPs were ordered to block access to The Pirate Bay following a court ruling in a case started by Dutch anti-piracy organization BREIN. In January 2014, a court decided (.pdf, in Dutch) that the blocking was ineffective and disproportional, and the blockade was lifted. The point of this: Dutch citizens were subject to a three year long court-imposed blockade that only eventually was ruled to be ineffective and disproportionate.

The Netherlands will be hosting the fourth international Cyberspace Conference — Global Conference on Cyberspace 2015 (GCCS2015) — on April 16-17th 2015, and will be chair of the EU in 2016; these are opportunities for the Dutch government to pursue its stated human rights objectives; for instance by following the AIV’s recommendations. According to the National Cyber Security Strategy 2 – From awareness to capability (.pdf, 2013), the Netherlands seeks to be a diplomacy hub for expertise on international law and cyber security (quote from page 25):

The Netherlands aims to develop a hub for expertise on international law and cyber security in order to promote the peaceful use of the digital domain. To this end, the Netherlands combines knowledge from existing centres. The centre brings together international experts and policymakers, diplomats, military personnel and NGOs. This creates a network that brings together multidisciplinary knowledge about subjects such as international standards for conflict prevention, civil-military cooperation and non-proliferation of cyber weapons in the digital domain. The network also contributes to discussions about this subject. This forms the basis for a series of multi-stakeholder, high-level meetings.

It would be nice to see the Dutch national developments — many of which have international implications — be discussed at the Cyberspace Conference in 2015. I’m not aware whether that is the case.

The remainder of this post consists of a translation of the press release (Dec 19, in Dutch) and of the paragraph “Summary and conclusions”. Hyperlinks and parts in [] are mine.

WARNING: THESE ARE UNOFFICIAL TRANSLATIONS.

Here is a translation of the AIV’s press release (~400 words):

The internet: a global free space with limited state control

The internet was initially seen as a new technology that would provide a large contribution to the freedom of expression, but it also has consequences for other human rights, notably the right to privacy. This is of importance to a number of current legislative proposals, such as the renewal of the Dutch Intelligence & Security Act of 2002 (Wiv2002), the renewal of Article 13 of the Dutch Constitution concerning the postal secret [in Dutch: “briefgeheim”], and the proposals to extend powers of the police to fight computer crime.

Nearly everything that individuals do on the internet leaves trails, the so-called traffic data. The collection and analysis of very large amounts of traffic data has become possible thanks to increased computational power. While such data by itself does not say a lot about the internet user, by combining various traffic data a profile can often be made of an individual. That can threaten the privacy of internet users.

Governments and companies are increasingly offering services via the internet. The government, for instance, wants citizens to apply for a scholarship or housing benefits via the internet, because it is cheaper. The storage and processing of digital data in the cloud risks data ending up in a location outside the jurisdiction of Dutch authorities. In the US, where the large internet companies are located, the protection of privacy for foreigners is weaker than in the EU. In the cloud, data can not technically and legally be sufficiently protected. Other governments or companies, who have nothing to do with the scholarship or housing benefits of Dutch citizens, can then sometimes obtain access to that data. The Netherlands and the EU must take policy measures and legal measures to prevent that, for instance by making better arrangements with other countries.

Due to the permanent terror threat, intelligence and security services in various countries also increasingly make use of these possibilities. They also collect data about individuals who are not suspected of terrorism or other crimes. The AIV finds that this is only justifiable if effective and independent oversight exists on the intelligence and security services.

Companies play an increasingly large role in internet freedom in various ways. They can thwart governmental censorship, or cooperate with it. Some companies intend to collect data about individuals, threatening the right to privacy. Internet companies can design their technology in a way that increases internet freedom, or not pay attention to that. The legal role of companies in these aspects is not yet established. The AIV believes it is useful if the Human Rights Ambassador would not only consult with other countries, but also has human rights dialogues with large internet companies.

Here is a translation of the paragraph “Summary and conclusions” of the advice report (~1400 words):

Summary and conclusions

Chapter II explains that the internet has disembodied itself from the classic structure of international law of a treaty (that laid down global agreements about telecommunication), an international organization (the ITU) and the national states cooperating therein. A semi-private multistakeholder model replaced it, consisting of the ICANN (naming and addressing) and a set of technical groups that deal with internet standards and protocols. This was accompanied by a technical revolution in the way of sending data and a social revolution in the way of communication. Formally, the ICANN is still part of the US Department of Commerce. After the Snowden affair, the general feeling is that this association can no longer be upheld. A new structure needs to be found, based on the multistakeholder model.

This form of governance limits itself to the technical layers of the internet, although no consensus exists within the internet community even about this narrow definition of governance (see Chapter V.2). Besides this new internet structure, the old organization ITU actively keeps trying to expand its influence, recently in an attempt to change the International Telecommunications Regulations during the World Conference on International Telecommunications in Dubai, so far without success. Within the ITU, states such as Russia and China attempt to increase their control over internet communications, also its content. However, the UN started a new development with the Internet Governance Forum. In this global platform, states, in cooperation with other stakeholders, attempt to achieve consensus about the meaning of internet governance. So far with partial success, because it is very difficult — outside of the more technical issues — to reach consensus on topics that involve various views on values. The government’s questions are answered against this background.

The first question was: how can the Dutch government ensure that internet freedom is embedded and further operationalized in Dutch domestic and foreign policy as effectively as possible? Chapter III discusses this question at a conceptual level. First, it is explained that the current constitutional communications and privacy framework no longer suits today’s technology. At the same time, it is evident that such change must involve deliberation and carefulness, because a change can result in decreased protection.

This is demonstrated by, among others, the communication secret [in Dutch: “communicatiegeheim”] in relation to traffic data. In a network society, the communications secret is no longer a fixed given, but a protection of how and in what context an individual can communicate freely. A second aspect is that legal concepts are either designed for a different technical reality than the current internet (for instance the concept of “processing” in the data protection law), or assume a situation in which a clear distinction can be made between the “transport of a message” and “expressing a message” (from media and telecommunications law). Two other entangled questions are the international jurisdiction and universality versus national sovereignty. This contradiction is best seen in the difficult negotiations between the EU and US about the Safe Harbor principles in data protection. Another important aspect is the ongoing erosion of the concept of personal data, as a result of developments such as Big Data and mass or targeted surveillance of citizens. Many incorrectly assume that traffic data are, by definition, not personal data, while a collection of traffic data can allow establishment of (individual) profiles. The assumption that anonymous data can be collected on a large scale without effective oversight, is thus incorrect.

In addition, it is found that security must be understood in the context of the rule of law. Striving for the unattainable ideal of precluded event security can result in measures that are disproportional and harm the balance of the rule of law.

Furthermore, the present advice points out the ongoing battle concerning the broadening of the concept of internet governance; this too is important for the anchoring of internet freedom. This battle is fought in, among others, the ITU (paragraph II.3). The debate about the new organization that will replace ICANN is also of great importance, because control over the root is critical to internet freedom, and because ICANN is central to internet governance (paragraph V.1). The Internet Governance Forum seems like a suitable forum to discuss issues concerning the operationalization of internet freedom, but the secretariat of this forum suffers from a lack of personnel and financial means.

Moreover, the government can contribute to promoting internet freedom by applying the same normative principles in domestic policy discussions as those it promotes abroad. There is a risk that free constitutional democracies develop a Janus Face of legally protected freedom and insufficiently legal limitations of freedom, such as explained in paragraph V.2. That currently undermines the credibility of the US, as criticized in the Foreign Policy study “Begins At Home” by Richard Haass, president of the Council of Foreign Relations.

The second question was whether Dutch jurisdiction over internet freedom is limited to activities in the Netherlands, or Dutch jurisdiction, by virtue of the increased technological possibilities, extends to situations outside the country? If such jurisdiction does not extend this far, how can the Dutch government help to effectively safeguard internet freedom beyond the Netherlands’ borders? On the internet, the production, storage and distribution of information is no longer restricted by time and location. The internet does not have national boundaries. Although the technical possibilities have increased, this does not imply that powers are extended. In paragraph V.2.2 this question is focused on the legislative proposal Computer Crime III. The AIV finds that the draft proposal provides extended powers that exceed what is permissible by international law.

Nonetheless, national states have an important role because the physical infrastructure of the internet starts and ends within a territory over which the states have factual and legal power. The questions concerning access and free and uncontrolled communication are thus focused within national law. Chapters III and V, in which questions of access, surveillance and censorship are addressed, show that it concerns national decisions that must be tested against international (or regional: ECHR and EU) treaties. Paragraph V.4, on the other hand, explains that the large international enterprises, who have a key role in access and free use of the internet, are only very partially within Dutch jurisdiction, namely only when acts take place within the Dutch jurisdiction. It is regularly discussed when this precisely is the case in internet services. The Google Spain judgment of the European Court of Justice is a breakthrough on this aspect.

The third question was whether companies are responsible for protecting citizens’ internet freedom in countries where the companies operate, and how the Dutch government, by itself and in cooperation with other countries, can call upon companies to take that responsibility. The present advice explains that the organization of modern electronic communication strongly differs from the era in which the fixed phone and telex were the most important means of communication. State monopolies in international legal structure are replaced by a system of many players. In this system, the role of companies is large; this is discussed in several places in this advice, notably in Chapter II and in paragraph V.4. Companies have an important role in internet governance, and are providers of various services such as search engines, cloud (paragraph III.4.1 and IV.3.2) and email. Sometimes, companies are forced to act as an extension of the government, such as in data retention (paragraph III.2) or censorship, that they may or may not oppose (paragraph V.3). Companies thus have a considerable influence on internet freedom.

It can be concluded that the position of internet companies is not always clear legally. For instance, in the Netherlands, it is not clear for social media whether they are subject to telecommunication law or to media law. The answer to that question has important consequences for the extent to which those companies can be called to take responsibility concerning the contents of communications and publications. Furthermore, companies can be stuck between national jurisdictions with various legal regimes. For companies, commercial considerations are usually decisive, also where it involves the collection, processing and storage of data of internet users. The answer to the question to what extent companies are responsible for protecting internet freedom can not yet be given, legally. This question must be understood within the wider context of corporate social responsibility. To that end, the Ruggie Framework was established, which is a topic of international discussion, but that has special relevance in this domain.

The AIV states it interprets the word “internet freedom” in terms of the House of Freedom’s categories, as included in the Freedom on the Net 2013 report (.pdf, 2013):

  • Obstacles to access: assesses infrastructural and economic barriers to access; governmental efforts to block specific applications or technologies; and legal, regulatory, and ownership control over internet and mobile phone access providers.
  • Limits on content: examines filtering and blocking of websites; other forms of censorship and self-censorship; manipulation of content; the diversity of online news media; and usage of digital media for social and political activism.
  • Violations of user rights: measures legal protections and restrictions on activity; surveillance; privacy; and repercussions for online activity, such as prosecution, imprisonment, physical attacks, or other forms of harassment.

EOF

AIVD admits eavesdropping on Amsterdam-based law firm that defends terror suspects

UPDATE 2015-07-01: the court of The Hague has ruled today that the Dutch government must, in the next six months, change its current policy for interception of privileged communications: ruling (in Dutch) and press release (in Dutch). If the government fails to comply, it has to cease any such interception.

UPDATE 2015-06-26: the Minister of Defense sent a letter (in Dutch) to parliament to explain the relation between privileged (lawyer/client) communications and national security. Here’s a translation of the essence:

(…) First I want to point out that the position a lawyer holds in criminal law is different from the one in the context of an investigation by the intelligence & security service, in the course of carrying out their legal tasks on the basis of the Dutch Intelligence & Security Act of 2002. The rules that apply to a lawyer in criminal (procedure) law as holding a privileged position do not apply one-to-one in the latter context. Situations can exist in which the interest of national security prevails over the interest of privileged persons (in this case, being able to talk freely with clientele). As I stated during the parliamentary question time of April 21st 2015, the intelligence services can only under strict conditions proceed to use special powers against lawyers. In addition to the safeguards that apply to every use of a special power (necessity, subsidiarity and proportionality), extra criteria apply, including a shorter period of use of the power (one month instead of the normal three months). (…)

UPDATE 2015-03-10: in response (in Dutch) to parliamentary questions following a plea (in Dutch) from the National Bar Council, the Dutch Minister of the Interior stated that he does not believe it is necessary to introduce ex ante court approval for intercepting communications of lawyers.

UPDATE 2014-12-22: NRC Handelsblad published a piece (in Dutch) by Ot van Daalen (@digidefence) in which Ot, citing the case described below, recommends that lawyers encrypt communication with clients.

Today, Dutch newspaper NRC Handelsblad reports (in Dutch) that the Dutch intelligence & security agency AIVD spied on the Amsterdam-based law firm Prakken d’Oliveira, which defends terror suspects, among others. Here is a translation of NRC’s report:

AIVD admits eavesdropping on law firm that defends terror suspects

The secret service AIVD admits it eavesdropped on lawyers of the Amsterdam-based law firm Prakken d’Oliveira. The office states so on its own website, revealing a letter [.pdf, in Dutch] from Minister of the Interior, Ronald Plasterk.

The firm had filed a complaint because lawyers had suspected for years that they were being eavesdropped on by the AIVD. Prakken d’Oliveira defends many terror suspects, among others. In the written answer from the Minister, the Dutch Review Committee on the Intelligence and Security Services (CTIVD) partially confirms the complaint. The Minister states he will follow the CTIVD’s recommendation and says that the AIVD acted “inappropriately” in transcribing the phone conversations, text messages, and emails.

Wiretapped despite policy

The AIVD thereby admits that between January 1st 2003 and July 1st 2014, conversations were eavesdropped on, and text messages and emails from the lawyers were read and transcribed. The CTIVD says it has doubts about the necessity of transcribing communication of the law firm prior to 2007. In that year, the AIVD established a policy concerning wiretapping of phones, among others. But according to the CTIVD, messages have been transcribed unlawfully after that.

The eavesdropping of contact between lawyers and suspects is, in principle, prohibited by the attorney–client privilege [in Dutch: “verschoningsrecht”]. That privilege ensures free consultation between both parties, such that a proper defense can be prepared. Exceptions can only be made in case of imminent threats.

In a statement on its website, Prakken d’Oliveira states that the regulation concerning eavesdropping is “seriously inadequate”. The law firm wants the law to be changed such that wiretapping of communication means is only allowed after prior approval of a court. Currently, the AIVD can eavesdrop if the Minister consents that doing so is necessary.

EOF

Notes on transparency & statistics of use of special powers by intelligence services in NL and BE

UPDATE 2015-07-15: Dutch intel oversight committee (still) seeks to publish statistics on use of special powers, suggests topics for debate on the new bill.

The below is a comparison of (lawful) public availability of statistics about the use of investigatory powers by intelligence & security services in Belgium and the Netherlands; I intend to add more countries if I can find the necessary information (legislation, etc.).

Belgium: ADIV and VSSE

Belgium has a non-military intelligence & security service (VSSE) and a military intelligence and security service (ADIV). Oversight on lawfulness and expediency is carried out by the Belgian Standing Committee I (in Dutch: “Vaste Comité I”), an independent specialist body consisting of three persons, and some staff. The Standing Committee I is established by the Act Governing Review of the Police and Intelligence Services and the Coordination Unit for Threat Assessment of 1991 (hereafter: “Review Act of 1991”). The VSSE and ADIV are established by the Intelligence Services Act of 1998 (hereafter: “W.I&V”). The W.I&V provides the VSSE and ADIV with special investigatory powers. Oversight reports written by the Standing Committee I are not automatically fully published; it is possible to withhold elements from publication.

Article 35-2 of the Review Act of 1991 states that the Standing Committee I reports quantitatively on the use of such powers. My translation of the relevant part in that article:

(…) The report contains the number of warrants, the duration of use of the special methods for data collection, the number of persons [=targets] involved, and, where appropriate, the yields. The report also describes the activities of the Standing Committee I.

There is a restriction, however:

The elements contained in the report may not harm the proper functioning of the intelligence and security services or put the cooperation between Belgian and foreign intelligence and security services at risk. [note: the latter firstly concerns information shared with Belgium by foreign services.]

With that in mind, take note of the statistics in the table below that the Standing Committee I included in its 2013 activity report (.pdf, in Dutch and French): a LOT of transparency, I’d say. The fact that it is published is evidence in support of the hypothesis that this information is not considered to harm proper functioning of the Belgian services.

| “Specific” or “exceptional” investigative power (W.I&V 1998) | Authorization level | # 2013 (ADIV) | # 2013 (VSSE) |
| --- | --- | --- | --- |
| observation using technical means, in public places and private places accessible to the public or observation, with or without the use of technical means, of private places which are not accessible to the public (Article 18/2, §1, 1°) | Head of service + give notice to oversight body | 14 | 109 |
| inspection, using technical means, of public places, private places accessible to the public and closed objects located in these places (Article 18/2, §1, 2°) | Head of service + give notice to oversight body | 0 | 0 |
| consulting data identifying the sender or addressee of a letter or the owner of a PO box (Article 18/2, §1, 3°) | Head of service + give notice to oversight body | 0 | 0 |
| measures used to identify the subscriber or habitual user of an electronic communication service or the means of electronic communication used (Article 18/2, §1, 4°) | Head of service + give notice to oversight body | 66 | 613 |
| measures used to find call information for electronic communication methods (Article 18/2, §1, 5°) | Head of service + give notice to oversight body | 15 | 136 |
| localisation of the origin or destination of electronic communications (Article 18/2, §1, 5°) | Head of service + give notice to oversight body | 36 | 224 |
| observation, with or without the use of technical means, among others in private places which are not accessible to the public, or in premises used for professional purposes or as a residence for a lawyer, doctor or journalist (Article 18/2, §2, 1°) | Oversight body (unanimous prior consent) | 1 | 6 |
| inspection, with or without the use of technical means, among others of private places which are not accessible to the public or premises used for professional purposes or as a residence for a lawyer, doctor or journalist and of closed objects found in these places (Article 18/2, §2, 2°) | Oversight body (unanimous prior consent) | 0 | 6 |
| setting up or appealing to a legal entity to support operational activities and appealing to officers of the service, under a false identity or in a false capacity (Article 18/2, §2, 3°) | Oversight body (unanimous prior consent) | 0 | 0 |
| opening and reading letters, either sent via a postal service or not (Article 18/2, §2, 4°) | Oversight body (unanimous prior consent) | 0 | 6 |
| collecting data on bank accounts and bank transactions (Article 18/2, §2, 5°) | Oversight body (unanimous prior consent) | 5 | 11 |
| intrusion into a computer system, with or without the use of technical means, false signals, false codes or false capacities (Article 18/2, §2, 6°) [hacking] | Oversight body (unanimous prior consent) | 0 | 12 |
| tapping, listening to and recording communication (Article 18/2, §2, 7°) | Oversight body (unanimous prior consent) | 17 | 81 |

Bulk collection: neither ADIV nor VSSE currently (=Dec 2014) has a legal basis for any form of bulk collection, whether via intercepts or via requests for traffic/subscriber data addressed to telcos (source).

Netherlands: AIVD and MIVD

The Netherlands has a general intelligence & security service (AIVD) and a military intelligence and security service (MIVD). Oversight on lawfulness is carried out by the Dutch Review Committee on the Intelligence and Security Services (CTIVD), an independent specialist body consisting of three persons. Oversight on expediency resides at the Minister. All three entities are established by the Dutch Intelligence & Security Act of 2002 (hereafter: “Wiv2002”). The Wiv2002 provides the AIVD and MIVD with special investigatory powers.

CTIVD oversight reports are always sent to Parliament and openly published, but may, and often do, contain a classified appendix. The CTIVD can decide for itself what topics it wants to investigate, but can also start an investigation at the request of Parliament. In 2008, the CTIVD for the first time looked into the use of interception powers: targeted interception ex Article 25 Wiv2002, and selection from bulk-intercepted ether communication ex Article 27 Wiv2002. In 2010, the CTIVD decided to make interception an annually recurring topic of investigation.

Several attempts have been made by Dutch media, civil organizations (notably Bits of Freedom) and MPs to obtain interception statistics from the intelligence services. In 2010, Parliament adopted a motion requesting interception statistics. Two statistics were published: the number of targeted interceptions by the AIVD (1,078) and the MIVD (53) during 2009. No statistics from other years are available. In October 2014, a court in The Hague accepted the government’s argument that such numbers, in combination with other information that is already public or will become public in the future, provide insight into the methods and practices used by the AIVD and that this poses a risk to the effective functioning of the AIVD. In December 2014, the CTIVD decided to publish these statistics — but it got censored last-minute by the Minister of the Interior. Interesting stuff.

The table below shows the known statistics for the use of special powers by the AIVD and MIVD over 2013: none. Open question: how should the difference with Belgium be explained?

| “Special” investigative power (Wiv2002) | Authorization level | # 2013 (AIVD) | # 2013 (MIVD) |
| --- | --- | --- | --- |
| surveillance and monitoring of persons and property (Article 20) | Head of service, or delegate (in general); Minister (in case of house/residence) | ? | ? |
| deployment of agents (Article 21) | Head of service, or delegate | ? | ? |
| establishment of legal persons (Article 21) | Head of service, or delegate | ? | ? |
| searches of private places, including housing and closed objects (Article 22) | Head of service, or delegate (in general); Minister (in case of house/residence) | ? | ? |
| examination of objects to establish the identity of individuals (Article 22) | Head of service, or delegate | ? | ? |
| opening letters and packages (Article 23) | Court | ? | ? |
| intrusion into an automated work (Article 24) [hacking] | Head of service, or delegate | ? | ? |
| interception of communications, telecommunications or data exchange (Article 25) | Minister | ? | ? |
| exploring non-cablebound telecommunications (‘searching’) (Article 26) | None | ? | ? |
| undirected interception and directed selection of non-cablebound telecommunications (Article 27) | None (bulk interception); Minister (selecting from bulk intercepts) | ? | ? |
| retrieval of traffic and subscriber data from providers (Articles 28 and 29) | None | ? | ? |
| physical intrusion in support of other powers (Article 30) | None | ? | ? |

Bulk collection: yes, via interception (Article 26/27), but only ether. Both AIVD and MIVD have that power, but it is used far more for military tasks (MIVD) than national security. It is carried out by the NSO, which becomes part of the JSCU. In November 2014, the Dutch cabinet announced it seeks to expand this power to permit bulk interception of cable communication. Legislation is currently (=Dec 2014) being drafted. According to CTIVD report 38 (.pdf, in Dutch; see p.39), Articles 28/29 do not permit acquisition of bulk traffic/subscriber data from telcos. Article 24 (hacking) has been used to obtain web forum data in bulk; in cases where many non-targets were involved, the CTIVD judged this did not satisfy the requirement of proportionality (although those cases did satisfy the requirement of necessity).

Germany: BND, MAD, BfV and LfV

INFORMATION NEEDED: all information, tips, hints, suggestions, etc. are welcomed: see “Contact me” on the right. I’m both interested in learning whether or not statistics are officially published, and if they are, where I can find them.

UK: GCHQ, MI5, MI6, MoD (RIPA)

INFORMATION NEEDED: all information, tips, hints, suggestions, etc. are welcomed: see “Contact me” on the right.

An aggregate statistic is available of the number of RIPA warrants issued to GCHQ, MI5, MI6 and the MoD, combined. Many more statistics are available; see the IOCC’s report (.pdf) over 2013.

EOF

Dutch Data Protection Authority imposes penalty payment to Google re: Google privacy policy introduced in 2012

Today, the Dutch Data Protection Authority (CBP) announced it is imposing an incremental penalty payment on Google of up to 15 million euros:

CBP issues sanction to Google for infringements privacy policy

The Dutch Data Protection Authority (Dutch DPA) has imposed an incremental penalty payment on Google. This sanction may amount to 15 million euros. The reason for the sanction is that Google is acting in breach of several provisions of the Dutch data protection act with its new privacy policy, introduced in 2012.

Infringements

The results of the investigation by the Dutch DPA, as published earlier, show that Google combines personal data of internet users, amongst others to display personalised ads. This combining not only involves people that are logged in to a Google account, but also people that use the search engine, or people that visit a (third party) website that places or reads cookies from Google.

Data about, for example, search queries, location data, videos watched and e-mails can be combined with each other, while those services serve very different purposes. This combining occurs without Google adequately informing the users in advance and without the company asking for consent. This is in breach of the law.

“Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested,” says Jacob Kohnstamm, chairman of the Dutch DPA.

Incremental penalty payment

The Dutch DPA demands that Google:

  • Will ask for the unambiguous consent of users for the combining of personal data from the different Google services. This can be achieved via a separate consent screen. Unambiguous consent can’t be obtained through information about this processing in the general (privacy) terms and conditions.
  • Further clarifies the information in its privacy policy in order to provide clear and consistent information to people on which personal data are used by the different services of Google.
  • Provides clear information about the fact that YouTube is part of Google. With regard to this last point, Google seems to have already taken measures in the Netherlands.

Google has been given until the end of February 2015 to take the measures described above to end the breaches of the Dutch data protection act. After that, the Dutch DPA will verify whether Google has met all demands.

European data protection authorities

In the beginning of 2012, Google announced the introduction on 1 March 2012 of a global new privacy policy, applicable to the users of all services of Google. Following that, the French data protection authority launched an investigation, on behalf of all European data protection authorities. This resulted in the publication of investigation results in October 2012.

After this investigation, 6 data protection authorities, in France, Germany, the UK, Italy, Spain and the Netherlands decided to start national investigations, based on their own national data protection laws.

Google has recently sent a letter to the 6 data protection authorities, in which the company announces a large number of measures to comply with European privacy laws. The Dutch DPA has not yet established whether the proposed measures will end all the violations found by the Dutch DPA.

EOF

Dutch Parliament in favor of establishing a ‘House for Whistleblowers’

UPDATE 2017-07-11: updates moved to bottom.

On December 12th 2014, Dutch newspaper Volkskrant reported (in Dutch) that a majority of Dutch MPs favor the establishment of an independent “House for Whistleblowers”. There is a bill (.pdf, in Dutch), accompanied by a Memorandum of Understanding (MoU) (in Dutch), proposing a “House for Whistleblowers Act”.

The bill establishes a House for Whistleblowers (hereafter: the House) as a “zelfstandig bestuursorgaan” (ZBO), the Dutch version of a quasi-autonomous non-governmental organization. The House will consist of an advisory department and an investigatory department. The advisory task and investigatory task are subject to separation of duty. To make the House more independent from the government than normal ZBOs — and thereby deviating from the concept of ZBOs as defined by Dutch law —, the following rules will apply:

  • the Minister cannot appoint, suspend, or dismiss members of the House;
  • the Minister cannot require the House to provide information concerning the substance and methods of specific investigations;
  • the Minister cannot establish policy rules concerning the House’s task performance;
  • the Minister cannot dismantle the House.

Based on data from the National Ombudsman, the Whistleblowers Expert Group and the Advice Centre for Whistleblowers, it is anticipated, according to the MoU, that the House will be processing reports from four to six hundred whistleblowers annually, and that 10 percent of the reports, some 50 per year, will result in an investigation. The annual budget for the House is estimated at 3.5 million euro.

The bill provides whistleblowers the protection that they cannot be fired while an investigation by the House is ongoing. The following wrongdoings concerning public interest are explicitly recognized:

  • violation of a statutory provision;
  • a public health risk;
  • a risk to the safety of persons;
  • a threat to the environment;
  • a threat to the proper functioning of a public service or a business as a result of an improper way of acting or negligence.

Concerning whistleblower reports from the public sector, the bill obligates the following parts of government to fully cooperate with investigations carried out by the House:

  • the state;
  • provinces;
  • municipalities;
  • water boards;
  • public bodies for industry and the professions, for instance:
    • the Social and Economic Council of the Netherlands (SER)
    • the Dutch Order of Lawyers (NOvA)
    • the Dutch Institute of Chartered Accountants (NBA)
    • the Dutch Order of the Accountants-Administrator’s consultants (NvOAA)
    • the Royal Notarial Association (KNB)
    • the Royal Association of Bailiffs (KBvG)
  • other public bodies authorized under the Constitution;
  • European Grouping of Territorial Cooperation (EGTC) organizations seated by statutory in the Netherlands;
  • other legal persons established under public law, for instance, from the ZBO register:
    • the Authority for Consumers and Markets (ACM)
    • Staatsbosbeheer
    • National Library of the Netherlands (KB)
    • Netherlands Organisation for Scientific Research (NWO)
    • Royal Netherlands Academy of Arts and Sciences (KNAW)
    • TNO
  • other legal persons not established under public law vested with public authority, with the exercise of that authority being the core activity of the legal person, for instance:
    • Authority for the Financial Markets (AFM)
    • DNB

The House is also granted full physical access to these organizations. Based on Article 9:31 of the General Administrative Law Act (in Dutch: “Algemene bestuurswet”), officials from these bodies can be required to provide information. Officials are however allowed to refuse, if providing information is contrary to interests of national security, or constitutes a breach of official secrecy or other legal provisions.

Concerning whistleblower reports from the private sector, the House can summon any individual and require them to provide information, but the House is not granted full physical access.

It is proposed that the House has a chair person and at most four members, to be appointed by Parliament, and such that “all relevant expertise” to carry out its legal tasks is present. It is proposed that the House is supported by its own agency, employed by the House.

In 2013, opponents of the bill included the Dutch Association for Medium and Small Enterprises (VNO-NCW), the Dutch Association for Listed Companies (VEUO), the Dutch Minister of the Interior, the Netherlands Authority for the Financial Markets (AFM) and the DNB. The Minister and regulators expressed worries about potentially harmful interference with investigations that existing authorities are undertaking. Also, the combination of an advisory task and an investigatory task in a single organization was criticized.

Excluded from reporting a suspicion of wrongdoing to the House are magistrates (in Dutch: “rechterlijke ambtenaren”) and officials of the Dutch intelligence and security services AIVD and MIVD, as well as members of the Dutch Review Committee on the Intelligence and Security Services (CTIVD). According to the MoU, the reason for this exclusion is that those organizations have existing procedures for reporting and handling wrongdoing. These officials are however free to contact the House for Whistleblowers to obtain advice.

Lastly, here is my translation of the report by Volkskrant (hyperlinks and parts in [] are mine):

Netherlands first to establish independent House for Whistleblowers

Things usually don’t end well for someone who reports wrongdoing in government or business. A parliamentary majority wants to change that by establishing an independent House for Whistleblowers.

The Netherlands will be the first European country to have an independent House for Whistleblowers that provides legal protection for whistleblowers and investigates reports from whistleblowers.

The objective is to prevent whistleblowers from being isolated, fired, and forgotten without the wrongdoing being addressed.

That is the core of the bill that MPs from seven parties, led by Ronald van Raak (Socialist Party) sent to the Council of State this week. The House for Whistleblowers will be a quasi-autonomous non-governmental organization (in Dutch: “zelfstandig bestuursorgaan”), independent of the central government. It will have an annual budget of approximately 3.5 million euro and will be supporting four hundred to six hundred whistleblowers annually.

‘Whistleblowers are now often left to fend for themselves, while they often render a service to society’, Van Raak states. ‘They will soon be able to go to the House for Whistleblowers. They cannot be fired while an investigation into the wrongdoings they reported is ongoing. The objective is to prevent whistleblowers from being isolated, fired, and forgotten, without the wrongdoing being addressed.’

Van Raak has worked on the bill for over two years, after earlier attempts to regulate the legal position of whistleblowers failed. The reason for Parliament to address this issue was, among others, the fate of Ad Bos, the whistleblower who exposed fraud in the Dutch construction industry [.pdf, 2006]. Bos ended up living in a caravan, years after he had exposed the large-scale collusion of construction companies.

‘I am regularly contacted by whistleblowers, and as an MP I want to do something about the wrongdoings that they report’, says Van Raak. ‘This often could not be done because my sources would then be fired. That situation was very unsatisfactory.’

The bill’s authors expect that in 10 percent of the cases — about fifty times a year — employees of the House of Whistleblowers will themselves carry out research into possible wrongdoings. The House will get extensive powers for that, especially if the wrongdoing involves the government. The public authority involved, such as a Ministry or a water board, must provide the researchers full access, and fully cooperate.

The estimations of the annual numbers of whistleblowers and investigations to be carried out by the House of Whistleblowers are based on data from the National Ombudsman, the Whistleblowers Expert Group and the Advice Centre for Whistleblowers, where most whistleblowers currently turn to. The bill aims to end the fragmentation of policy concerning whistleblowers.

The House will also investigate private sector wrongdoings, but cannot simply walk in there. Investigation into reports from businesses will initially be limited to requesting information and written evidence. In case of suspicion of offenses, the Public Prosecution Service will be contacted.

The driving force behind the improved legal protection of whistleblowers is Gerrit de Wit, chairman of the Whistleblowers Expert Group Foundation. The former detective blew the whistle on fraud and corruption of officials at the Ministry of Housing at the end of the previous century, and has since been fighting for better treatment of whistleblowers.

‘Of course we wanted to have arranged things for whistleblowers even better, but it is an achievement in and of itself that this proposal is now sent to the Council of State’, De Wit says. ‘In the past fifteen years I have talked to hundreds of whistleblowers and saw the majority of them be ostracized. That will change in the near future, which is a victory’.

Own responsibility

Behind the scenes, a lot of lobbying was going on up until last week to prevent whistleblowers from getting legal protection. Opponents, including employers’ organizations, fear that the House of Whistleblowers will attract troublemakers and employees threatened with losing their job. They also think companies already are responsible themselves for dealing with wrongdoings in the workplace and that more than enough supervisors and inspection agencies exist.

Professor Leo Huberts (VU University), who specializes in integrity policy, thinks the establishment of an independent organization is a good thing. But, according to Huberts: ‘What I greatly miss, is focus on prevention. Integrity mostly is about awareness, about culture. This proposal also seems unfinished, and the name is quaint. The initiative started off with the right agenda that whistleblowers who report wrongdoings and have to deal with retribution, deserve legal and financial support. The proposal looks like an ambitious building under construction, but as far as I’m concerned, eventually a real nation-wide House for Integrity will exist.’

A large parliamentary majority is in favor of introducing the House for Whistleblowers. An earlier version of the bill was adopted by the Parliament, but got rejected by the Senate.

UPDATES (from new to old)

UPDATE 2018-12-19: Former employees report wrongdoings about the House for Whistleblowers (in Dutch, NOS). One report is about (in)effectiveness of the House for Whistleblowers in general, including its administrative procedures; another report is about the procedure of the appointment of the current chair, Wilbert Tomesen, who previously was chair of the Dutch Data Protection Authority (in Dutch: “Autoriteit Persoonsgegevens”). The NOS report contains no further details.

UPDATE 2018-03-06: Best Practice Guide voor wetgeving ter bescherming van klokkenluiders (in Dutch, by Transparency Netherlands)

UPDATE 2017-12-20: Nieuwe Eurobarometer onderstreept slechte staat van klokkenluidersbescherming (in Dutch; post by Transparency Netherlands regarding the new Eurobarometer special report on corruption that covers public and corporate activity)

UPDATE 2017-12-14: Herstart Huis voor Klokkenluiders (in Dutch; post by the House for Whistleblowers reporting that the house will be rebooted). Also today, a report on this by Transparency Netherlands: Huis voor Klokkenluiders staat op instorten na kritisch rapport (in Dutch).

UPDATE 2017-10-31: The European Parliament calls for protection of whistleblowers (EDRi).

UPDATE 2017-10-20: Crisis in Huis voor Klokkenluiders (Merijn Rengers, NRC Handelsblad; in Dutch). The director of the House for Whistleblowers, Paul Loven, resigns over the inability of the House for Whistleblowers to complete a single investigation in its first sixteen months of existence. Some 30 out of 800 reports received from (possible) whistleblowers were considered worthy of investigation. While the House was established after extensive debates in Dutch parliament and has its own legal basis, a spokesperson states that practice is more complex than expected. Loven requested former top official Maarten Ruys to conduct an investigation into this; it is not yet clear who will be Loven’s successor. The situation is somewhat reminiscent of what was observed in the U.S. in Feb 2015 regarding the Occupational Health and Safety Administration (OSHA): OSHA Whistleblower Investigator Blows Whistle on Own Agency.

UPDATE 2017-07-11: Wet Huis voor Klokkenluiders: een update (Linda Schut, Transparency Netherlands; in Dutch).

UPDATE 2017-03-13: NOS reports that since the House for Whistleblowers was opened in July 2016, 530 persons have made reports to it. 70 of them were established to be actual whistleblowers; the remainder reported what is qualified as ‘differences of opinion at work’. Half of the reports were made by persons employed in the private sector, one third of the reports were from persons employed in the public sector. The House for Whistleblowers published its annual report 2016 (.pdf; mirror) and a press statement.

UPDATE 2016-07-04: today, the House for Whistleblowers is officially opened (reports by NRC Handelsblad, in Dutch), and located in the city of Utrecht. Its first director is Paul Loven. It is stated that the House for Whistleblowers, which is established through Dutch national law, is the first of its kind in the world. Organizations that have 50+ employees are, as of now, expected to have (or establish) internal procedures for reporting perceived wrongdoings (and yes, that will come as a surprise to many organizations; for instance, 10% of Dutch municipalities, all of which have 50+ employees, currently have no such procedures). The House for Whistleblowers acts as a safe place to obtain advice and as a means of last resort for carrying out investigations in case internal reporting fails, or in case suspicions are that upper management (C-level) and/or shareholders are involved in fraud. Questions remain: as stated elsewhere in this blogpost, the House for Whistleblowers has both an advisory department and an investigatory department, which are ‘strictly separated’, but which nonetheless means that the ‘lawyer’ and ‘judge’ functions are exercised by people who are part of the same physical organization. Time will tell how this works out in practice. (Note: please do read the remainder of this post for more details; the House for Whistleblowers deals (only) with reports that affect a public interest, as explained elsewhere in this post. The legal details of whistleblowing are complicated; for more information, refer to e.g. the ‘klokkenluiders’ category at the Dutch website ‘Bijzonder Strafrecht’ and the legal expert book ‘Klokkenluiders in perspectief’ (Q4/2015).)

UPDATE 2016-03-01: today, the Senate adopted (unanimously) the bill (.pdf). Furthermore, the Senate adopted (non-unanimously) a motion (.pdf) intended to also provide protection, against being disadvantaged as a result of reporting wrongdoing, to non-employees who report alleged wrongdoing from a work situation, such as interns, volunteers and self-employed persons, who have no labor contract with the organization about which they submit a report to the House for Whistleblowers.

UPDATE 2016-12-xx: Transparency Netherlands published a position paper (.pdf, in Dutch) on the House for Whistleblowers.

UPDATE 2016-02-12: update (in Dutch) on the legislative proposal House for Whistleblowers.

UPDATE 2016-01-11: Dutch piece by Michael van Woerden (KeyCompliance) on the upcoming Senate debate on the legislative proposal (9 & 16 Feb 2016): “Voor klokkenluiders wordt 2016 het jaar van de waarheid”

UPDATE 2015-07-06: in-depth article by Rik van Steenbergen (Netherlands Trade Union Confederation, FNV): Whistleblowing Protection in the Netherlands: Latest Developments.

UPDATE 2015-07-01: overview article by M. Verveld-Suijkerbuijk (lawyer at NautaDutilh), in Dutch: “Het wetsvoorstel Huis voor klokkenluiders: Een praktijkgerichte bespreking” (.pdf, 2015)

UPDATE 2015-04-09: new documents available (in Dutch): the advice from the Council of State (.docx), an updated legislative proposal (.docx) that incorporates that advice, and an updated Memorandum of Understanding (.docx).

UPDATE 2015-03-18: meanwhile, at the EU level: CoE Parliamentary Assembly: Call for protection of whistleblowers in national security-related fields; i.e., the PACE Committee on Legal Affairs & Human Rights adopted the draft report “Improving the Protection of Whistleblowers” (.pdf, Mar 18; mirror). The draft report will be discussed at the PACE summer session in Strasbourg on 22-26 June 2015. (source: Statewatch) Huffington Post has an article about it (Mar 20).

UPDATE 2015-03-02: indeed, a house for whistleblowers might itself need whistleblowing — see this U.S. example: OSHA Whistleblower Investigator Blows Whistle on Own Agency

EOF

Ideas for Change: 100 tactics & principles for privacy campaigning (Simon Davies, Dec 2014)

UPDATE 2018-08-15: some links broke since publishing this post; I fixed them insofar as possible. The current version of Davies’ Ideas for Change is here (.odt, March 2017; mirror); the file does not properly open on my system, but maybe it will on yours.

On December 3rd 2014, Simon Davies (@privacysurgeon) presented and published Ideas for Change, a comprehensive guide to privacy campaigning consisting of 100 tactics & principles — also available in one file here (.pdf; mirror). For my own referencing purposes, I hereby list all 100 tactics & principles without Davies’ annotation and explanation.

 

WARNING: to understand the below, read the full original by Simon Davies.

 

The principles

 


General principles of influence

  1. Focus on the ‘Big Five’ emotional triggers: hypocrisy, unfairness, deception, secrecy and betrayal. 
  2. A truly influential campaign will not only disrupt bad initiatives, it will also shift underlying beliefs. 
  3. Your size isn’t as significant as how you use it
  4. The lone maverick can have more punching power than large institutions.
  5. Power is not only what you have, but what your opponent imagines you have.
  6. Imagining the scale of a threat is rarely accurate and can be infinitely manipulated 
  7. The bigger they come, the harder they fall

 


Principles of conduct and integrity

  1. Be scrupulous with the truth
  2. Check your facts until it hurts.
  3. Develop a profile of quiet confidence.
  4. The strength of your argument depends on the integrity of your commentary. 
  5. Lawbreaking must rest on a solid ethical foundation.
  6. Never make a threat you aren’t prepared – or aren’t able – to follow through.
  7. Never breach your own ethos

 


Guiding strategic principles

  1. Robust activism is driven by goals, excited by tactics and calmly guided by strategy. 
  2. The rationale for conflict is rarely self-evident; it must be strategically and ethically tested. 
  3. Risk-assess your strategy to anticipate turbulence. 
  4. Never decide the nature of engagement with an opponent until you’ve looked at all the options.
  5. Your campaign target may not be what you first imagine – and the targeted opponent rarely is. 
  6. Whenever possible, go outside the expertise of your opponent. 
  7. Make the opponent live up to its own book of rules.
  8. A campaign won in the blink of an eye can be lost in a heartbeat 
  9. There is rarely an outright victory, only an outright shift. 
  10. Any criticism by a major opponent can be turned into a campaign endorsement. 
  11. When big organizations respond in frustration, they usually fail.
  12. Engage real people at every opportunity.
  13. Use the legal system, but with caution 
  14. Create win-win situations against your opponent. 
  15. Know your opponent and know their past.

 


Ideas for strategy and tactics

  1. Overload the system
  2. Think global, act local 
  3. Build an ethical framework.
  4. Information is the new gold 
  5. Don’t be afraid to make it personal.
  6. Timing is the most important and least understood factor in campaigning – and often it’s the only factor that matters 

 


 

Specific campaign ideas

  1. Ridicule and satire are potent weapons
  2. Use complaint processes whenever possible
  3. Where possible, create tangible or physical evidence of an assertion
  4. Be a stakeholder manager 
  5. Make your opponent an offer it can refuse 
  6. Re-brand the opposition’s brand
  7. Become a shareholder
  8. My enemy’s enemy is my friend
  9. Never underestimate the power of prayer
  10. Conduct Comparatively good research
  11. Strike an emperor, strike to kill 
  12. The great walk-out
  13. Slur by association
  14. Use the party political system 
  15. Follow the money.
  16. Create strange bedfellows
  17. Leverage the police 
  18. Target influential people
  19. What you don’t know can be as important as what you know
  20. Publish unanswerable technical questions 
  21. Test the system.
  22. Guilt by association 
  23. Find a victim, any victim 
  24. Trap your opponent in a double loss position 

 


Negatives to positives

  1. If you push a negative hard and deep enough, it will break through into its counterside
  2. Plan for a victorious defeat

 


Critical campaign risk factors and risk mitigation

  1. Understand the elastic limit of your supporters.
  2. Don’t risk staking everything on media coverage
  3. Keep your messaging consistent and real. 
  4. Never concede or confess anything to the opponent.
  5. Always respond to an accusation of inaccuracy with a counterclaim of secrecy.
  6. Negative campaigns should conceive a constructive alternative to avoid a perception that they are destructive. 

 


Media and Communications strategy

  1. If your issue can’t be expressed in a nine-word headline, you have a thesis, not a campaign. 
  2. A successful first strike in media offers opportunity to the opponent.
  3. A good media strategy ensures you’ll always be quoted, but a great media strategy hands you the headline.
  4. Use active language and don’t be afraid to speak your mind. 
  5. Images can be more powerful than words.
  6. You are what you write 
  7. Get real about the value of media coverage.
  8. Viral a conspiracy.
  9. Do all the running for media
  10. Make your website more than a soap box.

 


Guiding principles for campaign planning and formation

  1. Strategically brand your public identity 
  2. A good tactic is one your supporters enjoy.
  3. Become academic
  4. Always ensure your campaign lifespan is sustainable.
  5. Create partnerships to empower the campaign 

 


Critical risk factors for the campaign organization

  1. Avoid the hothouse 
  2. Democratising a campaign can lead to dangerous waters.
  3. Build and discreetly support a network 
  4. Maintain humility in leadership.
  5. Protect the organisation from castration 
  6. When planning a campaign, never assume continued support from any quarter unless you’ve considered all possible circumstances for its withdrawal. 
  7. No matter how highly you rate your value as a campaigner, your symbolic worth is greater to the opponent. 
  8. Take full risk and contingency measure to protect your infrastructure.

Guiding principles for managing and sustaining a campaign infrastructure

  1. “Keep the pressure on, 
  2. Do something surprising
  3. Know the difference between the need to keep control for your campaign to win and the need to let go of control for the issue to win. 
  4. Create a project-resource program.
  5. Love your team, but fear them equally.
  6. Do conventionally good things.
  7. Lighten up
  8. Know your technology
  9. Protect your info and your supporters.

EOF

Dutch govt response to ECJ’s April 2014 ruling on the EU Data Retention Directive

UPDATE 2015-10-30: the Dutch government announced it has decided on a bill that revises the invalidated Telecommunications Data Retention Act of 2009. Changes are proposed to take into account recent Dutch and European jurisprudence: access to retained data will now require prior approval from a magistrate (specifically, in Dutch, a “rechter-commissaris”), and only be permitted regarding offenses that allow temporary remand (and thus only regarding offenses that carry a maximum penalty of four or more years imprisonment). The status of the bill can be viewed here (in Dutch). The government will consult the Council of State and then submit the bill to parliament.

UPDATE 2015-01-30: answers (.doc, in Dutch) to Parliamentary questions from MP Verhoeven, Schouw, Van Tongeren and Gesthuizen about the illegality of the Dutch telecommunications data retention act.

UPDATE 2014-12-19: handy table (.pdf, by the Open Rights Group in cooperation w/EDRi) showing status of data retention in various EU Member States following the ECJ ruling.

UPDATE 2014-12-16: Dutch government: Let’s keep data retention mostly unchanged (Bits of Freedom)

TL;DR: the Dutch government upholds the existing Dutch implementation of the EU Data Retention Directive and proceeds with its proposal for ANPR data retention. The Dutch government does, however, cater to the ECJ’s ruling through some cosmetic changes.


On November 17th, the Dutch government responded (.pdf, in Dutch) to the ECJ’s rejection of the EU Data Retention Directive in April. The response addresses consequences of the ruling for the current telecommunications data retention legislation in the Netherlands, as well as for the ANPR data retention bill that is being prepared.

The remainder of this post consists of a translation of the entire 18-page response as sent to Parliament by the Minister of Security and Justice, Ivo Opstelten. Translation was done as literally as possible; interpretation is limited to phrases that necessitate non-literal translation to avoid confusion. Questions and suggestions for correction/improvement are welcomed. Hyperlinks and parts in [] are mine.

Relevant reading: Evaluation report on the Dutch implementation of the EU Data Retention Directive (post of July 17th 2014 on evaluation report published at the end of 2013).

WARNING: this is an unofficial translation.

1. Introduction and background

On April 8th 2014, the Court of Justice of the European Union (hereafter: Court of Justice) in the cases of Digital Rights Ireland and Seitlinger ruled on the validity of directive 2006/24/EC (hereafter: data retention directive). This concerns court cases C-293/12 and C294/12 [sic; latter should be “C-594/12”]. The data retention directive was ruled invalid by the Court of Justice.

Following this ruling, the Dutch State Secretary for Security and Justice during the parliamentary Question Time on April 8th stated that Parliament would be informed as soon as possible, to be expected within eight weeks, about the consequences of this ruling for the data retention law in the Netherlands (Handelingen Tweede Kamer 2013/2014, nr. 72, item 2).

On April 10th 2014, through letter 2014Z06389/2014D13189, the Permanent Committee for Security and Justice asked me to respond to this ruling of the Court of Justice, and more specifically to address the following questions:

  • Which (Dutch) laws are based on this directive? What does the ruling mean for the binding and execution/implementation of these laws?
  • Does the Dutch law on retention of telecommunications data need to be updated?
  • Does the ruling have consequences for telecommunications companies operating in the Netherlands and for other companies subject to this Dutch law? If so, what consequences?
  • What consequences does the ruling have for broad methods of storage of personal data by the government that currently exist and/or that the government intends to introduce?
  • What are the consequences of the ruling for the secret services?

On April 23rd 2014, through letter Kamerstukken I, 2013/14, 31 145, Y, the Permanent Committee for Immigration and Asylum / JHA Council [in Dutch: “vaste commissie voor Immigratie en Asiel / JBZ-Raad”] expressed that it considers the retention and storage of traffic and location data in accordance with the data retention directive to be a very extensive and severe infringement in fundamental rights, and asked the State Secretary for Security and Justice to state what measures will be taken, and when revocation or suspension of the data retention law concerning traffic and location data will take place.

During the General Meeting on the processing and protection of personal data on April 24th 2014, the Permanent Committee for Security and Justice and the Permanent Committee for European Affairs requested that the Dutch Data Protection Authority (CBP) and the Council of State be asked for advice about the ruling of the Court of Justice. The State Secretary for Security and Justice responded by stating that it cannot be ruled out that the eight week term would not be met (Kamerstukken II 2013/14, 32 761, nr. 64, pages 14-15 and 20). During the General Meeting on the JHA Council of June 4th 2014, the State Secretary of Security and Justice stated that some delay occurred and that he hoped to be able to provide more clarity by July (Kamerstukken II 2013/14, 32 317, nr. 246, pages 19 and 23).

On behalf of the government, the present letter addresses the consequences of the ruling of the Court of Justice in the cases of Digital Rights Ireland and Seitlinger for the data retention law concerning telecommunications data, and the Parliamentary questions following that ruling.

For the purpose of careful decision-making I have, through a letter dated May 20th 2014, requested the Vice President of the Council of State, on the basis of Article 21a, first member, of the Law on the Council of State, to provide me with information on what the possible consequences of this ruling are for the national legislation on retention of telecommunications data for the purpose of investigation and prosecution of offenses. On July 17th 2014 I received a letter with this information from the Advisory Division of the Council of State. In the course of establishing the present response, this information has been taken into account. On the basis of this response, a draft bill has been developed, that will be submitted to the CBP for advice. The CBP’s advice will thereby be sought on the consequences of the ruling of the Court of Justice for the data retention law in the Netherlands. This offers the opportunity to currently inform you, the Parliament, about the government’s response following the aforementioned ruling of the Court of Justice, and to publish the information from the Advisory Division of the Council of State. The latter information has been added as an appendix to the present letter. The draft bill for changing the Telecommunications Act [official English translation available here] and the Code of Criminal Procedure concerning providing public electronic communication services has also been added to this letter for information.

2. The data retention directive

The data retention directive concerns the retention of telecommunications data. The directive was intended to harmonize Member States’ national regulations, and to establish requirements for providers concerning the retention of data generated or processed by them, so as to ensure that those data were available for investigation and prosecution of serious crime, as defined in national legislation of the Member States. This concerned so-called traffic data: data about the use of telecommunication by individuals. The data retention directive required Member States to ensure that certain categories of telecommunications data were retained for a minimum of six months and up to two years. The categories of data to be retained were listed in the directive. It concerned data about the number of the caller and the called party, time, duration, and location of the start of the connection. The contents of a conversation or text message were not included in the directive. Historic traffic data about internet concerned, among others, the email address of the sender and recipient, and the traffic data of digital telephony. The contents of conversations, messages or emails, keywords that have been entered in a search engine and IP addresses of internet pages [sic] that were visited, were not included in the directive. The data retention directive established that Member States would implement regulations to ensure that data retained under this directive are only provided to competent authorities in certain well-defined cases, in accordance with national law (Article 4).

3. Dutch legislation implementing the data retention directive (current law)

The data retention directive was implemented in the Netherlands by means of the Telecommunications Data Retention Act of 2009 [in Dutch: “Wet bewaarplicht telecommunicatiegegevens”, Stb. 2009, 333], which was enacted as of September 1st 2009, and the Telecommunications Bill of July 6th 2011 that changes the retention period for telecommunications data concerning internet access, internet-based email and internet-based telephony. Furthermore, the implementation of the data retention directive was followed by a change of the Decision Telecommunications Data Security of 2009 [in Dutch: “Besluit beveiliging gegevens telecommunicatie”, Stb. 2009, 350].

The Telecommunications Data Retention Act of 2009 provides an extension and change of Section 11 (protection of personal data) and Section 13 (lawful interception) of the Telecommunications Act (Tw). Providers of public telecommunication networks and services retain data, insofar as these data are generated or processed within the context of the offered networks or services, for the purpose of investigation and prosecution of serious crime. The retention period is twelve months for data about telephony from a land-line or mobile network. For certain forms of internet-based telephony, such as VoIP, the functionality is so coherent with traditional telephony that the same retention period applies to such services. For internet data (internet access, internet-based email and other forms of internet telephony), the retention period is six months (Article 13.2a, third member, Tw). The categories of data to be retained are equal to those of the European directive. Following that directive, the retention period for so-called location data is increased from three to twelve months (Article 13.4, third member, Tw). This is for the purpose of data analysis to be able to trace data of holders of so-called prepaid cards (Decision Special Number Data Collection; in Dutch: “Besluit bijzondere vergaring nummergegevens”).

General criminal investigatory powers

Access to retained data is regulated in the Code of Criminal Procedure (and the Intelligence and Security Act of 2002). The Code of Criminal Procedure grants a public prosecutor [in Dutch: “officier van justitie”] the power to demand traffic data (Article 126n and Article 126u Sv). The use of this power requires suspicion of a crime for which remand is possible, or a reasonable suspicion that offenses are planned or committed in organized context that comprise a serious breach of the law. Besides the prosecutor, the investigating officer is itself authorized to demand so-called user data; this concerns data about name, address, place, number, and type of service. This concerns a far more limited category of data than the category of data that can be obtained on the basis of the power to demand traffic data. The use of this power is therefore not limited to cases involving serious offenses. The use of this power requires suspicion of an offense or a reasonable suspicion that offenses are planned or committed in organized context (Article 126na and Article 126ua Sv).

Special powers for counter-terrorism

Lastly, the prosecutor and investigating officer have special powers concerning counter-terrorism. In case of indications of a terrorist offense, the prosecutor is authorized to demand traffic data (Article 126zh Sv). Besides the prosecutor, the investigating officer is itself authorized to demand user data in case of indications of a terrorist offense (Article 126zi Sv).

If an exploratory investigation is aimed at preparing the investigation of terrorist offenses, the prosecutor can, in support of the investigation, demand data files from public and private institutions for the purpose of having the data therein processed (Article 126hh Sv). The data files can be searched for certain profiles and patterns of actions of individuals that are of importance to counter-terrorism. The use of this power requires a written warrant from the judge [in Dutch: “rechter-commissaris”]. This concerns a general power that can also be used on providers of telecommunication services or networks.

Data retained on the basis of the Telecommunications Data Retention Act are subject to the Dutch Data Protection Act [in Dutch: “Wet bescherming persoonsgegevens”, or “Wbp”] and Section 11 of the Telecommunications Act. The personal data that can be requested by the police and that are then processed for the purpose of investigation into offenses, are subject to the Police Data Act [in Dutch: “Wet politiegegevens”]. The oversight on compliance with the rules is exercised by the Telecom Agency (AT; in Dutch: “Agentschap Telecom”) of the Ministry of Economic Affairs and the Authority for Consumers and Markets (ACM), in cooperation with the Dutch Data Protection Authority (CBP). Providers are required to take suitable technical measures to protect the retained data from unauthorized use, to ensure that the data is only accessed by specially appointed persons, and that the data are immediately destroyed after the retention period (Article 13.5, second and third member, Tw). The Decision Telecommunications Data Security provides further rules concerning the protection of retained data. This concerns the requirement to take security measures to prevent unauthorized access, the screening of persons that have access to the data, and the destruction of data after the retention period.

4. The ruling by the European Court of Justice

In the ruling of April 8th 2014, the Court of Justice — at the request of the Irish High Court and the Austrian Verfassungsgerichtshof — examined the validity of the European directive, in particular in the light of two fundamental rights of the Charter of Fundamental Rights of the European Union [hereafter: “Charter”], namely the right to privacy (Article 7 of the Charter) and the right to family life (Article 8 of the Charter). These rights build on human rights and fundamental rights (ECHR). The Court of Justice finds that the European data retention directive is retrospectively invalid. The Court of Justice thereto considers that the data to be retained can provide very accurate clues about the private life of those whose data are retained, such as habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. It is not inconceivable that this eventually affects the right to freedom of speech that is laid down in Article 11 of the Charter (item 28). The infringement of the rights by the directive is wide-ranging and particularly serious (item 37).

The Charter requires that every infringement of rights and freedoms laid down in the Charter must be provided for by law and, subject to the principle of proportionality, limitations of these rights and freedoms may be made only if they are necessary and genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others (item 38). The principle of proportionality requires that an EU regulation is “appropriate” to pursuing legitimate objectives of that regulation, and does not exceed limits to what is appropriate and necessary. According to the Court, the retaining of telecommunications data can be considered appropriate to pursue the objective of the directive (item 49).

The Court of Justice then examines whether the EU regulation lays down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data. The review of certain paragraphs of the data retention directive leads the Court of Justice to find that the directive does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter (item 65). It was concluded that the EU legislator exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter (item 69). The considerations underlying this ruling will be discussed below, in the discussion of the cabinet’s response concerning the consequences of this ruling for national legislation. The European Commission left open the possibility to propose a new directive till after the formation of the new commission. It is yet uncertain whether the new European Commissioner will take an initiative on this.

5. Consequences of the ruling to the Dutch legislation concerning data retention of telecommunications data

The precise meaning of the potential consequences of the ruling of the Court of Justice for the Dutch legislation concerning the retention of telecommunications data requires a diligent analysis. The Court of Justice first finds that retention of telecommunications data for the purpose of preventing offenses and fighting crime in fact serves an objective of general interest (item 44). Taking into account the increasing importance of electronic means of communication, the retention of these data is a valuable instrument to authorities in criminal investigations. The retention of such data is therefore appropriate for attaining the objective pursued by the data retention directive (item 49). The Court of Justice then considers that the regulation does not lay down clear and precise rules governing the scope and application of the measure in question, and does not impose minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data (item 54). The Court of Justice finds that the directive entails a wide-ranging and particularly serious interference with the fundamental rights laid down in Article 7 and 8 of the Charter, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary (item 65).

The consequences of the ruling by the Court of Justice will now be discussed, as well as Parliamentary Questions that followed the ruling.

5.1. Can the Dutch legislation concerning retention of telecommunication data be upheld?

The first question is whether the Telecommunications Data Retention Act can be upheld, now that the data retention directive has been ruled invalid. The government answers that question in the affirmative. The Dutch law was established legally, on the basis of applicable procedures. The Advisory Division concludes that the mere fact that the Court of Justice found the data retention directive to be invalid, does not imply that national legislation that implements that directive is invalid. The Dutch legislator has a general authority to establish rules. The Dutch law already contains safeguards that exceed those of the data retention directive, such as the rules in the Code of Criminal Procedure about access to retained data. The established legislation must however be, or made to be, in accordance with the (new) explanation of existing fundamental rights concerning the protection of private life and the protection of personal data. This will be discussed later.

5.2. Is mandatory retention of telecommunications data necessary?

The government is convinced of the importance and indispensability of telecommunications data retention. Data retention ensures that certain telecommunications data are available to investigate and prosecute serious offenses. Existing powers in the Code of Criminal Procedure also allow demanding data from providers of telecommunication services, but without legally required data retention, it is not certain that those data are available at the provider. Rapid technological developments in communication technology make it uncertain whether the data that are important to investigation and prosecution are being processed by the providers for their own business operations and whether such data is available for investigation and prosecution. In addition to the data retention, the specific retention period is of vital importance, because the length of data retention directly affects the availability of data for investigation and prosecution. Specifically at a later stage it can turn out that certain telecommunications data are of importance to an investigation, without it being clear at the time of retention of the data that individuals are involved in serious offenses. Numerous examples can be given. One concerns an accomplice to two violent robberies in Rotterdam, in which the accomplice was not identified until ten months later. Another example concerns a rape in which the long-term investigation eventually led to the perpetrator, partially thanks to traffic data that proved that the suspect was in proximity of the victim at that time. Yet another example concerns international investigation into child abuse, in which children younger than ten years old were very severely abused. More than a hundred IP addresses belonged to Dutch persons. But none of these cases could be investigated because the retention period had expired, meaning that the IP address could no longer be associated with an individual. A reference can be made to the publication [.pdf] by the European Union about the necessity of data retention in the European Union.

5.3. Does the Dutch legislation concerning retention of telecommunications data need to be changed?

The next question is whether the Telecommunications Data Retention Act must be changed, given the ruling by the Court of Justice. The government also answers this question in the affirmative. National rules on retention of telecommunications data are relevant to the free movement of services within the European Union and are, now that the data retention directive has been ruled invalid, within the scope of directive 2002/58/EC (ePrivacy Directive). On the basis of this directive, Member States can establish rules for retention of telecommunications data, if so necessary, reasonable and proportional in a democratic society to safeguard legitimate interests, including the prevention, investigation and prosecution of offenses. Member states can thereto take measures to retain data for a limited period for those aims. These measures must be in accordance with the community law, including the principles, as meant in the Charter and the ECHR. Because data retention is within the scope of the ePrivacy Directive (Article 15(1), ePrivacy Directive) and thus within the scope of European Union law, it also is within the scope of the Charter.

The Advisory Division finds that the Telecommunications Data Retention Act transposes the rules disputed by the Court of Justice, and that review of the Telecommunications Data Retention Act against the Charter leads to the conclusion that this law, as well as the data retention directive, violates Article 7 and Article 8 of the Charter. It follows that national legislation must be changed insofar as it is not in accordance with the Charter. The Dutch government subscribed to this view. Later on I will discuss the various requirements established by the Court of Justice for retention of telecommunications data, and point out on which aspects the Telecommunications Data Retention Act needs to be changed to meet the requirements of the Charter.

5.3.1. Requirements to the legislation

The Court of Justice considers that a legitimate objective is pursued through data retention, namely the fight against serious crime (item 44 and 51). This, by itself, does not mean that the directive is in accordance with the Charter. The data retention must, according to the Court of Justice, be limited to what is strictly necessary (item 52) and clear and precise rules must exist. Then the Court considers that the data retention directive applies to all persons, all means of electronic communication and all traffic data, without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime (item 57). The Court of Justice thereby considers that the data retention directive even applies to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime (item 58).

Based on these considerations of the Court of Justice, the Advisory Division concludes that a European regulation must clearly and precisely describe which categories of data, of which historic means of communication, of which persons are strictly necessary for prevention, investigation or prosecution of crime and must thus be retained by providers of telecommunication. Herein, clues must exist that a relation exists between the behavior of persons whose data are retained and serious crime. Following this, I note that legally required data retention serves to ensure that historic telecommunications data are available, if in hindsight it turns out that such data is relevant to investigation and prosecution. If a crime is committed, it can be important to determine whom the victim or suspect has been in contact with prior to the crime, such that the perpetrators and accomplices can be identified. If the data of these persons cannot be retained prior to the crime, there would be no point in asking such a question. The retention of certain data about all citizens is thus necessary, as it is not possible to differentiate between suspected and unsuspected citizens beforehand. Unlike the Advisory Division, the government is of the opinion that such considerations by the Court of Justice should be interpreted in their interrelationships/coherence. If the view of the Advisory Division would be true that each of the safeguards mentioned by the Court of Justice must be met separately, then the mere fact that data of citizens is retained, without any indication that their behavior relates to serious crime, would be sufficient to invalidate the data retention directive. The Court of Justice, however, rules that taking all considerations into account (“Having regard to all the foregoing considerations”), the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter (item 69).
The ECHR jurisprudence also does not support the view that such data storage is not permitted. That consideration of the Court of Justice must, according to the Dutch government, be explained in that the fact that the directive does not require a link between data retention and personal behavior can be a very serious limitation of personal life of those involved, but that the seriousness of that limitation can be mitigated by appropriate guarantees and safeguards for careful methods of storing, processing and accessing the data. The required mitigation can be achieved through some mutually reinforcing changes of the law. The seriousness of the infringement on personal life necessitates very critical review of the nature and extent of data retention based on the Telecommunications Data Retention Act, as well as the applicable guarantees and safeguards. These aspects will be discussed later. Successively, the questions whether retention periods and categories of data must be changed will be discussed, and whether the rules concerning access to the data and protection and security need to be changed.

5.3.2. Retention periods and categories of data to be retained

The Court of Justice considers that the data retention directive, having a minimum retention period of six months, does not differentiate between the categories of data set out in Article 5 of the directive on the basis of their possible usefulness for the purposes of the objective pursued (item 63). Furthermore, the directive does not state that the determination of the period of retention — set at between a minimum of 6 months and a maximum of 24 months — must be based on objective criteria in order to ensure that it is limited to what is strictly necessary (item 64).

The Advisory Division notes that the Court of Justice requires that the retention period is differentiated to the various categories of data on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned. Such distinction is not made in the Telecommunications Data Retention Act of 2009, which only differentiates between data about telephony and data about internet, email and internet telephony.

Following this, the retention periods for telecommunications have been reconsidered. The framework provided by Article 15 (1) of the ePrivacy Directive was taken into account. Indeed, now that the data retention directive has been ruled invalid, a national telecommunications data retention law can only be determined within the framework of the ePrivacy Directive. That directive does not define the meaning of “limited period”, as meant in Article 15 (1). The measures must be appropriate for, and strictly necessary within a democratic society, and must include adequate safeguards conform the ECHR (preamble of the ePrivacy Directive, item 11). This implies a change of Article 13.2a, third member, and Article 13.4, third member, of the Telecommunications Act. In determining the retention period, both privacy and necessity to prosecution must be taken into account. The government thus finds that the retention periods should remain unchanged. That is, a retention period of six months for internet data and twelve months for telephony data. To limit the infringement on personal life resulting from data retention as much as possible, it is proposed that the rules concerning access to the data and protection and security be changed. This will be elaborated on later. The requirement that on the basis of objective criteria it must be clearly and precisely described per category of data for what period it must be retained by telecommunications providers ignores the purpose of the essence of data retention. That essence is that certain telecommunications data must be available for the investigation of serious crime. If the data are strictly necessary for that objective, then retention of them is applicable. If the data are not strictly necessary for that objective, then this is not the case. Differentiation between categories of data is irreconcilable with this. The requirement can however be met in other ways. 
Distinction can be made in the period of availability of data for the investigation of serious crime, in the sense that the period of access increases depending on the seriousness of the crime. Thus an objective criterion, namely the seriousness of the crime, can be used to differentiate in availability of data for crime prevention. This implies change of Article 126n and Article 126u of the Code of Criminal Procedure.

5.3.3. Access to retained data

The Court of Justice considers that the directive does not provide an objective criterion that limits access to the data by competent authorities. The directive refers to serious crime, as defined by each Member State in its national law (item 60). The directive does not contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use. That is left up to Member States (item 61). In particular, the directive does not provide an objective criterion to limit the number of persons who have access, and the subsequent use of the data, to what is necessary in the light of the objectives pursued. Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body following a reasoned request of those authorities (item 62).

In the Netherlands, direct access to the database is already strictly regulated. Only authorized employees of the providers have access to the retained data. The provisioning of the data by providers of public telecommunications networks and services for the investigation and prosecution of crime is governed by the rules laid down in the Code of Criminal Procedure. On the basis of those rules, the public prosecutor can, in case of suspicion of a crime that permits remand or in case of a reasonable suspicion that crimes are being planned or committed in organized context that constitute a serious breach of the law, request traffic data in the interest of the investigation. A list of crimes that permit remand is included in Article 67(1) of the Code of Criminal Procedure. Hence, unlike in the data retention directive, access to the retained data for investigation and prosecution is limited to cases involving serious crime. Following the ruling by the Court of Justice, the government intends to add new safeguards aimed at further limiting of access to retained data. Firstly by the introduction of a system of differentiation in access to the data, and by introducing advance judicial review.

The system of differentiation is designed to establish that the full retention period, unlike now, is only used in case of the most severe category of offenses that carry very long prison sentences. In lighter offenses, for which remand is possible but that do not carry very long prison sentences, the data can be requested during a shorter period. In the latter case, data may be subject to data retention, but the public prosecutor cannot request the data for investigation of a certain offense because the offense is not serious enough to justify access to the data.

In addition, a judicial review is proposed. Currently, as said, the authority to request traffic data is reserved for the public prosecutor. By making access to retained data subject to advance judicial review, it is better ensured that the data are only used in cases where sufficient reason exists to do so, and that the privacy of citizens is protected. To that end, the Code of Criminal Procedure will lay down that the demand for retained data depends on an advance authorization from a judge [in Dutch: “machtiging van de rechter-commissaris”].

Furthermore, in case of suspicion of a crime or a reasonable suspicion that crimes are planned or committed in organized context that constitute a serious breach of the law, the investigating officer can, in the interest of the investigation, request historic user data (Article 126na and Article 126ua Sv). A similar power applies in case of indications of a terrorist offense (Article 126zi Sv). This involves data concerning name, address, postal code, place, number and type of service of a user of a communication service. Here, “type of service” means the type of telecommunication service that is used, such as land-line or mobile telephony, internet, or types within these services, such as telefax. The use of these powers is possible in case of suspicion of a crime, and is not limited to cases of serious crime. The government believes that the category of user data, as mentioned, constitutes a far more limited category of data. From these data, no precise conclusions can be drawn about the private life of the persons about whom the data is retained, as the Court of Justice finds to be the case for retention of traffic data based on the data retention directive (item 27). The government believes that the retention of user data must be assessed differently from retention of traffic data, and sees no reason to change the current legislation concerning this.

5.3.4. Data protection and data security

The Court of Justice considers that the data retention directive does not provide sufficient guarantees for effective protection against the risk of abuse and against any unlawful access and use of that data. The directive does not provide specific rules adapted to the vast quantity of data that must be retained, or to the sensitive nature of these data and the risk that they will be used unlawfully. The directive does not lay down a specific obligation on Member States to establish such rules (item 66). The directive does not ensure that a particularly high level of protection and security is applied by providers by means of technical and organizational measures, but permits those providers in particular to have regard to economic considerations when determining the level of security which they apply, as regards the costs of implementing security measures. In particular, the directive does not ensure the irreversible destruction of the data at the end of the data retention period (item 67). The data retention directive also does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured (item 68).

Following these considerations, the government notes that the Dutch Data Protection Act (Wbp) and the Telecommunications Act (Tw) already have safeguards and rules, on the basis of which providers must take appropriate technical and organizational measures for safety and security of the networks and services they offer (Article 13 Wbp and Article 11.3 Tw). These norms implement European rules. Providers can take the state of the art of technology and the economical costs into account, but paramount is that the measures are appropriate, considering the risks involved in the processing of the data that is to be protected. Hence, the safety and security of the networks and services must be ensured at all times. The Data Protection Authority (CBP) monitors compliance with Article 13 Wbp and Article 11.3 Tw. Besides the CBP, also the ACM is tasked with monitoring compliance with Article 11.3 Tw. In addition to those requirements, the providers must take appropriate technical and organizational measures to protect the data against destruction, loss, change, unauthorized storage, processing, access or disclosure, to ensure that only specially authorized persons access the data, and to destroy the data after the retention period (Article 13.5, second member, Tw). Providers have no possibility to take economic costs into account. The Decision Telecommunications Data Security [in Dutch: “Besluit beveiliging gegevens telecommunicatie”] lays down rules for the security of access to the retained data. Moreover, the Telecommunications Act, as noted by the Advisory Division, provides an obligation for immediate destruction of the data (Article 13.5, third member, Tw). The Telecom Agency (AT) [in Dutch: “Agentschap Telecom”] monitors compliance with Article 13.5 Tw. The Minister of Economic Affairs has sent the report “Measurement data retention 2013” [in Dutch: “Meting dataretentie 2013”] to the Parliament in a letter dated May 16th 2014 (Kamerstukken II 2013/14, 26 643, nr. 313).
This report aims to provide insight into compliance with the Telecommunications Data Retention Act. From the periodic and individual reviews of the providers it is apparent that they generally comply with the legal regulations concerning the storage of data and privacy of their customers. In the light of the legal regulations and the experiences with those regulations in practice, the government believes that the Dutch regulation in general meets the requirements of the Court of Justice concerning protection and security of retained data. On some aspects the government considers it necessary to make changes.

Further rules on the security of retained data have been included in the Decision Telecommunications Data Security. The retained data may only be accessible for a limited number of employees of the provider. Given the sensitivity of these data, it stands to reason that data retained for the purpose of investigation and prosecution are fully protected from unauthorized access. The government will investigate whether encryption of these data can take place.

The Advisory Division pointed out that Dutch law, like the data retention directive, does not provide an obligation to store retained data within the European Union, and therefore it is currently not fully ensured, as the Court of Justice requires, that the CBP can oversee security and protection of retained data. The Court of Justice explicitly links to the purpose thereof: to ensure that the data are sufficiently secured and protected. In response to this, the government intends to change the regulation in the Telecommunications Act, such that providers are obliged to retain and process the data within the European Union. Monitoring of compliance with the norms concerning protection and security of retained data, that to a large extent follow from European rules, can thereby be improved.

Monitoring of compliance with Section 13 of the Telecommunications Act is done by the Minister of Economic Affairs and the CBP. The Minister therefore uses officials of the Telecom Agency. The supervisory task of the Minister of Economic Affairs in no way limits the supervisory powers of the CBP concerning personal data. Supervision by the Telecom Agency is currently designed as supervision of the system. That means that the Telecom Agency assesses business processes and their guarantees. On the basis of the Telecommunications Act, the Telecom Agency is however not authorized to request traffic data that must be retained by providers on the basis of the Telecommunications Data Retention Act. The Telecom Agency thus lacks a useful instrument to be able to carry out this part of the supervisory task. The government intends to change the Telecommunications Act, such that the Telecom Agency, as a supervisory authority, can get access to telecommunications data retained or provided by providers, if and insofar that is necessary for oversight. That change will allow better oversight on lawful and careful processing of the retained data, including the actual destruction of it. Better monitoring of compliance with the legal rules will cater to the ruling of the Court of Justice.

6. Consequences for telecom companies operating in the Netherlands and other companies

The measures proposed in section 5 of this letter will have consequences for the business operations of internet and telecom providers operating in the Netherlands. The obligation to store data within the European Union can have consequences for the business operations and costs of the providers. The precise effects and costs will be investigated in cooperation with the private sector. From the perspective of the internal market, it is not to be expected that the presently proposed measures will carry disproportional obstacles. It must also be taken into account that the requirements following from the ruling of the Court of Justice apply to all Member States, such that these will have an equal consequence to the national laws concerning data retention for the purpose of investigation and prosecution of serious crimes.

In the letter to Parliament sent by the Minister of Economic Affairs on May 16th 2014 concerning the report “Measurement data retention 2013”, it was noted that besides six large telecom providers, 337 SME providers have obligations concerning data retention and privacy. It was stated that the number of requests from investigative services addressed to this group of smaller parties is limited (ca. 2 percent). This group carries, considering its limited business size, relatively more costs and efforts to meet the requirements concerning data retention and privacy. The application and compliance with rules concerning data retention proved complex especially for this group of providers. It will thus be considered in what way this group of providers can be spared, by providing ways to comply with the Telecommunications Data Retention Act as efficiently as possible.

It will be discussed with providers what possible practical solutions exist to comply with the legal obligations in a way that avoids disproportionate costs and efforts wherever possible.

7. Consequences of the ECJ ruling to the Dutch intelligence and security services

The data retention directive left Member States the necessary room for regulating access to retained telecommunications data. The Member States were to ensure that retained data would be provided to competent national authorities only in well-defined cases and in accordance with national law.

On the basis of Article 28 of the Dutch Intelligence & Security Act of 2002 (Wiv2002), the AIVD and MIVD are authorized to request data about a user and their traffic data from providers of public telecommunication networks and services. On the basis of Article 13.4, first member, of the Telecommunications Act of 2009, these providers are obliged to immediately comply with such requests. Nothing changes in this. In the context of renewal of the Wiv2002, the government will further discuss possible consequences of the Court of Justice for the activities of the intelligence and security services.

8. What consequences does the ruling have for broad forms of storage of personal data currently carried out by the government and that the government still intends to introduce?

Following questions from the Permanent Committee for Security and Justice, I note that “broad forms of storage of personal data” apparently refers to legal rules concerning the storage of data for criminal purposes about persons about whom (at that time) no indications exist of involvement in crimes. Such storage exists in the proposal to change the Code of Criminal Procedure concerning the regulations of the recording and storing of ANPR data by the police (33 542), also known as the ANPR bill. The ANPR bill provides a legal basis for storing certain license plate data of all vehicles passing a camera. This concerns license plate number, a photo of the vehicle, the time and location. The retention period is four weeks. The data can be used for investigation of a criminal offense that permits remand and for arresting of a fugitive or convict. The data can only be used by authorized investigating officers, for the purpose of the investigation. Linking retained ANPR data to databases outside the police, to identify persons for the purpose of investigation (‘data mining’), is not possible. The text of the proposed Article 126jj of the Code of Criminal Procedure excludes this.

The ANPR bill has an important similarity to the data retention directive, as license plate numbers are retained of all passing vehicles, including those of persons whose behavior at the time of recording is not linked to serious crime. The Advisory Division points this out and notes that it is up to the legislator and, eventually, the judge, to provide a definitive judgement of this proposal, but to take into account the possibility that this sort of data storage will be considered to be a violation of proportionality or as irrelevant and excessive, assuming the criminal purpose of the storage. However, significant differences exist between the data retention directive, which is subject of the ruling of the Court of Justice, and the ANPR bill. This firstly concerns the nature of the data to be retained. Different from telecommunications data, that can provide a more all-encompassing picture of citizen behaviors, license plate data cannot provide very accurate indications about the private life of those whose data is retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. The license plate data only provide insight into where a vehicle at a certain date and time was registered by a camera. Although on the basis of license plate data insight is possible into the location of a vehicle on certain dates or times, no insight is obtained in relations between persons. The nature of these data makes them less invasive to personal life. It is of vital importance that the ANPR bill provides a retention period of four weeks, which is significantly shorter than the retention period included in the data retention directive of up to two years for telecommunication traffic data. In addition, license plate data are collected at public roads.
Drivers of vehicles can know and expect that their vehicle can be registered by the police at public roads for the purpose of law enforcement. Also taking into account the principle of “reasonable expectation of privacy” of those involved, the collection and retention of license plate data must be assessed differently than the collection and retention of telecommunications data.

Unlike the retention of telecommunications data, the access to retained ANPR data does not require advance review by a court or an independent administrative body, as meant by the Court of Justice (item 62). I believe that, now that the infringement on personal life is less serious than the retention of telecommunications data, it is not strictly necessary to also provide such a safeguard in retention of ANPR data. As with telecommunications data, ANPR data is retained specifically for the purpose of investigation and prosecution of crime. Considering that similarity, I intend to require advance approval from a public prosecutor for access to retained ANPR data. The requirement of advance authorization from a public prosecutor also applies to the use of other special powers, such as systematic observations, the systematic collection of information, and infiltration. Because the use of these powers constitutes a breach on the privacy of those involved that is greater than the retention of ANPR data — a warrant for observation can for instance permit observation of a person’s behavior for three months — I believe that such a requirement amply satisfies the requirements following from the Charter. The Code of Criminal Procedure will thus regulate that the request of retained ANPR data requires advance approval from the public prosecutor. This means that the proposed Article 126jj of the Code of Criminal Procedure will be changed, such that an authorized investigating officer can only request retained ANPR data after obtaining approval from the public prosecution, for the purpose of investigating a serious crime or arresting a fugitive.

Access to retained ANPR data for the purpose of investigation and prosecution of crimes is limited to cases involving a suspicion of a crime that permits remand, or reasonable suspicion that crimes are being planned or committed in organized context that constitute a serious breach of the law. In the light of the requirements set by the Court of Justice to access to retained telecommunications data, the government finds that this regulation meets the requirements to be set based on the ECHR or — insofar applicable — the Charter of Fundamental Rights of the European Union.

As I stated earlier, in a letter dated April 10th 2014 (Kamerstukken II, 2013/14, 33 542, nr. 13), I firmly believe the legislative proposal — certainly with a further limitation of access to the data — is well within the limits of Article 8 of the ECHR and — insofar applicable — Article 7 and 8 of the Charter.

9. In conclusion

The government thus intends to change the national legislation concerning retention of telecommunications data, such that:

  • the public prosecutor can only issue a warrant to obtain telecommunications data following advance approval from a judge. This means that Article 126n/u of the Code of Criminal Procedure will be changed;
  • access to the data for the purpose of investigation and prosecution of serious crimes will be differentiated based on the seriousness of the crime. This means that Article 126n/u of the Code of Criminal Procedure will be changed;
  • it will be examined whether telecommunications data retained for the purpose of investigation and prosecution of serious crimes can be encrypted so that they are protected from unauthorized access. This can result in a change of the Decision Telecommunications Data Security;
  • providers will be obligated to retain data within the European Union. This means that Article 13.2a and Article 13.5 of the Telecommunications Act will be changed;
  • the Telecom Agency, as a supervisory body, can get access to telecommunications data that are retained or provided by providers, with the objective of better oversight on the processing and destruction of the retained data. This means that Article 18.7, second member, of the Telecommunications Act will be changed.

These changes will be included in a proposal to change the Telecommunications Act and the Code of Criminal Procedure, that will soon be released for public consultation.

Furthermore, the government intends to change the ANPR data retention bill, such that:

  • the authorized investigating officer can only access retained ANPR data following advance approval from the public prosecutor, for the purpose of investigating a serious crime or arresting a fugitive. This means that the proposed Article 126jj of the Code of Criminal Procedure will be changed.

This change will be included in an Amending Letter for the ANPR bill, that will soon be sent to Parliament.

 

EOF

Some details on Dutch govt seeking bulk cable-interception for intelligence and security services AIVD and MIVD

UPDATE 2016-04-15: an additional NOS report states that the existing (targeted) interception power and (targeted) hacking power, too, will be subject to ex ante and binding oversight. The newly to be established oversight committee is entitled ‘Toetsingscommissie Inzet Bevoegdheden’ (TIB), and will consist of persons that have a background in the judicial branch.

UPDATE 2016-04-14: NOS reports that according to unnamed sources, the Dutch government will, with regard to the upcoming cable interception power, consider ex ante oversight by a new independent committee. (Note: ‘new independent committee’ presumably means it’s not about the CTIVD, the existing independent expert committee that has been carrying out ex post non-binding oversight since 2002.) Furthermore, requiring prior court approval for the interception of communications of lawyers and journalists will also be considered. The report states these topics will be discussed in the cabinet. The cabinet changed “purpose-oriented interception” (my translation from the Dutch word “doelgericht” used previously) to “investigation-bound interception” (my translation of “onderzoeksopdrachtgericht”). It’s just different words for the same thing: interception that is carried out in the context of an intelligence task, but that is not targeted/limited to specific known persons or organizations.

UPDATE 2015-07-02: the Dutch government released their draft intelligence bill into public consultation. Details here.

UPDATE 2015-06-01: changed “goal-oriented” to “purpose-oriented” everywhere, including in the (translated) diagram; it’s a better, less confusing translation (credits to A).

UPDATE 2015-02-11: the existing law contains the word “ongericht” (untargeted, unselected, bulk, mass). Yesterday it became clear that the bill, which the Minister of the Interior expects to appear in April 2015, will no longer contain that word. Only the new word “doelgericht”, which I tentatively translated as “goal-oriented”, will be used. Goal-oriented does not exclude bulk interception, but aims to limit it to what’s necessary for specific investigations. An investigation can be long-running. The permitted (un)specificity of the definition of a “goal” depends on the phase of interception. If you permit me to speculate: I think it is very likely that an investigation can involve interception of all Tor traffic for the goal of identifying persons associated with terrorist use of the internet, such as public provocation (radicalisation, incitement, propaganda or glorification), recruitment, training (learning), planning and organizing terrorist activities.

UPDATE 2014-12-09: I translated the Dutch word “doelgericht” as “goal-oriented”. Someone suggested a better translation would be “targeted”. The reason I chose “goal-oriented” over “targeted” is that the latter, as perceived by my brain, suggests “targeted to a person or organization”, which is not how the notion of “doelgericht” is explained. For instance, it may very well be considered “doelgericht” to intercept as much Tor traffic as possible if doing so is necessary to achieve the — hypothetical — goal/objective “deanonymize online extremism”. The notion of “doelgericht” could make indiscriminate surveillance a bit more discriminate, but there will be bulk interception nonetheless. In Dutch, “doel” means “goal” or “objective”; and “gericht” means “oriented”, “aimed” or, the word that I try to avoid, “targeted”. Assuming this notion will make it into law, which is still a long way ahead, we’ll have to wait and see how it will in practice be used to justify (AIVD/MIVD) and review (CTIVD) activities carried out in each of the three interception phases (collection, pre-processing, processing).

UPDATE 2014-11-28: an example use of bulk cable-intercept power would be to intercept all cable-transmitted phone calls to and from Syria, as part of current counter-terror efforts. The existing bulk ether-intercept power can only be used insofar as phone calls are routed through the ether at some point and the intelligence services are able to intercept them there. The existing targeted (i.e., non-bulk) cable-intercept power can only be used on specific phone numbers and requires that the identity of a person or organization is known prior to getting approval to intercept.

A first version of the below was posted on Cryptome.


In the Netherlands, interception powers of the intelligence & security services AIVD (historically focused on internal security) and MIVD (military) are regulated by the Dutch Intelligence & Security Act of 2002 (“Wiv2002”).

The AIVD and MIVD both have the power of (targeted) interception of communications in any form (cable, wireless, spoken, etc.) of specific persons or organizations. Exercise of this power requires advance approval of either the Minister of the Interior (in case of the AIVD) or the Minister of Defense (in case of the MIVD).

The AIVD and MIVD both also have the power of (untargeted) bulk interception of communications, but only for non-cablebound (i.e., wireless) communications. Under the current law, the AIVD and MIVD can carry out Sigint search against any wireless communications they want as long as that communication has at least a foreign source or foreign destination. (The latter restriction does not apply to Sigint selection; if authorization has been granted to select on the basis of identities, keywords or (other) characteristics, bulk interception for the purpose of selection may also be performed on domestic communication; but there’s probably not a lot of it.)

In 2013, a temporary committee named “Dessens Committee” reviewed that law, and concluded that in today’s world, the distinction between cable and non-cable communications can/should no longer be made. That committee then recommended, among others, to change the law and make it ‘technology-neutral’, i.e., to also allow bulk interception of cable communications.

In October 2014, the Dutch senate adopted a motion requesting the Dutch government to abstain from “unconditional, indiscriminate and large-scale” surveillance.

On November 21st 2014, the Dutch government published its response (.pdf, in Dutch) — accompanied by this diagram (.pdf, in Dutch) — to the recommendations of the Dessens Committee, and it turns out the Dutch govt indeed seeks to grant the power of bulk interception of cable communications to the AIVD and MIVD. Translation of said response and diagram are below. But first, here is a translation of a post (Nov 21, in Dutch) by the AIVD about the Dutch govt’s response (suffices as TL;DR):

Modernization of the Dutch Intelligence & Security Act of 2002, extra safeguards for privacy

The cabinet will modernize the Dutch Intelligence & Security Act of 2002. Minister Plasterk of the Interior and Minister Hennis-Plasschaert of Defense have explained the general ideas in a letter to Parliament.

The Intelligence & Security Act is nearly 15 years old and no longer suits current technology. 90 percent of telecommunications is transferred over cables. In the changed law, the AIVD and the MIVD are granted the power to also recognize terrorist threats, counter espionage, protect against digital attacks, support the Dutch security interests and military missions via the cable.

Interception of raw telecommunications data will be divided in three phases: collection, preprocessing and processing. Every phase requires separate approval from the Minister. In every phase, data may only be intercepted aimed at a specific purpose, after a review of proportionality, subsidiarity and necessity. In every phase, explicit retention and destruction periods apply. The intercepted raw data are only accessible by specific employees and for specific tasks. The approval from the Minister is subject to independent oversight by the Dutch Review Committee on Intelligence and Security Services (CTIVD). This framework ensures that the security services cannot search the collected raw data without restrictions.

The Wiv2002, which was established in the late 90s and applies since 2002, still makes a distinction between ether and cable. The Dessens Committee reviewed the law and concluded at the end of last year that this distinction is outdated as a result of ongoing technological developments. Nearly all telephony, internet, email, social media, apps and chat programs communicate over cables. Terrorist and combat groups also use this a lot, for instance for recruiting and command and control.

The cabinet therefore wants to permit the intelligence and security services to intercept raw cable telecommunications under conditions. This concerns larger amounts of data, from which the services can select data of adversaries. An example is telephone communications to conflict areas. The safeguards in every phase of interception and processing of the data ensure that the government cannot spy on random email conversations of citizens, or eavesdrop on phone conversations. The privacy will thus be better protected.

The oversight will also be strengthened. If the CTIVD concludes, after review, that approval was given illegally, the Minister is required to reconsider that approval. When the Minister upholds his/her decision, it must be reported to the CTIVD and to the Parliamentary Committee for Intelligence & Security Services (CIVD), which can hold the Minister accountable.

These general ideas are developed in legislation.

The “legislation” referred to at the end is still being developed.

Here is an unofficial translation of the Dutch government’s diagram that outlines the new interception framework (also available as .pdf here):

[Image: translated diagram of the interception framework, 20141122_bijlage-diagram-interceptiebestel-UK]

Here is an unofficial translation of the full Dutch government response (note: non-italic parts in [] are mine; some phrases are ambiguous, that is sic, and I wasn’t confident to disambiguate):

1. Introduction

During the General Meeting of April 16th 2014, the government promised to establish the cabinet opinion about the advice by the Dessens Committee concerning special powers in the digital world. This opinion is presently provided. The Dessens Committee concludes that technology-dependent interception regulation that distinguishes between ether communications and cable communications can no longer be upheld, considering the fast technological developments concerning data traffic and communication. The committee found that change is necessary of regulations in the Intelligence & Security Act of 2002 (Articles 25 to 27). In the cabinet’s response to the Dessens report, submitted to Parliament on March 11th 2014, the cabinet stated it would study how this distinction can be replaced by a relevant norm that keeps safeguarding the privacy of Dutch citizens. Taking all things into account, the cabinet agrees with the Dessens Committee that this distinction is outdated and must be withdrawn, provided that a clear normative framework is provided that has adequate safeguards.

2. Developments in the digital domain and the necessity of a technology-neutral interception framework

In recent years, also as result of the great development of the internet, transmission of communication via cable infrastructure has increased explosively. In the Wiv2002, which was established in the late 90s and applies since 2002, this development was not taken into account. The current regulation of interception of telecommunication codified the then-current practice of the services, notably the former Military Intelligence Service (MID), in which interception of radio and satellite traffic was central. Different from the special power of targeted interception (Article 25 Wiv2002), which was formulated technology-neutral, the regulation of bulk interception was not formulated technology-neutral. The Dessens Committee thus concludes that the regulation of bulk interception in the Wiv2002 is outdated and does not reflect today’s necessary powers in the context of national security.

Besides an explosive growth of the amount of data that are produced globally (and that doubles every two to three years), it must be established that approximately 90% of all telecommunication is transmitted via cable networks. Nowadays, all electronic communication networks (ether and cable) comprise a communication network with global coverage.

For the (inter)national security interests of the Netherlands, and the deployment of the armed forces, a strong Dutch intelligence position is of vital importance, whether it concerns preventing terrorism, countering espionage, protecting against digital attacks, insight into threats for the international rule of law, understanding the intentions of some countries, insight into capabilities of risk countries, or proliferation of WMDs. Moreover, the services must be able to know about the threats that the society and the state are exposed to in the digital domain, in order to effectively arm against them, and allow others to take measures. This is of vital importance in the context of the National Cyber Security Strategy and in the light of the endeavors of the cabinet towards the digital government. The technical threats and possibilities manifest themselves both on cable and in the ether. The (potential) impact of cyber threats has become increasingly clear as result of various incidents. This not only concerns threats that can disrupt our cyber infrastructure, but also threats concerning integrity, availability and confidentiality of the information that all of us digitally record, use and exchange. To get insight into these threats, the services depend on adequate access to telecommunications.

The services must therefore have sufficient intelligence means and methods to collect, analyze, and report timely in the digital domain. Special powers that — under strict conditions — allow interception in the cable domain are indispensable. The use of these special powers by definition infringes upon citizens’ right to privacy. Considering the responsibility and task of the government to ensure security of its citizens, it is inevitable that the services collect and process personal data. This does not mean that security and privacy are opposing interests. Through proper and purpose-oriented exercise of these powers, the government aims to support a secure society of fundamental rights, including the right to privacy. The goal-oriented character of the exercise of these powers based on legally defined tasks of the intelligence services ensures that “normal” telecommunications of citizens will not be infringed upon by the intelligence services. In other words: citizens need to fear that the government views arbitrary email conversations or eavesdrops on phone conversations. A right balance must continuously be found between the use of these powers and the ability to exercise fundamental rights. Necessary infringements on the right to privacy must be accompanied by adequate safeguards. In all cases, the CTIVD can review whether the requirements of proportionality, subsidiarity and necessity have been met.

3. Elaboration of cabinet opinion: new normative interception framework with adequate safeguards

3a Outline of new interception framework

The cabinet agrees with the Committee Dessens that a new balance must be found between security and privacy.

The cabinet concludes that a technology-neutral and thereby future-proof rephrasing of the powers of interception (as meant in Article 26 and 27 Wiv2002) is needed, albeit under simultaneous tightening of existing safeguards and introduction of new safeguards. The current law already exhaustively defines how the services are permitted to infringe upon the right to privacy through the use of their powers. The requirements of necessity, proportionality and subsidiarity must always be met. Moreover, the use of this power is only permitted if it is necessary in the interest of national security, as further defined in the tasks of the services.

Historically, the assumption was made that the closer the contents of telecommunications are involved, the greater the infringement on fundamental rights is. The distinction between content and non-content is, however, not the only defining element in determining the seriousness of the infringement and the approval regime that should be used. Also of importance are the scale on which data are collected and the methods used for (further) processing of the data.

Considering the above, the new framework for interception of telecommunication (“bulk”) is outlined in three phases. This outline will — as replacement of current Article 26 (exploration of communication) and Article 27 (bulk interception of non-cablebound telecommunications) — be further developed and explained in the bill that is to be prepared.

The phases are:

  1. purpose-oriented collection [in Dutch: “doelgerichte verzameling”] of telecommunications,
  2. preprocessing of intercepted telecommunications, and
  3. (further) processing of the telecommunications.

For clarification, these phases in the interception framework are depicted in a diagram that is appended to this letter. The diagram briefly denotes which activities each phase entails, and the safeguards that will be laid down in the new legal framework.

The following can be noted. Each phase has a well-defined purpose. In the first phase — collection — purpose-oriented relevant data are intercepted and made accessible (for instance by decryption), after advance approval from the Minister based on an investigative purpose defined as accurately as possible. Preparatory technical activities aimed at purpose-oriented collection of data and making the data accessible, can be part of this phase. Individuals or organizations are not yet being investigated in this phase, meaning that the infringement on privacy is limited. The second phase — preprocessing — is aimed at optimizing, in broad sense, the interception process, in the context of ongoing, approved investigatory assignments using the collected data. As this optimization can require metadata analysis or briefly taking a look at the contents of telecommunication, the infringement on privacy is greater than in the first phase. In the third phase — processing — selection of relevant telecommunications takes place, and selected data are used to gain insight into the intentions, capabilities and behavior of individuals and organizations that are subject of investigation. In this phase, subject-oriented investigation takes place, in which the contents of telecommunications and metadata are analyzed to identify individuals or organizations, and to recognize patterns.

An increasing insight into the personal life is thus obtained from phase to phase. The safeguards that will be laid down in legislation, must be stronger as the infringement on privacy is greater. Safeguards will be built in for all phases, which requires that both the use of the interception power (collection) and the processing of intercepts depend on (a) predetermined and time-limited approval from the Minister (a “warrant”, including a review of necessity, proportionality and subsidiarity), (b) purpose-oriented use [in Dutch: “doelgericht gebruik”] [Footnote: The term “purpose-oriented use” will be defined for the involved phase. In the collection phase, references can be made to investigation tasks as included in, for instance, the Foreign Intelligence Decision [in Dutch: “Aanwijzingsbesluit Buitenland”] or the Intelligence and Security Requirements Defense [in Dutch: “Inlichtingen- en Veiligheidsbehoefte Defensie”]. The further down the process, the more specific the purpose will need to be formulated.], (c) retention and destruction periods concerning the intercepted data, and (d) a (combined) framework of separation of jobs and duties, c.q. compartmentalization concerning the access to data in various phases and outside the interception process. These safeguards not only apply to interception of cable telecommunications, but also to the interception of non-cablebound telecommunications as meant in Article 27, first member, Wiv2002.

The latter currently does not require approval from the Minister. In addition to said safeguards, reporting will take place both for purposes of internal control and oversight by the CTIVD.

Through this framework of measures with purpose-oriented use of weighing of proportionality, subsidiarity and necessity in the advance approval, the privacy of Dutch citizens is protected.

3b. Cooperation network providers

To exercise the power to intercept cable telecommunications as meant here, cooperation is in practice required from a network provider. This form of interception is always bound to a certain investigative purpose. The Ministerial approval to intercept (“warrant”) will be a mandatory legal assignment to a network provider to provide support for the interception. The most important condition that is to be laid down in legislation, is the obligated consultation between the services and network provider, prior to exercise of the interception power approved by the Minister. The services will not have unrestricted and independent access to Dutch telecommunication infrastructure. The mandatory cooperation will be supported by a requirement for providers to obtain relevant information if so asked.

3c. Metadata analysis

Use of intercepted telecommunications for the intelligence process can both concern use of metadata and use of contents. Currently, approval from the Minister is only required for the latter. The intercepted metadata can be subjected to a mere technical metadata analysis, and to more involved analysis, in an attempt to identify subjects and recognize patterns. Both forms of metadata analysis are currently based on Article 12 etc. Wiv2002 and do not require approval from the Minister. In the new legal framework, the form of metadata analysis that aims to identify subjects and recognize patterns will be subjected to Ministerial approval. Here, too, requirements will apply of purpose-oriented use, necessity, subsidiarity and proportionality. In addition, a retention period and destruction period will be included.

3d. Enhanced approval regime

The approvals from the Minister that will be needed in the new framework, will be subjected to the system of reconsideration outlined during the General Meeting of April 16th 2014. That means that if the CTIVD, in the course of its legal oversight, concludes that an approval from the Minister was illegal, the Minister will be obliged to reconsider it. If the Minister upholds the approval, the CTIVD and the CIVD must be informed immediately. The CIVD can hold the Minister accountable if it desires to.

4. Data exchange with foreign services

The cabinet has earlier stated that the exchange of large amounts of raw data (“bulk data”) by the AIVD and MIVD with foreign services will be subjected to Ministerial approval. The Wiv2002 will be changed accordingly. Considering that international cooperation between intelligence and security services also involves exchange of other data, this legislation will not be limited to telecommunications data, but more generic.

The exchange of this sort of data will be safeguarded as follows:

a. Evidently, only data can be shared that was collected legally, with the criteria being met;
b. For every (intended) cooperation, a review will take place of criteria for cooperation with foreign services. These criteria involve the democratic setting of the service, the human rights policies in the country involved, and the professionalism and reliability of the services. The outcome of this review partially determines what form of cooperation, if any, is considered permissible, such as data exchange. If, according to these criteria, a cooperation with a foreign service involves risks, approval will be required from the Minister.
c. In the provisioning of data, it will always be required that the data will not be shared further.
d. Exchange of “bulk data” (large amounts of raw data) will require approval from the Minister.

5. Concluding remark

The cabinet outlined the new interception framework and safeguards. In further development, the relevant providers of communication networks will be consulted. The outcome will be laid down in law and is currently being prepared. Evidently, this outcome will take into account not only the requirements from our own Constitution (Article 10 and 13), but also the relevant human rights treaties, notably the ECHR and European jurisprudence concerning interception of telecommunications and processing thereof. Combined with a stronger framework of oversight and complaints, as announced earlier, the cabinet is of the opinion that legislation as such will meet the constitutional requirements.

As a reminder: collection through interception and hacking, as well as some of the activities that the Dutch govt’s diagram lists under the preprocessing and processing phases, is carried out by the Joint Sigint Cyber Unit (JSCU) that is currently located at the AIVD’s building in Zoetermeer, and tasked as follows:

Article 1: Task description
The JSCU is a joint supporting unit of the AIVD and the MIVD that, commissioned by and under the responsibility of the AIVD and MIVD, is tasked with:

a. the collection of data from technical sources;
b. making accessible data from technical sources such that the data are searchable and correlation within and between these sources is possible;
c. supporting the analysis, notably in the form of data analysis, investigation into cyber threats and language capacity;
d. delivering Sigint and Cyber capability in support of the intelligence requirements of the AIVD and the MIVD, potentially on-site;
e. innovation and knowledge development on the task areas of the JSCU.

Some things that come to mind based on all of the above (or rather: what’s missing):

  • From CTIVD oversight reports 19, 26, 28, 31, 35 and 38 it is evident that for years, the AIVD and MIVD often fail to substantiate the use of their existing bulk interception power. For instance, the legally required motivation is lacking or insufficient, or necessity/proportionality/subsidiarity are not discussed — the CTIVD once observed reasoning that boiled down to “necessity implies proportionality” (which it does not). Said reports prove that it is a tenacious problem. Will the (oversight on) legality of the use of bulk interception powers improve with this new framework?
  • Will the existing restriction that Sigint search is only permissible concerning communication that has either a foreign source or destination be upheld? Put differently, will that restriction be lifted, which would be a plausible move in the internet age, and (hypothetically) allow domestic-domestic bulk sigint search for whatever the Minister agrees to be “purpose-oriented” — a new term that is yet ill-defined and suggested will be defined relative to the phase / level of privacy infringement — and to meet necessity/proportionality/subsidiarity?
  • Will the intended legal requirement for network providers to cooperate only involve passive taps, or also the possibility for the services to exercise their hacking power ex Article 24 via access to the provider’s network? (e.g. to carry out packet injection and, for instance, infect via fake or manipulated software updates, or infect or capture credentials via spoofed/MitM’d websites)
  • Could it be “purpose-oriented”, proportional, necessary and subsidiary to collect all Tor traffic they can, for exchange with foreign services as part of “the multi-national effort” towards deanonymization of Tor traffic meant here? Note that (1) interception of bulks of encrypted communication may, by itself as something preceding preprocessing/processing/analysis, not be considered very privacy-invasive, and that (2) under current law, encrypted traffic can be stored indefinitely (Art.26 Wiv2002) until decryption (and decrypted traffic can be stored for up to 1yr). Furthermore, it is stated that the word “purpose-oriented” is to be defined relative to the phase — collection, preprocessing, processing — and that the intelligence services must specify the purpose “as accurately as possible”. Would a specification such as “deanonymize Tor traffic in support of national security or foreign intelligence” be accepted? If further limited as “for counter terrorism purposes”, would that in practice indeed ensure that deanonymization bycatch concerning other topics (crime, espionage, activism, etc.) will be ignored/destructed, and not exchanged with foreign services? [It should be noted, though, that perhaps other technical methods exist or will be developed aimed at deanonymizing Tor traffic that don’t rely on bulk intercepts, but that for instance rely on having control over certain and/or enough entry nodes, relays and exit nodes, or can be carried out without intercepting the full packet stream (e.g. only characteristics of the traffic; for example through netflows). 
Of course, for hidden services, successful deanonymization via browser exploits has been observed in the FBI’s “EgotisticalGiraffe” codename thing to deanonymize visitors of the Freedom Hosting .onion; successful use of traditional intelligence methods such as infiltration and stings seems to be observed in the arrest of drug dealers on Silk Road; successful use of leveraging OPSEC failures of an individual hosting a hidden service was observed in the arrest of the person behind Silk Road. Also, fake, manipulated versions of the Tor Browser have been observed here and here.]
  • The govt states that the intelligence services will not have “independent” (in Dutch: “zelfstandig”) access to provider networks, i.e., they will not be granted the power to obtain access without consulting the provider networks (i.e., clandestine access to cables). But: don’t existing powers, which include access to private places and closed objects (Art. 22 Wiv2002), physical intrusion (Art.30 Wiv2002), the use and placement of technical eavesdropping equipment (part of Art. 25 Wiv2002), and hacking (Art.24 Wiv2002) already allow this? Also, the word “network providers” is, AFAIK, not well-defined in Dutch law, unlike, for instance, “provider of public electronic communication networks or services”. “Network provider” seems to include that category (i.e., the usual internet access providers and mobile telecom providers) but potentially also non-public networks such as the SURFnet NREN, and other closed user-group networks. Although there will be cases where traffic pertaining to such networks is exchanged via an upstream provider that is legally a “provider of public electronic telecommunication networks or services”. The latter of course applies to Google, Twitter, Skype etc., which are not “telecommunication services” under Dutch law.
  • Could the new distinction between collection (considered by govt to be relatively little privacy-invasive) and preprocessing/processing (considered to be more privacy-invasive) in any way, to any extent, yield a situation similar to the U.S. government defining “collect” not to be “collect” until a human looks at what is collected?
  • Will the Parliamentary CIVD committee, that is suggested should hold the Minister of the Interior and/or the Minister of Defense accountable for illegal approval, actually carry out that task adequately? Note that it is very likely that that process will take place in secrecy, because much of the information shared by the government with the CIVD is subject to NDAs.
  • It is very premature, but: what will the Dutch senate’s opinion be on this proposal (note: an actual legislative proposal / bill does not yet exist, it is still being prepared at the time I’m writing this), considering that the Dutch senate in October 2014 adopted a motion requesting the government to abstain from “unconditional, indiscriminate and large-scale” surveillance? Put differently, will the proposal be sufficiently conditional, discriminate and small-scale, in the senate’s view?

Final note: it remains to be seen whether granting the bulk cable-intercept power will lead to a Dutch equivalent of GCHQ’s Tempora and/or to (unrestricted?) participation in the NSA’s Special Source Operations (SSO) that feed PRISM by hosting U.S. equipment for cable access (also see DANCINGOASIS / RAMPART-A (.pdf)). Factors of budget, capabilities, culture, law and the (quid pro quo) politics of intelligence exchange with foreign services will come into play. The Netherlands is a member (.pdf) of the SIGINT Seniors Europe (SSEUR) in relation with the U.S. government, but that does not mean that anything goes in NL->US data sharing. For instance, Dutch academics Beatrice de Graaf and Constant Hijzen in a book chapter on the Dutch intelligence community in a transatlantic context state (2012) that different privacy laws, human rights concerns and legal standards of the Dutch services “put a brake on their relationship with American services and agencies”. A historic anecdote from Dutchbat (Dutch battalion under U.N. command during UNPROFOR in Bosnia 1994-1995) that seems to illustrate this can be found on page 239-242 of Srebrenica: a ‘safe’ area — Appendix II — Intelligence and the war in Bosnia 1992-1995: The role of the intelligence and security services (.pdf, Cees Wiebes, 2003/2004):

A secret request to the MIS: a suitcase for Dutchbat

The MIS would have been able to acquire a good intelligence position if a secret American offer had been accepted. Staff of American, Canadian, British and Dutch intelligence services confirmed that the NSA intercepted only few conversations in Eastern Bosnia. The Americans had problems with their Comint coverage, although they intercepted fairly large quantities of information. Communications via walkie-talkies presented a problem however, as described in the previous section. This provided an opportunity for the Netherlands. The Head of the MIS/CO Commander P. Kok – he occupied this post from 1 January 1994 to 25 June 1995 – was approached by the CIA representative in The Hague immediately after Kok took up his post at the start of 1994. Dutchbat I was then about to leave for Srebrenica and the CIA made an offer ‘which you cannot refuse’.

Kok was told the following. The NSA, it appeared, had a serious problem: the service was unable to intercept communications via Motorola walkie-talkies in and around the eastern enclaves. The range of such communications equipment was no more than about 30 km. The Americans wanted to set up an interception network at various points in the Balkans, and envisaged Srebrenica as one of these points. They proposed setting up a reception and transmission installation at a number of OPs in the enclave. This involved equipment with the format of two ‘samsonite’ suitcases. One suitcase was for interception of the traffic, and the other provided a direct link to an Inmarsat satellite. The intercepted messages would be shared with the MIS. In exchange for this cooperation the MIS was also offered other ‘broad’ intelligence, taken to mean also Imagery Intelligence.

[…]

The CIA, also acting on behalf of the NSA, is said to have asked five or six times between March 1994 and January 1995 whether the MIS would cooperate in this project. Kok always had to reply in the negative. Kok was to try five times to get approval from the MIS/Army for this idea. He tried again with Bosch’s successor as Head of MIS/Army, Colonel H. Bokhoven. According to Bokhoven, Kok passed this request to him just once; he could not recall that Kok said that he had been approached by the CIA several times. Kok presented this to Bokhoven as a ‘spectacular’ proposal, but Bokhoven considered that the MIS should not cooperate in this project. He viewed it as an offensive intelligence task that did not fit the context of UNPROFOR, and also felt it was more suitable for the intelligence services of other countries. Bokhoven confirmed to the author that he had refused to cooperate in the installation of these Comint devices in the enclave.

[…]

EOF

Contribution to “Het beste idee van 2014” (“The best idea of 2014”): mandatory thinking about pervasive internet surveillance

Jos Baijens of Uitgeverij de Wereld (@wereldboeken) asked, and I quote, “more than 100 men and women, thinkers, writers, artists, entrepreneurs and scientists from Dutch and Flemish universities” to briefly describe what they consider the best idea of 2014. That exercise produced the fascinating collection Het beste idee van 2014, which appeared in November 2014. It is the second time such a collection has appeared: Het beste idee van 2013 appeared in 2013.

Uitgeverij de Wereld makes all the ideas publicly available, but I recommend that everyone buy the printed edition, and I am not saying that merely as an interested party (a “WC-Eend”, in the Dutch idiom) who was allowed to submit a contribution: rarely do you find such a diverse collection of ideas described in a single publication, one that would not look out of place on anyone’s bookshelf. NRC Next and NRC Handelsblad, Fokke en Sukke included, covered it: see excerpts here and here.

For the 2013 booklet I wrote about the idea of Dr. Karst Koymans, program director of the UvA master’s program OS3/System and Network Engineering, to arrive at an “internet mathematics” and to reinvent the internet based on, or guided by, mathematical principles. Current internet protocols are specified in natural language (English); that language is often not unambiguous, and differences in interpretation can then give rise to vulnerabilities or (other) unexpected behavior.

For the 2014 booklet I write about the consensus decision of the Internet Engineering Task Force (IETF), recorded in RFC 7258, to regard pervasive monitoring on the internet (by governments, big data, criminals, etc.; but by extension also think of the manipulation of internet traffic by marketing companies such as the British Phorm and, as became known more recently, the American Verizon) as a technical threat that must be thought about when new internet protocols are developed:

Mandatory thinking about pervasive internet surveillance

How everything on the internet “talks” to everything else is largely laid down in technical internet standards. An internet standard starts with an idea for a change or new functionality. Under the umbrella of the Internet Engineering Task Force (IETF), that idea is written up in a “Request for Comments” document (RFC), which experts discuss among themselves and refine. This process is fully open: anyone with relevant knowledge and insights can take part. After software makers implement the idea, it can reach maturity and obtain the status of internet standard. In this way, roughly, the internet has been built out a little further each time over the past decades into what it is now.

Because of concerns about deficient security, it was decided in 1993 (RFC 1543) that new standards must include a “Security Considerations” section. This section contains a discussion of possible threats to and attacks on the protocol described in the standard. After several years of experience with writing such sections, it was clarified in 2003 (RFC 3552) what exactly must be in that section: it must describe which digital attacks are relevant to the communication protocol being described, which are not, and why. For the relevant attacks, it must describe whether the protocol protects against them or is vulnerable to them. Among other things, attention must be paid to eavesdropping (confidentiality), to the injection, modification or deletion of data (integrity), and to denial-of-service attacks that can disrupt services based on the protocol (availability). Such a section will never be 100% complete initially, but it does lead to improved security on the internet. Moreover, RFCs are living documents and updates can be made.

The Snowden revelations have shown that intelligence services, especially the American NSA and the British GCHQ, are active on the internet on a large scale, using a variety of methods, to collect intelligence. Within IETF circles there is consensus that “pervasive monitoring” is taking place and that it constitutes a threat to internet users.

Intelligence services should work in as targeted a manner as possible, not with untargeted dragnets. The best idea of 2014, as far as I am concerned, is the IETF’s decision to regard pervasive monitoring as a threat (RFC 7258) and to develop an approach for dealing with this complex subject in new standards. For all new standards, this must be thought about, and it must be indicated how protection is (or is not) provided against pervasive monitoring. This can potentially lead to a considerable improvement of internet standards with respect to this threat. The momentum that now exists as a result of Snowden is the key to a more privacy-friendly internet.

Concretely, the idea has already led to HTTP 2.0, the new version, still under development, of the protocol used when you visit websites, being encrypted by default. The “padlock in the browser” then becomes the norm rather than the exception. Better three decades late than never.

An obligation to think about something is of course no guarantee of a good result. Much can be said about that padlock in the browser and about the drawbacks and vulnerabilities of the centralized PKI CA model. But an obligation to think about this topic is a step in the right direction. The IETF process is an open process in which, in principle, anyone who has useful insights and knowledge/skills can join in and think along, and therefore also offer criticism.

Finally, here is the full table of contents of “Het beste idee van 2014”:

9 Voorwoord
11 Aardse opwarming: onze grootste morele uitdaging – Herman Philipse
14 Van 24/7 naar 48/7, het gaat gebeuren – Erik Hoving
17 VDL NedCar – Michaël van Straalen
19 Verplicht nadenken over internetsurveillance – Matthijs Koot
22 De wet van de toenemende ergernis – Ignaas Devisch
24 De kas als integraal onderdeel in het gebouwontwerp – Paul de Ruiter
27 Een bittere pil – Johan Polder
30 Steden met gevoel voor humor – Anton Nijholt
32 Een robot voor microchirurgie – Raimondo Cau
34 Het analyseren van transport in levende cellen – Wim van Saarloos
36 Minder is meer – Ionica Smeets
38 Nieuwe methode om leverziekte vast te stellen – Mathieu Vinken
40 Omgaan met risico’s en onzekerheid in het onderwijs – Genserik Reniers
42 Herbouw Europa van onderop – Rob Vinke
44 Greening by ICT – Jacqueline Cramer
46 Barack Obama, de hamer en de spijker – Ruud Janssens
48 Het beste idee van 2014 volgens Etty Hillesum (1914-1943) – Klaas Smelik
50 Een beeld spreekt de taal van de wiskunde – Ann Dooms
52 The Ocean Cleanup – Lieselot Bisschop
54 Niet alleen innoveren maar ook investeren – Jaap Schouten
56 Gezegend met een garage – William de Bruijn
58 Wie wil lezen, moet wandelen – Paul van Tongeren
60 Management 2.0 – Sjoerd Romme
62 Dubbelmandaat voor leden Europees Parlement – Herman Lelieveldt
64 De programmeertaal van het leven is uitgebreid – Bennie Mols
66 Efficiënter financieren van onderzoek – Rinus Plasmeijer
69 Zeewier – Klaas Timmermans en Henk Brinkhuis
72 Organen op bestelling – Marco van Beers
74 Een Japanse wc – Meindert Fennema
76 Maak de ondergrond doorzichtig! – Salomon Kroonenberg
78 Waterstof meten zonder het milieu te belasten – Erik Puik
80 Het nieuwe animisme – Mireille Hildebrandt
82 Betrouwbare informatie – Gie Goris
85 Leren van positieve afwijkingen – Wil van der Aalst
88 De waarde van een slechte herinnering – Bernhard Hommel
91 De zoetwatervaren Azolla: een gewas rijk aan kansen – Peter Bijl e.a.
94 Tegen het cornucopianisme – Jan Abbink
97 Meer vensters op de middeleeuwen – Erik Kwakkel
99 Echt duurzame oplossingen blijven dicht bij de natuur – Cees Buisman
101 Gewenste bijwerkingen – Frank Kruyt
103 Het recht wordt echt gebeten door een kat – Jan Smits
105 De ontdekking van de toekomst – Jan Auke Walburg
107 Robot kunstbenen – Bram Vanderborght
109 Fabrikant wordt leverancier van diensten – Egbert-Jan Sol
111 Een gat in het water – Bernet Meijer
113 Opsporen van diabetes met netvlies laserscans – Bart ter Haar Romeny
115 De paradox van de (palliatieve) thuiszorg – Wim Distelmans
117 Elke dag een aspirientje tegen kanker – Martina Cornel
119 Sociaal-maatschappelijke softwarekritiek – Joris van Zundert
122 Stilte – Chris van der Heijden
124 Plasmafysica en stof tot nadenken – Job Beckers
126 Diversiteit – Louise Vet
128 Tegendraadse jongeren? Ideologiecritici anno 2014 – Stijn Vanheule
130 De eindexamens Nederlands – Marc van Oostendorp
132 Leren van de natuur – Bas Teusink
134 Ongeschikt / Geschikt voor het ouderschap – Marjolein van den Brink
136 Naar een hoogwaardige recensiesite – Jaap Goedegebuure
138 Senexisme – Rien van IJzendoorn
140 Het voorspellende brein – Marc Slors
142 Onze auto als elektriciteitscentrale – Ad van Wijk
144 The Internet of Things, maar dan buiten… – Nick van de Giesen
146 De Industriële Evolutie – Guszti Eiben
148 Genieten, dat is menselijk – Joachim Duyndam
150 Kapitalisme is niet de markt – Irene van Staveren
152 De MOOC – Ibo van de Poel
154 Mijn beste idee is geen goed idee – Bob de Graaff
156 Technology for Humanity – M. Birna van Riemsdijk
158 Huid op huid – Rinie van Est
160 Betaalbare nieuwe werelden op het hoofd – Karolien Poels
162 Een Europees Burgerlijk Wetboek – Jac Rinkes
164 Reverse vending machine – Stefan Landsberger
166 Beton dat zichzelf heelt – Nele de Belie
168 Cybercouture: je mobieltje opladen met je jurk – Anneke Smelik
170 Rijkstraineeprogramma 45+ – Marcel Kleijn
172 Ice Bucket Challenge – Elke Devroe
174 Kleurrijk vakwerk – Joep Geraedts
176 De Piramide van Technologie – Janienke Sturm
178 Akoestische oplading van mobiele apparaten – John Schmitz
180 Innovatie in transition – Karen Maex
182 Vergeten vragen opwerpen – Tazuko van Berkel
184 Circulair ondernemen: verdwijntruc of impact? – Anne-Marie Rakhorst
186 Epidemieën meten en bewijzen – Miquel Ekkelenkamp Bulnes
188 Hoe stof zoveel stof kan doen opwaaien – Eric Bergshoeff
190 De gastvrije stad – Joan Almekinders
192 De smogring – achter de wolken schijnt de zon – Angèle Reinders
196 Ectoplasma – Marcel van Eeden
198 Boyhood, een film van Richard Linklater – Bart van Heerikhuizen
200 De Einstein-telescoop – Raimond Snellings
202 Maker education – Inge de Wolf
204 De Startersbeurs – Ton Wilthagen
206 Klassikaal studeren – Martijn Schut
208 Het beste niets ooit gemaakt: een blok silicium – Caspar van der Wal
210 GoodHout – Jasper Kuijk
212 Sociale economie – Rudi Laermans
214 Wat als we robots zien als vriend? – Marieke Blom
216 Nederland moet slim exporteren – Désirée van Gorp
218 De biologie van de financiële markten – Ad van de Gevel en Charles Noussair
223 ‘Ik weet waarom de gekooide vogel zingt’ – Sarah De Mul
226 Het beste idee ontstond in een jongenskamer – Vivianne Bendermacher
228 Rechtstreekse verkiezing van de ‘President van Europa’ – Henri de Waele
230 Clubs voor huisvesting – Maarten Huygen
232 3D-printen van biologische structuren – Pascale Dijkers
234 Voedsellabels en private voedselstandaarden – Miet Maertens
236 Slow Science – Patrick Degryse
238 Google Cardboard – Sander Veenhof
240 De evolutie van vertrouwen – Sander Duivestein
242 Future Ideas en CHAT – Peter van Gorsel
244 Europa, het Brugge van de wereld, maar dan creatiever – Willem Elias
246 Vrije wil dankzij de hersenen – Pim Haselager
248 Maatschappelijk Verantwoord Innoveren – Jeroen van den Hoven
250 Over economie, liefde en geluk – Harry Commandeur
252 Evenwicht, hersenplasticiteit en kosmonauten – Floris Wuyts
256 Doorpakken met die kwantumcomputer! – Lieven Vandersypen
258 Klimaatslimme landbouw – Rudy Rabbinge
260 Flexibele migratie – Bas de Gaay Fortman
262 Het Nieuwe Nut – Annemieke Roobeek
266 Met wat hulp van de zon – Geert van de Wouw
269 Prefiguration – Rivke Jaffe
272 Het gaat zoals het gaat – Hans de Bruijn
274 Een grote pot, zodat we er geen potje van maken – Bart Knols
277 Licht in de concertzaal – Sander van Maas
280 Door de geschiedenis gaan – Wim Willems
282 Stella: ’s wereld eerste gezinswagen op zonne-energie – Lex Hoefsloot
284 Nut en noodzaak van extra veiligheidsmaatregelen – Ira Helsloot
286 Color me bad – Stacy Suy
288 Hightech landbouw: nodig en uitnodigend – WUR
292 Organisaties moeten kunnen falen – Arjen van Witteloostuijn
294 “Ik geloof in goed bedacht” – Margot van Mulken
296 Overal stroomt mijn oog – Anja de Feijter
298 Een revolutionaire in de moleculaire biologie – Paul Coucke
300 De identiteit van de Europese Unie – Jaap Hoeksma
302 Laat ons vrij zijn – Francisco van Jole
304 Geef de wetenschap een nieuwe motor – Maarten Keulemans
307 In-body communicatie – Mark Bentum

EOF

Dutch Minister of Defense seeks to replace submarines by 2025

As stated on the MoD’s website, the submarines are tasked with reconnaissance, collecting intelligence, conducting coast reconnaissance, laying sea mines and putting special forces from the Netherlands Marine Corps ashore.

The MoD’s budget plans (.pdf) show a significant increase in budget for submarines in the period 2023-2027 (from Table 1, numbered page 108):

  • 2015: 93M euro
  • 2016: 81M euro
  • 2017: 76M euro
  • 2018: 60M euro
  • 2019: 79M euro
  • 2020: 79M euro
  • 2021: 73M euro
  • 2022: 53M euro
  • 2023: 553M euro <—
  • 2024: 553M euro <—
  • 2025: 553M euro <—
  • 2026: 553M euro <—
  • 2027: 553M euro <—
  • 2028: 53M euro
  • 2029: 53M euro

So the costs associated with replacement appear to be estimated at some 5 x 500M euro = 2.5 billion euro.

In June 2015, the Dutch cabinet released its vision (in Dutch) on the future of the submarine service. Page 11 contains a table that shows the present international cooperation concerning submarines. Here is a translation of that table:

[Image: translated table of international cooperation concerning submarines]

UPDATES (from new to old)

UPDATE 2021-05-29: Ministry of Defense informs the House of Representatives about progress on the new submarines (in Dutch).

UPDATE 2017-01-06: this unrelated report mentions Naval Group (France), TKMS (Germany) and Saab Kockums (Sweden) as runners in the Dutch submarine replacement tender.

UPDATE 2017-07-20: the new four-party coalition government decided on a new minister of defense: Ank Bijleveld. The coalition agreement 2017-2021 (.pdf) does not specifically mention submarines, but does mention that “necessary investments in replacing and modernizing material will be sustainably financed”. Furthermore: “In Europe, the Netherlands will insist on a level playing field. This creates room for European production, trade and innovative industry. Regarding investment bids, the Netherlands will, for economical and national security reasons, reserve the right to a broad interpretation of Article 346 of the Treaty on the Functioning of the European Union of 2007.” (links added by me).

UPDATE 2017-07-04: NOS reports that the Dutch House of Representatives agreed that the Dutch minister of defense, Jeanine Hennis, can proceed with the replacement of submarines.

UPDATE 2017-06-17: new book on Dutch submarine espionage in 1968-1991 Cold War era reportedly (in Dutch) reveals some secrets: “In het diepste geheim“, by independent Dutch navy journalist Jaime Karremann of Marineschepen.nl (Twitter: @marineschepen), is scheduled to be released on June 21st — notably while attempts to form a new Dutch government following the 2017 national elections are still ongoing. The new government, whatever it will look like, will have to agree on government spending for the next years, and that includes the amount of funding made available for the replacement of submarines.

UPDATE 2016-08-09: the name of the MoD project for replacing the submarines is “Vervanging onderzeebootcapaciteit” (VOZBT). (source)

UPDATE 2016-06-17: according to a news report on the Dutch MoD website, Jeanine Hennis, the Dutch Minister of Defense, has stated that the military-functional requirements that will apply to the submarine procurement/selection process will be as follows (note: the following is my translation from Dutch): “deterrence power, and large and precise maritime battle power to protect, among others, surface ships, and thereby provide capabilities for strategic influencing, the power to influence opponent actions through relatively modest use of military power”. Furthermore, the submarines must be able to “gather, analyse and share intelligence” on a global basis, and be able to be used as “a base for special operations”. The Netherlands “hopes to involve Australia, Germany, Norway and Sweden in the replacement process”. Until mid-2018, an investigation is ongoing to determine to what extent the requirements can be met.

UPDATE 2016-02-26: comments (in Dutch) from KIVI work group ‘Politics & Defense/Security Technology’ (mirror .pdf) to the vision (in Dutch) published by the Dutch cabinet on June 11th 2015.

UPDATE 2015-10-27: a hearing / round table about the vision is scheduled on December 2nd [postponed to March 16th 2016], followed by a General Meeting scheduled on December 10th [postponed to March 23rd 2016].

UPDATE 2015-06-11: the Dutch cabinet published a vision (in Dutch) on the future of the submarine service. I appended a translation of the table showing international cooperation concerning submarines (from page 11) to the post below.

EOF