Calling Bullshit in the Age of Big Data – free/open lectures, tools and case-studies from Washington U Spring 2017 class

The University of Washington had a Spring 2017 class entitled “Calling Bullshit in the Age of Big Data” and makes available the lecture materials at (Syllabus, Videos, Tools, Case Studies, FAQ).

Lecture titles:

  1. Introduction to bullshit
  2. Spotting bullshit
  3. The natural ecology of bullshit
  4. Causality
  5. Statistical traps
  6. Visualization
  7. Big data
  8. Publication bias
  9. Predatory publishing and scientific misconduct
  10. The ethics of calling bullshit.
  11. Fake news
  12. Refuting bullshit

The course (Twitter: @callin_bull) was created by (mathematical) biology professor Carl T. Bergstrom (Twitter: @CT_Bergstrom) and associate professor data science and ‘science of science’ Jevin West (Twitter: @JevinWest), both affiliated with the University of Washington.

Coverage at The New Yorker: How to Call B.S. on Big Data: A Practical Guide (this link was posted at Hacker News).

Coverage at Explosive growth in bulls**t studies! The latest academic frontier in the age of You Know Who .

Further reading:


EU LIBE proposes end-to-end encryption in e-Communications; and, re: Privacy Shield, WP29 seeks, i.a., “precise evidence” from U.S. that bulk collection is “as tailored as feasible”, limited and proportionate

This post shortly highlights two developments regarding EU internet privacy/security.

1. EU LIBE proposes amendment of draft e-Communications regulation to promote end-to-end encryption, seeks prohibition of Member State legislation that would “[weaken] security and encryption”

The EU LIBE Committee released a draft report (.pdf), dated June 9th 2017, on the proposed e-Communications regulation, and specifically promotes end-to-end encryption in Amendment 116:

“The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data. (…)”

The remainder of that amendment seeks prohibition of nation-level legislation that would “[weaken] security and encryption of their networks and services”:

“The Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.

This, of course, is at odds with interests regarding intelligence & security, which range from the ability to detect & thwart computer network attack/exploitation to the ability to detect and monitor plans to sabotage or steal military equipment or dual-use goods (Wassenaar). It is certainly different from the direction where the European Commission has been heading for years; to that end, also take a look at the The Effect of Encryption on Lawful Access to Communications and Data (.pdf, February 2017, Center for Int’l Security Studies; by Lewis, Cheng & Carter).

The promotion of end-to-end encryption by EU LIBE is not unexpected: part 2 of the STOA study “Mass Surveillance”, dated January 2015, recommended the promotion of end-to-end encryption, and provided several policy options for that. Specifically, see the last paragraph of the following section in the management summary (all emphasis is original) :


Policy options for the ‘Promote adoption’ scenario

Promote end-to-end encryption

Stimulate awareness of the necessity of using encryption by initiating a media campaign, as awareness of privacy risks is quite low.

Increase the knowledge level of end-users, both individuals and responsible departments in organisations, by setting up an independent platform where users can find information on tools, implementation, do’s and don’ts etc.

Support product security tests by independent institutions such as the Electronic Frontier Foundation that help users make better-informed choices. Support can be a financial contribution, but also promotion of the results. Alternatively the EU can set up its own regular product security test programme.

A parallel option is to stimulate user-friendliness of end-to-end encryption solutions, for instance by promoting existing user-friendly end-to-end encryption solutions for e-mail, messaging, chat etc. Dedicated funding or participation in open-source software end-to-end encryption solutions is also an option to specifically improve user-friendliness.

If the market does not provide security with end-to-end encryption by itself, regulation should be considered, obliging service providers and/or Internet service providers to provide end-to-end protection as standard for data in transit. An additional benefit of regulation would be a concrete political discussion on the balance between privacy and law enforcement and national security, at European and/or national level. The outcome of this debate should be implemented in national legislation.


I’m not sure what LIBE’s intent / expectation is wrt Amendment 116; to me, it looks like something that is not intended to be adopted “as is” as part of the e-Communications regulation, but rather as something to stimulate debate, which could have a beneficial effect on the final regulation. But I may be wrong.

2. Re: Privacy Shield, WP29 seeks, i.a., “precise evidence” from U.S. that bulk collection is “as tailored as feasible”, limited and proportionate

On June 13th 2017, the Article 29 Working Party (“WP29”) released a press statement (.pdf), entitled “Preparation of the Privacy Shield annual Joint Review”, that references bulk collection, e.g. of communication or databases containing data about persons, in relation to the EU/US Privacy Shield:

“Regarding the law enforcement and national security part, the WP 29 has questions relating in particular to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks, inter alia, precise evidence to show that bulk collection, when it exists, is “as tailored as feasible”, limited and proportionate. In addition, the WP29 stresses the need to obtain information concerning the nomination of the four missing members of the PCLOB as well as on the appointment of the Ombudsperson and the procedures governing the Ombudsperson mechanism, as they are key elements of the oversight architecture of the Privacy Shield.”

Tip of the Hat to Bavo Van den Heuvel (Twitter: @BavoCranium), who highlighted this in a post on LinkedIn.

Unrelated side note: the revision of the Dutch Intelligence & Security Act of 2002 (“Wiv2002”), tentatively referred to as “Wiv20xx”, expands the Wiv2002 such that the Dutch intelligence and security services (domest: AIVD; military: MIVD) can perform untargeted / bulk search interception of cable communications, and explicitly allows acquisition of bulk data sets through hacking or voluntary cooperation (for instance through remote access); not unlike the bulk powers in the U.K. (more). The oversight framework is significantly revised as well, for instance through addition of ex ante oversight. The Wiv20xx was adopted by the Dutch lower house in Q1/2017 and is now being evaluated by the Dutch senate; its status in the legislative progress can be seen here.


[Dutch] Wetsvoorstel “VOG politiegegevens”: politiegegevens als zelfstandige weigeringsgrond bij VOG-beoordeling

TL;DR: het concept-wetsvoorstel “VOG politiegegevens” beoogt het mogelijk te maken een VOG ook te kunnen weigeren op grond van politiegegevens, zonder dat sprake is van een strafblad. De concept-MvT stelt dat het voorstel is gericht op functies betreffende BOAs, DJI, en OM, maar de tekst van het concept-wetsvoorstel beperkt het niet tot die functies; uitbreiding naar andere functies wordt overgelaten aan AMvB en ministeriële regeling (dus: beslissing minister, zonder tussenkomst Tweede Kamer).
In de wereld van IT-beveiligers bestaan situaties waarin (mogelijk) behoefte is aan screening die verder gaat dan een VOG, maar het zwaardere VGB (screening door AIVD/MIVD) niet mogelijk is: die kun je, anders dan een VOG-screening, als opdracht-/werkgever niet zomaar aanvragen; dat kan alleen voor aangewezen vertrouwensfuncties. Het ‘gat’ tussen VOG en VGB kan, althans t.a.v. politiegegevens, niet worden ingevuld door particuliere screeningsbedrijven: zij hebben geen toegang tot politiegegevens.
Vraag: zou het wenselijk zijn de werking van dit wetsvoorstel uit te breiden naar functies in de private sector, en zo ja, hoe zou een beoordelingskader eruit kunnen zien voor besluitvorming een VOG op grond van politiegegevens te weigeren aan personen die betrokken zijn bij bijv. red teaming, penetratietests, en kwetsbaarhedenscans,  en als zodanig regelmatig en soms hoge toegangsrechten hebben of mogen verwerven tot gegevens, systemen en netwerken
? Denk bijvoorbeeld aan een geseponeerde zaak wegens computercriminaliteit: onschuldpresumptie versus belangen bij VGB-beoordeling.

Het concept-wetsvoorstel “Verklaring Omtrent Gedrag (VOG) politiegegevens”, dat momenteel in consultatie is (einddatum: 12 juli 2017), ziet op uitbreiding van VOG-weigeringsgronden van justitiële/strafvorderlijke gegevens naar politiegegevens. Justitiële/strafvorderlijke gegevens betreffen beslissingen van het OM en de rechter (lees: strafblad), en gegevens die op het niveau van het OM en de rechterlijke macht zijn verzameld. Politiegegevens zijn veel ruimer: “elk persoonsgegeven dat in het kader van de uitoefening van de politietaak wordt verwerkt” (Artikel 35, eerste lid, Wjsg).

Beoogd wordt het mogelijk te maken politiegegevens als zelfstandige weigeringsgrond te hanteren bij de VOG-beoordeling, althans voor functies die voldoen aan bij Algemene Maatregel van Bestuur (AMvB) te bepalen criteria, bij ministeriële regeling vast te stellen. De concept-Memorie van Toelichting (MvT) van 7 maart 2017 van het wetsvoorstel stelt daarbij:

“(…) Bij deze functies wordt vooralsnog gedacht aan functies binnen het veiligheidsdomein zoals bij de DJI, BOA’s en het OM. Voor personen met een functie die een hoge mate van integriteit vereist, bestaat reeds een afwijkende termijn voor de gegevens die mee kunnen wegen bij de beoordeling van de VOG-aanvraag. De terugkijktermijn is voor deze functies niet beperkt tot de standaardtermijn van vier jaren, maar is langer. In principe geldt een terugkijktermijn van tien jaren, zoals bij BOA’s het geval is. Voor bepaalde functies, zoals inrichtingspersoneel van de DJI, is deze termijn in de Beleidsregels VOG NP-RP 2013 verder verlengd tot dertig jaren.”

Vervolgens wordt een voorbeeld gegeven:

“Graag geef ik een voorbeeld van een zaak van een persoon met een functie die een hoge mate van integriteit vereist waarbij politiegegevens bij de VOG-beoordeling als zelfstandige weigeringsgrond van toepassing zouden kunnen zijn. Het betreft een zaak waarin uit de politiegegevens blijkt dat een potentiële BOA een geweldsincident in een horecagelegenheid heeft uitgelokt. De betreffende persoon was daarbij aantoonbaar onder invloed van alcohol en mogelijk ook van drugs. De politie was ter plaatse en heeft de man meegenomen voor verhoor en een blaastest. Wanneer bovendien blijkt dat volgens informatie van de politie de man meermalen dronken is gesignaleerd in uitgaansgelegenheden waarvan bovendien bekend is dat er veelvuldig harddrugs worden gebruikt en verhandeld, kan dit relevant zijn voor de beoordeling van zijn VOG-aanvraag. Van personen met een (toekomstige) functie die een hoge mate van integriteit vereist, mag immers verwacht worden dat zij een onberispelijke voorgeschiedenis hebben.”

Het wetsvoorstel ziet op de volgende politiegegevens:

(…) Bij personen met de bedoelde functies kunnen politiegegevens die wijzen op onbehoorlijk gedrag relevant zijn, ondanks dat er (nog) geen vervolging is ingesteld of veroordeling heeft plaatsgevonden. Vanwege het onbesproken gedrag dat een dergelijke persoon dient te hebben, is gekozen voor verstrekking van de politiegegevens, bedoeld in de artikelen 8, 9, 10, eerste lid, onderdelen a en c, en 13 van de Wpg. Dat betekent dat bij de beoordeling van de VOG die kan worden geweigerd op basis van politiegegevens gebruik kan worden gemaakt van de volgende politiegegevens:

  1. politiegegevens die worden verwerkt met het oog op de uitvoering van de dagelijkse politietaak (artikel 8 Wpg);
  2. politiegegevens die worden verwerkt ten behoeve van een onderzoek met het oog op de handhaving van de rechtsorde in een bepaald geval (artikel 9 Wpg);
  3. politiegegevens die worden verwerkt met het oog op het verkrijgen van inzicht in de betrokkenheid van personen bij het beramen of plegen van bepaalde ernstige misdrijven (artikel 10, eerste lid, onderdeel a, Wpg);
  4. politiegegevens die worden verwerkt met het oog op het verkrijgen van inzicht in de betrokkenheid van personenbij handelingen die, gezien hun aard of frequentie of het georganiseerde verband waarin zij worden gepleegd, een ernstige schending van de openbare orde vormen (artikel 10, eerste lid, onderdeel c, Wpg); en
  5. politiegegevens als bedoeld in de artikelen 8, 9 en 10 van de Wpg die ten behoeve van de ondersteuning van de politietaak verder worden verwerkt (artikel 13 Wpg).

De omstandigheden waarin een VOG op grond van politiegegevens zou kunnen worden geweigerd, moeten nog worden uitgewerkt:

“De afgifte van een VOG kan alleen worden geweigerd indien er met betrekking tot de aanvrager relevante politiegegevens bestaan met het oog op de functie waarvoor de VOG is aangevraagd. Het enkele feit dat de aanvrager voorkomt in de politiesystemen is onvoldoende grond om de afgifte van de VOG te weigeren. Bij de beoordeling van de politiegegevens zal bijvoorbeeld rekening worden gehouden met het soort gegeven, de frequentie en de actualiteit van de gegevens. Dit beoordelingskader zal in de beleidsregels VOG van Justis verder worden uitgewerkt.

Men houdt rekening met een flinke hit-rate wanneer in politiegegevens wordt gezocht naar VOG-aanvragers (NB: het is me duidelijk waarop deze inschatting is gebaseerd en of het gaat over alle VOG-aanvragen of alleen VOG-aanvragen voor de functies waar het wetsvoorstel thans voor is bedoeld):

“Burgers kunnen op verschillende manieren voorkomen in de politiesystemen. Niet alleen als verdachte, maar ook als getuige, aangever of anderszins. Ter voorbereiding van het wetsvoorstel wordt nader bezien hoe vaak personen voorkomen in de politiesystemen.

Bij de keuze voor een hit/no hit systeem gaan politie en Justis er op dit moment vanuit dat op jaarbasis 50% van de VOG aanvragen een hit oplevert en in welke zaken aan de politie om toezending van de beschikbare gegevens wordt verzocht.”

Het concept-MvT bevat een schatting van het aantal functies dat (sowieso) binnen scope van het wetsvoorstel valt: het aantal aanvragen voor functies in de groepen Buitengewoon Opsporings Ambtenaar (BOAs), Dienst Justitiële Inrichtingen (DJI) en het OM is 16.200.

In 2016 zijn er in totaal maar liefst 950.000 VOG-aanvragen behandeld. De concept-MvT laat, logischerwijs, de mogelijkheid open dat politiegegevens ook voor andere functies als zelfstandige weigeringsgrond zouden kunnen worden gebruikt; dat kan bij AMvB en ministeriële regeling worden bepaald.

Vanuit mijn eigen beroepsveld, informatiebeveiliging, zou ik me bijvoorbeeld kunnen voorstellen dat er omstandigheden bestaan waarbij je de betrokkene, ondanks een schoon strafblad, misschien liever niet positief door de VOG-beoordeling ziet komen. Dan valt te denken aan politiegegevens waarbij betrokkene in relatie wordt gebracht met activiteiten die onder de Wet Computercriminaliteit vallen. Tegelijkertijd wil je, gezien de aanhoudend grote vraag naar ervaren IT-beveiligers, vermijden dat bonfide hackers die in het verleden (een jaar terug? drie jaar terug? vijf jaar terug? langer?) ongevraagd onderzoek verrichten naar systemen, netwerken en applicaties van derden, die daarvan aangifte deden zonder dat het OM daarop ging vervolgen, geen VOG zouden kunnen krijgen op basis van politiegegevens daarover. Het zou m.i. interessant zijn om, als (prematuur) gedachtenexperiment, na te denken hoe (en hoe niet) voor het IT-beveiligingsveld een beoordelingskader er uit zou kunnen zien voor weigering van een VOG op grond van politiegegevens. Daarbij gaat het natuurlijk niet alleen om hacking-zonder-veroordeling, maar in beginsel om alle zaken die kunnen raken aan betrouwbaarheid; zoals in potentie ook radicalisering of criminele contacten.

(Side note: het zwaardere Verklaring van Geen Bezwaar (VGB), waarbij een screening wordt uitgevoerd door de AIVD of MIVD en waarbij ook politiegegevens kunnen worden geraadpleegd, kan niet vanuit de private sector worden aangevraagd, en particuliere screeningsbedrijven hebben geen toegang tot politiegegevens; er is in die zin in de praktijk een ‘gap’ tussen de VOG en de VGB, en het is voorstelbaar dat er nu of in de nabije toekomst vanuit de private sector een roep komt om de scope van de voorgestelde wet per AMvB / ministeriële regeling uit te breiden van BOA/DJI/OM naar de private sector.)

Mogelijk leesvoer:

  • Vechten tegen spoken in de mist? Over veiligheidsonderzoeken voor vertrouwensfuncties en rechtsbescherming (.pdf, 2013, Nederlands Juristenblad; door Jon Schilder, Jan-Peter Loof en Kees Sparrius; zie p.290-298). Dit (rechts)wetenschappelijke artikel heeft betrekking op VGB-screenings, niet op VOG-screenings, maar bevat achtergronden, zienswijzen en argumentatie die, althans naar mijn lekenoordeel (ik ben techneut, geen jurist of beleidsmaker), wellicht informatief/sturend/afbakenend zouden kunnen zijn bij het denken over beoordelingskaders t.a.v. “VOG politiegegevens”.


After Ennetcom, Dutch police makes arrests re: PGP Safe, another Dutch company, for allegedly providing crypto phones to (primarily?) the underworld

On 10 May 2017, the Dutch Public Prosecution Office published a press release (in Dutch) regarding arrests made during police investigations into businesses for allegedly providing/selling crypto phones to criminals. Earlier, the Public Prosecution Office made public their investigation into the Nijmegen-based company Ennetcom. The present investigation involves the Amsterdam-based PGP Safe. Here is my (unofficial) translation of the official press release:

New arrests in the Netherlands for providing crypto phones to the underworld

10 May 2017 – Public Prosecution Office

The police has arrested four suspects on Tuesday May 9th in relation to the 26Sassenheim investigation into selling encrypted mobile phones and services to criminals. A 51 year old man from Guizen and a 66 year old man from Amsterdam are being detained on suspicion of money laundering. A 34 year old man from Amsterdam and a 24 year old man from Almere were also arrested. They would have provided support to the older men.

These are not the first arrests en detainments of provider of encrypted phones and services to the underworld. That also happened in April last year in the extensive investigation, 26DeVink, into the Ennetcom company in Nijmegen.

Crypto phones

The money laundering investigation 26Sassenheim was initiated by the Team High Tech Crime of the National Unit of Police. The investigation is focused on two main suspects who offered products and services to, primarily criminals under the trade mark ‘PGP Safe’. The suspects sold customized BlackBerry or Android smartphones that could only communicate in encrypted form. These phones were sold for EUR 1200, on the average. The payments mostly took place as cash payments at public roads.

The Public Prosecution Office suspects the men of laundering part of the yields. The two were presumably supported by family members.

Since 2014, at least 34 Dutch police investigations exist where crypto phones, that the suspects provided, played a role. The investigations involve, among others, (attempted) liquidation and international organized trade in drugs. Police and the Justice Department have clues that suggest the main suspects knew that their products and services were mostly used by criminals in committing such offenses.

Millions of Euro’s and luxurious vehicles

The police and the National Public Prosecutor have searched buildings at eleven locations in the Netherlands. This was done in cooperation with the tax intelligence and investigation service, FIOD. The searches took place in the municipalities of Amsterdam, Huizen, Koggenland and Zandvoort in the province of North Holland, and in Almere and Zeewolde in the province of Flevoland.

A farmhouse of the suspect in Berkhout was seized, as well as a mansion in Amsterdam. The farmhouse has an estimated worth of EUR 600.000 and the building in Amsterdam has an estimated worth of EUR 1.6 million. The police has seized, in total, some 2 million Euro and thirteen vehicles, including luxury editions of Mercedes, Porsche and Audi. Hundreds of phones were found (both BlackBerry and Android phones) and large number of sim cards. Furthermore, 57 bank accounts in the Netherlands are frozen. Simultaneously, the FIOD entered two administrative offices to confiscate the suspects’ book keeping. Several searches were also carried out abroad.


The police and the Public Prosecution Office act against persons who (digitally) support or facilitate criminals and criminal organizations. They are prosecuted for laundering and there criminal capital is seized.


Following 26DeVink, the investigation into Ennetcom, 26Sassenheim is the second large-scale criminal investigation into providers of tools and services for encrypted communication. Both providers are suspected of having provided, to a vast number of criminal customers, means and services, to communicate in encrypted form about serious crime. 26DeVink is still ongoing. It has already yielded information: some 3.6 million messages were decrypted. The investigation into the content and usability of these messages is ongoing.

The Ennetcom case involved a company located in Nijmegen (NL) that sold PGP-enabled BlackBerry phones priced at ~EUR 1500, often with camera and mic removed. According to the Public Prosecution Service, some 40,000 phones were registered (by some 19,000 users). The phones could only communicate with other phones on Ennetcom’s network, and could be remotely wiped by Ennetcom (e.g. in case the phone is lost or stolen). The phones reportedly connected to a server at an IP address that was traced to the telecommunications hub / carrier hotel at 151 Front Street West, Toronto, Canada. On April 18th 2016, a Canadian judge authorized a search of Ennetcom’s server, and “the complete key management system” was found during that search (to my knowledge it is not certain what that refers to, but Symantec PGP Universal Server — part of PGP Support for BlackBerry BES — would be the obvious guess). Data was made available by Canada to the Dutch police on September 19th 2016, which enabled the Dutch police to decrypt user messages. While it is (to my knowledge) not clear what “data” entails here, precisely, the Mutual Legal Assistance in Criminal Matters Act (Re), 2016 ONSC 5699 (CanLII) states:

The Dutch authorities also discovered that the “keys” for the PGP encryption system were generated by the server, rather than by the device. As a result, the Dutch authorities came to believe that the keys to decrypt the PGP encrypted information, on the Ennetcom PGP BlackBerry devices, are stored on Ennetcom’s BlackBerry Enterprise Servers.

So, conceivably, the actual keys were present and handed over, and that was that; although alternative scenarios cannot be ruled out, depending on how the software implements key scheduling etc., in which decryption is not immediately straightforward, but some cryptanalytic method is involved that is feasible depending on whatever other information is present (e.g. all user identifiers, all ciphertexts per user, and all associations between all users, etc.).

Ennetcom’s servers are reported to have been configured such that messages are wiped/overwritten after 48 hours; nonetheless, according to the Public Prosecution Service, some 3,6 million messages were obtained. (Note: “message” as in “instant message”, not as in “email message”; a single conversation can be made up of multiple messages.)

The Public Prosecution Service press release states that prior to seizing Ennetcom’s servers, the police sent a message to all 19,000(ish) users, requesting that if they hold a special profession (such as lawyers, doctors, notaries or clergyman), they inform the police about that (presumably for reasons of due diligence); the police did not receive any response. It is reported that the data remains under Canadian control, and can not be shared further without court approval: “The fear is that unfettered disclosure would expose innocent people to the unjustified attention of police, just because they used an encrypted BlackBerry.”

On March 9th 2017, Ennetcom posted the following press statement:

Press release March 9th, 2017

In response to the press release of the public prosecution service today, in which the public prosecutor indicated to have “cracked” the servers, which the public prosecution had seized from client’s organization Ennetcom, announce I, as the client’s counselor, that first has to be determined, that the public prosecution has done these seizures under false pretenses, based on a suspicion of money laundering with the excuse as if the customers of the phones are criminals.

The file showed that the Ennetcom organization had tens of thousands of customers who bought the phones and the software through resellers and that the public prosecutor could name only 4 actual example cases in which there would have been a PGP phone purchased from a reseller. The company proved to have many customers nationally and internationally, also with governmental agencies and businesses, that wish to safely communicate without being hacked without any criminal reasons. The seizure of the servers was, so it seemed, more an attempt by the public prosecution to gain access on improper grounds to an immense amount of data of tens of thousands in order to “catch fish with a trail-net”.

As if KPN or any other telecom company would simply be invaded and all their possessions being plundered to see who sends a wrongful message.

The public prosecution now tries to give the impression that all servers were cracked, but states at the same time that 3.6 million messages were made accessible, apparently giving the impression as if this would mean a lot of communication. The public prosecutor mentions 40,000 users. However, one message is part of a conversation, so consecutive “yes”, “and then”, “what do you mean”, are three messages in one conversation.

Calculating the number of messages to the number of users, 90 messages per user would have been made accessible. Given the fact that the data on the servers was erased after 48 hours by default, in other words; the messages were destroyed, it would indeed mean for those 40,000 users with 3.6 million messages that only the last 48 hours were made accessible.

The public prosecution speaks in the press release remarkably about “encryption keys which were obtained by the public prosecutor and police during the investigation.” Client’s organization however did not obtain these keys. These keys are in possession of the company responsible for making PGP, namely Symantec. There are many other companies that sell their PGP products in the same way as the client’s company did. The “falling of this communication into the hands of” seems therefore involve a very shadowy area of irregularities and possibly the result of present-day wild hacking.

The public prosecutor assumes to get started on this “loot”, but the Canadian court had, and in my opinion deceived by the public prosecution service, based on the given suspicion, only authorized the use of the confiscated data for 4 defined and appointed investigations. And then there is always the question what messages can be linked to which cases and subsequently be linked to which physical entities.

That still seems a hack too much for me.

UPDATES (from new to old)

UPDATE 2018-03-14: yet another case involving PGP-enabled BlackBerry, this time about a Canadian-owned company named Phantom Security Communications aka Phantom Secure: Canadian Company Custom-Made Encrypted Phones for Cartels: FBI. It may have been active “as early as 2008 and continuing up to and including February 28, 2018” in the U.S. According to the indictment (.pdf), their marketing materials stated that on reception of new BlackBerry phones their technical team “removed the hardware and software responsible for all external architecture, including voice communication, microphone, GPS navigation, camera, Internet and Messenger service”. Customers paid $2000-3500 per six-month subscription.

UPDATE 2017-08-31: a blogpost by Bits of Freedom states that according to Inez Weski, defense lawyer in case spawn from the Ennetcom investigation, ‘the PGP [private] keys’ were located ‘at a different organization’ than the organization where the Canadian RCMP seized the (or an?) Ennetcom server.


Dutch Review Committee on the Intelligence & Security Services (CTIVD) to (self-)assess effectiveness of lawfulness oversight re: large-scale & data-intensive spying

The Dutch Review Committee on the Intelligence & Security Services (CTIVD) has published a press release (in Dutch) about a project it has started to review and uphold the effectiveness of its oversight on the lawfulness of the exercise of special powers by the Dutch intelligence services AIVD (non-military) and MIVD (military). Here is my translation of that press release:

Project Oversight 3.0

News | 25-04-2017 | 13:09

The technological possibilities for the AIVD and MIVD to acquire and analyze data have increased strongly. The Intelligence & Security Bill 20xx contributes to that. As a result of the expansion of the cable interception powers, the bill provides the AIVD and MIVD more possibilities to collect data. At the same time, the bill provides safeguards regarding the analysis of collected data and the deletion of data that is not relevant [to the exercise of the services’ tasks as defined by law]. The CTIVD oversees this. In the parliamentary debate on the bill, the question whether the CTIVD has sufficient in-house technical knowledge to keep pace with the developments. The professional field that the CTIVD must oversee changes, and the CTIVD adapts accordingly.

Objective of the project

Against this background, the CTIVD decided to set up project Oversight 3.0. The objective of this project is to make an inventory of how the organization and procedures of the CTIVD should be structured, so that effective oversight can also be carried out in the future. The emphasis is on the possibilities of (systemic) oversight on the acquisition, analysis and deletion of large amounts of data. Project 3.0 does not include investigation into lawfulness [note: this might have been mentioned because overseeing lawfulness is the normal/default task of the CTIVD, and this project is separate from & additional to that]. The CTIVD will report on this project in its annual report.

Data processing

To uphold effective oversight, the CTIVD must gain more insight into the data housekeeping at the services and the way in which they deal with large(r) data. Project Oversight 3.0 will provide insight into which instruments, organizational changes and technical means must be used by the AIVD and MIVD in support of implementing the new bill. The project also maps the data housekeeping, analysis and administration. The exchange of data/intelligence with national and international partners will be taken into account in this. Furthermore, the project focuses on the way in which the AIVD and MIVD implement safeguards in their systems and enable internal oversight [by the services themselves] and external oversight by the CTIVD [on those safeguards]. These insight will then provide the basis for structuring the CTIVD’s oversight in a way that fits to the new bill and further digitalization of our world.


Project Oversight 3.0 comprises a number of subprojects. There are focuses on topics such as the new power of investigation-oriented interception, the deletion of non-relevant data, and for instance automated data analysis [note: the bill introduces, or rather provides a more specific basis and powers corollary to the acquisition and processing of large data sets].


Oversight 3.0 is a project that will span multiple years. As a first step, an IT adviser has been hired per 1 September 2016. He is responsible for the execution of the project and will advise the CTIVD on what changes are necessary. The IT adviser is also involved in setting up the IT expert unit within the CTIVD. This expert unit will bring together specific technical knowledge. The unit will have various tasks, such as advising and supporting the legal experts, the joint exercise of investigations into lawfulness of the exercise of special powers, and advising the CTIVD on technically complex questions/problems. The unit is expected to consist of three persons.

At the start of 2017, the first subprojects of project Oversight 3.0 have commenced. An annual evaluation will be carried out as part of the project, based on which adjustments can be made to the project if necessary.

One might also recall that in 2014, the CTIVD decided to involve a group of academics in the oversight process. (I personally believe that both that decision, and project Oversight 3.0, are indicators of realism and strength on the part of the CTIVD.)