After Ennetcom, Dutch police makes arrests re: PGP Safe, a Dutch company, for allegedly providing crypto phones to (primarily?) the underworld

On May 10th 2017, the Dutch Public Prosecution Office published a press release (in Dutch) regarding arrests made during police investigations into businesses for allegedly providing/selling crypto phones to criminals. Earlier, the Public Prosecution Office made public their investigation into the Nijmegen-based company Ennetcom. The present investigation involves the Amsterdam-based PGP Safe. Here is my (unofficial) translation of the official press release:

New arrests in the Netherlands for providing crypto phones to the underworld

10 May 2017 – Public Prosecution Office

On Tuesday May 9th, the police arrested four suspects in relation to the 26Sassenheim investigation into the sale of encrypted mobile phones and services to criminals. A 51-year-old man from Huizen and a 66-year-old man from Amsterdam are being detained on suspicion of money laundering. A 34-year-old man from Amsterdam and a 24-year-old man from Almere were also arrested. They would have provided support to the older men.

These are not the first arrests and detentions of providers of encrypted phones and services to the underworld. That also happened in April last year in the extensive investigation 26DeVink into the Ennetcom company in Nijmegen.

Crypto phones

The money laundering investigation 26Sassenheim was initiated by the Team High Tech Crime of the National Unit of the Police. The investigation focuses on two main suspects who offered products and services, primarily to criminals, under the trademark ‘PGP Safe’. The suspects sold customized BlackBerry or Android smartphones that could only communicate in encrypted form. These phones were sold for EUR 1200 on average. Payment mostly took place in cash, on public roads.

The Public Prosecution Office suspects the men of laundering part of the yields. The two were presumably supported by family members.

Since 2014, at least 34 Dutch police investigations exist where crypto phones, that the suspects provided, played a role. The investigations involve, among others, (attempted) liquidation and international organized trade in drugs. Police and the Justice Department have clues that suggest the main suspects knew that their products and services were mostly used by criminals in committing such offenses.

Millions of Euro’s and luxurious vehicles

The police and the National Public Prosecutor have searched buildings at eleven locations in the Netherlands. This was done in cooperation with the tax intelligence and investigation service, FIOD. The searches took place in the municipalities of Amsterdam, Huizen, Koggenland and Zandvoort in the province of North Holland, and in Almere and Zeewolde in the province of Flevoland.

A farmhouse of the suspect in Berkhout was seized, as well as a mansion in Amsterdam. The farmhouse has an estimated worth of EUR 600.000 and the building in Amsterdam has an estimated worth of EUR 1.6 million. The police have seized, in total, some 2 million Euro and thirteen vehicles, including luxury editions of Mercedes, Porsche and Audi. Hundreds of phones were found (both BlackBerry and Android phones), as well as a large number of SIM cards. Furthermore, 57 bank accounts in the Netherlands have been frozen. Simultaneously, the FIOD entered two administrative offices to confiscate the suspects’ bookkeeping. Several searches were also carried out abroad.

Punishable

The police and the Public Prosecution Office act against persons who (digitally) support or facilitate criminals and criminal organizations. They are prosecuted for laundering and their criminal capital is seized.

Ennetcom

Following 26DeVink, the investigation into Ennetcom, 26Sassenheim is the second large-scale criminal investigation into providers of tools and services for encrypted communication. Both providers are suspected of having provided, to a vast number of criminal customers, means and services, to communicate in encrypted form about serious crime. 26DeVink is still ongoing. It has already yielded information: some 3.6 million messages were decrypted. The investigation into the content and usability of these messages is ongoing.

The Ennetcom case involved a company located in Nijmegen (NL) that sold PGP-enabled BlackBerry phones priced at ~EUR 1500, often with camera and mic removed. According to the Public Prosecution Service, some 40,000 phones were registered (by some 19,000 users). The phones could only communicate with other phones on Ennetcom’s network, and could be remotely wiped by Ennetcom (e.g. in case the phone is lost or stolen). The phones reportedly connected to a server at an IP address that was traced to the telecommunications hub / carrier hotel at 151 Front Street West, Toronto, Canada. On April 18th 2016, a Canadian judge authorized a search of Ennetcom’s server, and “the complete key management system” was found during that search (to my knowledge it is not certain what that refers to, but Symantec PGP Universal Server — part of PGP Support for BlackBerry BES — would be the obvious guess). Data was made available by Canada to the Dutch police on September 19th 2016, which enabled the Dutch police to decrypt user messages. While it is (to my knowledge) not clear what “data” entails here, precisely, the Mutual Legal Assistance in Criminal Matters Act (Re), 2016 ONSC 5699 (CanLII) states:

The Dutch authorities also discovered that the “keys” for the PGP encryption system were generated by the server, rather than by the device. As a result, the Dutch authorities came to believe that the keys to decrypt the PGP encrypted information, on the Ennetcom PGP BlackBerry devices, are stored on Ennetcom’s BlackBerry Enterprise Servers.

So, conceivably, the actual keys were present and handed over, and that was that. Alternative scenarios cannot be ruled out, though: depending on how the software implements key scheduling etc., decryption might not be immediately straightforward but might instead involve some cryptanalytic method whose feasibility depends on whatever other information is present (e.g. all user identifiers, all ciphertexts per user, all associations between all users, etc.).

Ennetcom’s servers are reported to have been configured such that messages are wiped/overwritten after 48 hours; nonetheless, according to the Public Prosecution Service, some 3.6 million messages were obtained. (Note: “message” as in “instant message”, not as in “email message”; a single conversation can be made up of multiple messages.)

The Public Prosecution Service press release states that prior to seizing Ennetcom’s servers, the police sent a message to all 19,000(ish) users, requesting that if they hold a special profession (such as lawyer, doctor, notary or clergyman), they inform the police about that (presumably for reasons of due diligence); the police did not receive any response. It is reported that the data remains under Canadian control, and cannot be shared further without court approval: “The fear is that unfettered disclosure would expose innocent people to the unjustified attention of police, just because they used an encrypted BlackBerry.”

On March 9th 2017, Ennetcom posted the following press statement:

Press release March 9th, 2017

In response to today’s press release of the public prosecution service, in which the public prosecutor indicated that it had “cracked” the servers that the public prosecution had seized from the client’s organization Ennetcom, I, as the client’s counsel, announce that it first has to be determined that the public prosecution carried out these seizures under false pretenses, based on a suspicion of money laundering, with the excuse that the customers of the phones are criminals.

The file showed that the Ennetcom organization had tens of thousands of customers who bought the phones and the software through resellers, and that the public prosecutor could name only 4 actual example cases in which a PGP phone would have been purchased from a reseller. The company proved to have many customers nationally and internationally, including governmental agencies and businesses, that wish to communicate safely without being hacked, without any criminal reasons. The seizure of the servers was, so it seemed, more an attempt by the public prosecution to gain access on improper grounds to an immense amount of data of tens of thousands in order to “catch fish with a trawl net”.

As if KPN or any other telecom company would simply be invaded and all their possessions plundered to see who sends a wrongful message.

The public prosecution now tries to give the impression that all servers were cracked, but states at the same time that 3.6 million messages were made accessible, apparently to give the impression that this means a lot of communication. The public prosecutor mentions 40,000 users. However, one message is part of a conversation, so consecutive “yes”, “and then”, “what do you mean”, are three messages in one conversation.

Dividing the number of messages by the number of users, 90 messages per user would have been made accessible. Given the fact that the data on the servers was erased after 48 hours by default, in other words, the messages were destroyed, it would indeed mean for those 40,000 users with 3.6 million messages that only the last 48 hours were made accessible.

The public prosecution speaks in the press release, remarkably, about “encryption keys which were obtained by the public prosecutor and police during the investigation.” The client’s organization, however, did not possess these keys. These keys are in the possession of the company responsible for making PGP, namely Symantec. There are many other companies that sell their PGP products in the same way as the client’s company did. The “falling of this communication into the hands of” therefore seems to involve a very shadowy area of irregularities and is possibly the result of present-day wild hacking.

The public prosecutor assumes it can get started on this “loot”, but the Canadian court, in my opinion deceived by the public prosecution service, had, based on the stated suspicion, only authorized the use of the confiscated data for 4 defined and designated investigations. And then there is always the question of which messages can be linked to which cases and subsequently to which physical persons.

That still seems a hack too much for me.

UPDATES (from new to old)

UPDATE 2017-08-31: a blogpost by Bits of Freedom states that according to Inez Weski, defense lawyer in a case spawned from the Ennetcom investigation, ‘the PGP [private] keys’ were located ‘at a different organization’ than the organization where the Canadian RCMP seized the (or an?) Ennetcom server.

EOF

Dutch Review Committee on the Intelligence & Security Services (CTIVD) to (self-)assess effectiveness of lawfulness oversight re: large-scale & data-intensive spying

The Dutch Review Committee on the Intelligence & Security Services (CTIVD) has published a press release (in Dutch) about a project it has started to review and uphold the effectiveness of its oversight on the lawfulness of the exercise of special powers by the Dutch intelligence services AIVD (non-military) and MIVD (military). Here is my translation of that press release:

Project Oversight 3.0

News | 25-04-2017 | 13:09

The technological possibilities for the AIVD and MIVD to acquire and analyze data have increased strongly. The Intelligence & Security Bill 20xx contributes to that. As a result of the expansion of the cable interception powers, the bill provides the AIVD and MIVD more possibilities to collect data. At the same time, the bill provides safeguards regarding the analysis of collected data and the deletion of data that is not relevant [to the exercise of the services’ tasks as defined by law]. The CTIVD oversees this. In the parliamentary debate on the bill, the question was raised whether the CTIVD has sufficient in-house technical knowledge to keep pace with the developments. The professional field that the CTIVD must oversee changes, and the CTIVD adapts accordingly.

Objective of the project

Against this background, the CTIVD decided to set up project Oversight 3.0. The objective of this project is to make an inventory of how the organization and procedures of the CTIVD should be structured, so that effective oversight can also be carried out in the future. The emphasis is on the possibilities of (systemic) oversight on the acquisition, analysis and deletion of large amounts of data. Project 3.0 does not include investigation into lawfulness [note: this might have been mentioned because overseeing lawfulness is the normal/default task of the CTIVD, and this project is separate from & additional to that]. The CTIVD will report on this project in its annual report.

Data processing

To uphold effective oversight, the CTIVD must gain more insight into the data housekeeping at the services and the way in which they deal with large(r) data. Project Oversight 3.0 will provide insight into which instruments, organizational changes and technical means must be used by the AIVD and MIVD in support of implementing the new bill. The project also maps the data housekeeping, analysis and administration. The exchange of data/intelligence with national and international partners will be taken into account in this. Furthermore, the project focuses on the way in which the AIVD and MIVD implement safeguards in their systems and enable internal oversight [by the services themselves] and external oversight by the CTIVD [of those safeguards]. These insights will then provide the basis for structuring the CTIVD’s oversight in a way that fits the new bill and the further digitalization of our world.

Subprojects

Project Oversight 3.0 comprises a number of subprojects. These focus on topics such as the new power of investigation-oriented interception, the deletion of non-relevant data, and for instance automated data analysis [note: the bill introduces, or rather provides a more specific legal basis for, powers that go with the acquisition and processing of large data sets].

Conclusion

Oversight 3.0 is a project that will span multiple years. As a first step, an IT adviser was hired as of 1 September 2016. He is responsible for the execution of the project and will advise the CTIVD on what changes are necessary. The IT adviser is also involved in setting up the IT expert unit within the CTIVD. This expert unit will bring together specific technical knowledge. The unit will have various tasks, such as advising and supporting the legal experts, jointly carrying out investigations into the lawfulness of the exercise of special powers, and advising the CTIVD on technically complex questions/problems. The unit is expected to consist of three persons.

At the start of 2017, the first subprojects of project Oversight 3.0 have commenced. An annual evaluation will be carried out as part of the project, based on which adjustments can be made to the project if necessary.

One might also recall that in 2014, the CTIVD decided to involve a group of academics in the oversight process. (I personally believe that both that decision, and project Oversight 3.0, are indicators of realism and strength on the part of the CTIVD.)

EOF

Dutch gov’t released as open source a research prototype of its Privacy Enhanced Filter (PEF) software for pseudonymizing (large-scale?) traffic captures

The Dutch government — specifically the National Cyber Security Centre in joint work with the Netherlands Forensics Institute — today released its Privacy Enhanced Filter (PEF) research prototype as open source software (under Apache License 2.0). PEF is written in Java and pseudonymizes network traffic captures, thereby limiting the privacy invasion made by traffic analysis (e.g. signature-based or anomaly-based intrusion detection at a nation(-ish)-wide scale). PEF is open to scrutiny by the public, and importantly, ideas and code are welcomed — let me emphasize this last sentence of the press release cited below in full:

This allows other organizations and developers to view and use the source code at no cost. They can also improve PEF or add additional functionality.

The software that is released is a (research prototype) CLI tool that takes a PCAP or PCAPNG file as input, pseudonymizes IP addresses of internet packets containing DNS data (says the README.md), and writes its output as a PCAP file. It is unclear (to me) whether a non-CLI sibling exists (either now, or soon).

This is the full press release from the National Cyber Security Centre:

Privacy Enhanced Filter (PEF) made available as opensource software

News | 25-04-2017

Effective detection and prevention of digital threats and risks are often in conflict with privacy regulations. The Privacy Enhanced Filter (PEF) can remove privacy sensitive information as much as possible from network traffic in such a way that detection and prevention remain possible. This is analogous to the operation of Google Street View, in which persons, license plates, etc. are anonymized, but the road, environment, and obstacles can still be seen. This allows detection measures to work without compromising privacy.

In close collaboration with the Netherlands Forensic Institute and with the NCTV Safety Through Innovation Program, the NCSC has implemented this application. PEF was then made available as open source software [1]. This allows other organizations and developers to view and use the source code at no cost. They can also improve PEF or add additional functionality.

[1] https://github.com/NCSC-NL/PEF/

Contents of the README.md:

# Privacy Enhanced Filtering

A research prototype application demonstrating network traffic pseudonymization
using a model-driven engineering approach.

It uses declarative definitions to parse the following data structures:

- Link Layer:        Ethernet 2 Frame
- Internet Layer:    IPv4, ICMPv4, _IPv6 partially_
- Transport Layer:   UDP, TCP
- Application Layer: DNS formatted application data (DNS, MDNS, LLMNR, NBNS)

These are used to find network packets containing valid DNS requests and responses.

Supplied is a Java implementation of a format preserving encryption algorithm
that is used to pseudonymize IP addresses of internet packets containing DNS data.

## Limitations

Here is a list of known limitations of this PEF implementation:

- IPv6 parsing is not fully supported.
  (extension headers are not fully supported and only UDP/TCP/IPv4(IP in IP) are parsed further)
- TCP reassembly in order to recognize DNS payload over TCP is not supported yet (for example,
  large DNS transfers can be segmented over multiple packets)
- Only the protocols stated at the top are supported
- If for some reason packet data is not fully parsed, the packet is left untouched
- At least 8 bits have to be pseudonymized, or none
  
Limitations of the command line tool:
- Works only on PCAP and PCAPNG files

## Requirements:

- Java Runtime Environment 7
- Maven
- The test suite uses [jNetPcap](http://jnetpcap.com/), which requires a native PCAP library, such 
  as `libpcap-dev` on Ubuntu or `WinPcap` on Windows.

## Usage

A command line tool is built around this implementation. This tool can be used to pseudonymize 
DNS packets in PCAP/PCAPNG files.

Build the application:

```
$ mvn clean package
```

Show the command line tool usage:

```
$ java -jar target/pef-0.0.1-SNAPSHOT-jar-with-dependencies.jar -h
```

An example run could be:

```
$ java -jar target/pef-0.0.1-SNAPSHOT-jar-with-dependencies.jar -i inputfile.pcap -o anonymized.pcap -4 0123456789ABCDEF0123456789ABCDEF /10 -6 0123456789ABCDEF0123456789ABCDEF /55 -c ipv4,icmp,udp -m 4
```

Explanation:

- `java -jar target/pef-0.0.1-SNAPSHOT-jar-with-dependencies.jar` - execute the command line tool, pseudonymizes IP addresses of packets with DNS formatted application data
- `inputfile.pcap` - the input file to process (PCAP or PCAPNG)
- `anonymized.pcap` - the output file to write the results to
- `-4 0123456789ABCDEF0123456789ABCDEF /10` - pseudonymize IPv4 source and destination addresses, using format preserving encryption with the given key, but leave first ten bits untouched
- `-6 0123456789ABCDEF0123456789ABCDEF /55` - same as above, but for IPv6
- `-c ipv4,icmp,udp` - recalculate the IPv4 header, ICMP and UDP checksum (another possibility is `-c all`)
- `-m 4` - run across four threads

The pseudonymization parameter specifies the key to use and how much of the original message to transform. The key should be a 32 character hexadecimal string, 
representing 16 bytes, i.e. a 128-bit key. The part of the message to transform is determined by the mask. This value determines how many of the most significant
bits to keep. For example: IP address 255.255.255.255 with /8 mask will pseudonymize to 255.x.x.x, where x are the encrypted values.

## License

Copyright 2015, 2016, 2017 National Cyber Security Centre and Netherlands Forensic Institute

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
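The README’s pseudonymization parameter (a 128-bit key plus a /mask that keeps the most significant bits) and the `-c ipv4` checksum recalculation, as an added example that is not PEF’s own code: it uses an alternating Feistel network with an HMAC-SHA256 round function as a stand-in for PEF’s format-preserving encryption, enforces the README’s at-least-8-bits limitation, and recomputes the IPv4 header checksum on a constructed header; the key is the one from the README’s usage line.

```python
"""Prefix-keeping, format-preserving IP pseudonymization with a 128-bit key,
plus IPv4 header checksum recalculation once the addresses have changed.

Assumption (not PEF's own code): the cipher is an alternating Feistel network
with an HMAC-SHA256 round function, standing in for whichever FPE construction
PEF ships; the sample IPv4 header is constructed for this example.
"""
import hashlib
import hmac
import ipaddress
import struct

# Key taken from the README's usage example: 32 hex chars = 16 bytes = 128 bits.
KEY = bytes.fromhex("0123456789ABCDEF0123456789ABCDEF")
# README limitation: "At least 8 bits have to be pseudonymized, or none".
MIN_PSEUDONYMIZED_BITS = 8
ROUNDS = 10


def _prf(key: bytes, round_no: int, value: int, out_bits: int) -> int:
    """Keyed round function: HMAC-SHA256 over (round, branch value), truncated."""
    digest = hmac.new(key, struct.pack(">BQ", round_no, value), hashlib.sha256).digest()
    return int.from_bytes(digest[:16], "big") & ((1 << out_bits) - 1)


def _feistel(key: bytes, x: int, width: int, decrypt: bool = False) -> int:
    """Bijection on [0, 2**width): alternating Feistel with a left branch of
    width//2 bits and a right branch of the rest. Decryption replays the same
    XOR steps in reverse order, so no inverse round function is needed."""
    a = width // 2
    b = width - a
    left, right = x >> b, x & ((1 << b) - 1)
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        if i % 2 == 0:
            left ^= _prf(key, i, right, a)
        else:
            right ^= _prf(key, i, left, b)
    return (left << b) | right


def kept_prefix(addr: str, keep_bits: int) -> int:
    """The keep_bits most significant bits of an address, as an integer."""
    ip = ipaddress.ip_address(addr)
    return int(ip) >> (ip.max_prefixlen - keep_bits)


def pseudonymize_ip(key: bytes, addr: str, keep_bits: int, decrypt: bool = False) -> str:
    """Keep the keep_bits most significant bits (the README's /mask) unchanged
    and encrypt the remaining ones. Works for IPv4 (/0../32) and IPv6 (/0../128)."""
    ip = ipaddress.ip_address(addr)
    width = ip.max_prefixlen - keep_bits
    if width < 0:
        raise ValueError("mask is longer than the address")
    if width == 0:
        return str(ip)                      # /32 or /128: nothing to transform
    if width < MIN_PSEUDONYMIZED_BITS:
        raise ValueError(f"pseudonymize at least {MIN_PSEUDONYMIZED_BITS} bits, or none")
    low = int(ip) & ((1 << width) - 1)
    new_low = _feistel(key, low, width, decrypt)
    return str(type(ip)((kept_prefix(addr, keep_bits) << width) | new_low))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum (one's complement sum) with the checksum field zeroed."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack(">%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_checksum_ok(header: bytes) -> bool:
    return struct.unpack(">H", header[10:12])[0] == ipv4_checksum(header)


def ipv4_addresses(header: bytes) -> tuple:
    return (str(ipaddress.IPv4Address(header[12:16])),
            str(ipaddress.IPv4Address(header[16:20])))


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    """Constructed 20-byte header (UDP by default, DF set) with a valid checksum."""
    raw = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return raw[:10] + struct.pack(">H", ipv4_checksum(raw)) + raw[12:]


def pseudonymize_ipv4_header(key: bytes, header: bytes, keep_bits: int) -> bytes:
    """Rewrite src/dst of an option-less IPv4 header and recompute the header
    checksum, which is what PEF's `-c ipv4` has to do after changing addresses."""
    if len(header) != 20 or (header[0] & 0x0F) != 5:
        raise ValueError("this example handles only 20-byte headers without options")
    src, dst = ipv4_addresses(header)
    body = (header[:12] + ipaddress.IPv4Address(pseudonymize_ip(key, src, keep_bits)).packed
            + ipaddress.IPv4Address(pseudonymize_ip(key, dst, keep_bits)).packed)
    return body[:10] + struct.pack(">H", ipv4_checksum(body)) + body[12:]


if __name__ == "__main__":
    # README example: 255.255.255.255 with /8 -> 255.x.x.x, reversible with the key.
    p = pseudonymize_ip(KEY, "255.255.255.255", 8)
    print(p, "->", pseudonymize_ip(KEY, p, 8, decrypt=True))
    hdr = build_ipv4_header("10.1.2.3", "192.0.2.53", 8 + 29)   # UDP + small DNS query
    out = pseudonymize_ipv4_header(KEY, hdr, 10)                # same /10 as in the README
    print(ipv4_addresses(out), ipv4_checksum_ok(out))
```

Because the transform is a keyed bijection rather than a hash, the party holding the key can reverse it for an incident follow-up, while anyone with only the output file sees addresses that are consistent across packets but not linkable to the originals.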

EOF

U.K.: Bulk Powers for MI5, MI6 and GCHQ — Executive Summary of the Independent Bulk Powers Review

News from the U.K.: the outcome of the Independent Bulk Powers Review is now available: here (.pdf, August 2016; mirror). Media reports about the review are available for instance at FT and The Guardian. The review was carried out by David Anderson QC and elaborates on the four bulk powers laid down for MI5, MI6 and GCHQ in the Draft Investigatory Powers Bill (November 2015). That bill is now up for debate in the lower house. In Q1/2016, following the advice of a Joint Committee, the U.K. government provided (further) justification for the new bulk powers proposed in the draft bill; the justification is available here (.pdf, Q1/2016; mirror).

The four bulk powers included in the draft bill are bulk interception, bulk acquisition, bulk equipment interference (“equipment interference” = Computer Network Exploitation / CNE) and bulk personal datasets. TL;DR: the review concludes that there is a proven operational case for bulk interception, bulk acquisition and bulk personal datasets, and a “distinct (though not yet proven)” operational case for bulk equipment interference. No conclusions are made about proportionality or desirability of the powers; that is left as a matter for the U.K. parliament to decide. For my own purposes — related to understanding the draft Dutch bill of which the Dutch government will soon submit the final draft to the Dutch lower house and that also includes new and expanded powers for the Dutch intelligence services AIVD and MIVD related to bulk interception, bulk acquisition and bulk personal datasets (but not bulk equipment interference, at least not in the initial draft of the bill) — I quote the executive summary from the British Independent Bulk Powers Review below.

EXECUTIVE SUMMARY

  • This Report evaluates the operational case for four of the powers in the Investigatory Powers Bill currently before Parliament: bulk interception, bulk acquisition, bulk equipment interference and bulk personal datasets. These powers can be used only by MI5, MI6 and GCHQ.
  • It provides a full introduction to each of the powers (chapter 2) and notes the generally favourable conclusions of those security-cleared persons who have in the past commented on their utility (chapter 3).
  • The security-cleared Review team comprised technical, investigatory and legal experts. We consulted widely. Each member of the Review team authorises me to say that they are in agreement with the conclusions of this Report and with my recommendation (1.28-1.55).
  • The Review applied itself in particular (chapter 4) to:
    • some 60 detailed case studies provided by MI5, MI6 and GCHQ, together with associated intelligence reports,
    • internal documents from each of the Agencies, in which the utility of the powers was discussed, and
    • the questioning of some 85 intelligence officials, including on whether other methods could have achieved the same results.
  • The Report concludes that there is a proven operational case for three of the bulk powers, and that there is a distinct (though not yet proven) operational case for bulk equipment interference (9.12-9.15).
  • As the case studies show, the bulk powers are used across the range of Agency activity, from cyber-defence, counter-espionage and counter- terrorism to child sexual abuse and organised crime (Annexes 8-11).
  • The bulk powers play an important part in identifying, understanding and averting threats in Great Britain, Northern Ireland and further afield. Where alternative methods exist, they are often less effective, more dangerous, more resource-intensive, more intrusive or slower (chapters 5-8).
  • The Review was not asked to reach conclusions as to the proportionality or desirability of the bulk powers. As the terms of reference for the Review made clear, these are matters for Parliament (1.10-1.14).
  • The Report makes a single recommendation: that a Technical Advisory Panel of independent academics and industry experts be appointed by the Investigatory Powers Commission to advise on the impact of changing technology, and on how MI5, MI6 and GCHQ could reduce the privacy footprint of their activities (9.16-9.31).
  • Though it found that the bulk powers have a clear operational purpose, the Report accepts that technological changes will provoke new questions. Adoption of its Recommendation will enable such questions to be asked, and answered, on a properly informed basis (9.32).

Recommended reading:

EOF

[Dutch] A few snippets from the leaked Wiv20xx explanatory memorandum (MvT) as sent to the Council of State (RvS)

Here are a few passages from the Wiv20xx explanatory memorandum (MvT) that the government sent to the Council of State (RvS), as leaked via the Volkskrant (see here for some quick references to individual parts of the all-in-one .pdf that the Volkskrant published). Compared with the consultation version, the MvT has grown by 123 pages; the bill itself by 8 pages.

On hacking via third parties’ computer systems (“geautomatiseerd werk”) (MvT, pp. 106-107):

“[…] In practice, in the vast majority of cases the services already gain access to a target’s computer system via the computer system of a third party. The internet is an ecosystem of providers, intermediaries and service providers that ensure that information is available via the internet. An internet connection runs over a complex infrastructure of routers, network links, servers, and the like. To gain access to the target’s computer system, it must be possible to make use of that infrastructure. It is important to realise that intrusion via a third party’s computer system is an ultimum remedium. The services will always first try to intrude directly into the target’s own computer system. If that is not possible, alternatives can be worked out, including intrusion via the computer system(s) of a third party (or third parties). […]

[…] Furthermore, any malware placed in the third party’s computer system must, where possible, be removed. A best-efforts obligation to that end, which also extends to the target’s computer system, is laid down in Article 44(7) of the bill. A best-efforts obligation was chosen because in certain cases removing the malware would cause disproportionate harm to the third party or to weighty operational interests of the services.

On access to cable networks (NB: ‘OTT services’ stands for ‘Over The Top services’; think of Skype and WhatsApp):

“The first reason why this access is important for the services’ information position is that, as a result of technological developments, the yield of targeted interception is decreasing. Targets move to open and anonymous access points to the internet (such as wifi networks in hotels, restaurants and other public spaces), as a result of which a targeted tap at the traditional providers of telecommunications services in the Netherlands is becoming less and less effective. Targets deliberately adapt their behaviour to stay under the radar, for instance by using chat functions in games and the messaging and video services of social media. This includes OTT services. OTT services deliver a service over the internet and mostly offer communication and (social) media applications. Moreover, they are usually cheaper than the traditional methods. Various OTT services bypass the traditional providers of (mobile) telephony by, for example, making (video) calling and chatting via the internet possible. Worldwide, consumers (and therefore also targets of the services) can reach OTT services by means of every conceivable digital device, such as PCs, laptops, game consoles, smartphones (Android, iOS and Windows Phone phones), music players, smart TVs and tablets.”

It remains unclear whether the services can only demand READ ACCESS or also WRITE ACCESS. That is a crucial point. Having write access can be worth gold for carrying out man-in-the-middle attacks in support of exercising the hacking power. Clarity is needed on this! Joris van Hoboken and I had in fact already called for this in our response to the internet consultation. If anyone knows more about this, let me know.

On the decryption obligations there is a (small) bright spot to report (MvT, p. 158):

For the sake of clarity it is noted that no power of the services to build (or have others build) back doors into systems, so as to gain access to the decrypted data, can be derived from the duty to cooperate. Nor is there any obligation whatsoever for, for instance, providers of communication services to weaken the encryption applied in their systems.

That is consistent with the Cabinet’s position on encryption of January 2016. The absence of a power to build (or have others build) back doors or to weaken crypto does of course not mean that this cannot happen on a voluntary basis; see the case of the PX-1000 pocket telex in the 1980s, in which, at the NSA’s request, a telex with strong crypto was taken off the market and a variant with backdoored crypto was put on the market. But that is an aside.

On the costs of cable-bound interception (MvT, p. 284):

“The execution of cable-bound interception under Article 47 of this bill also entails costs on the side of the services. This concerns strengthening personnel capacity and adapting information systems at the services. In the development of technical systems, transparency and verifiability, among other things with a view to oversight by the CTIVD, are a starting point. The amounts below (in millions of €) are based on technical research and empirical data and include the compensation outlined above associated with the application of investigation-oriented interception and the other powers at providers of a communication service.

[image: 20160429_kosten-kabelinterceptie (table of cable interception costs)]

[…]”

With regard to the distinction between domestic-domestic communication and domestic-foreign and foreign-foreign communication: unlike in Germany, the UK and France, that distinction is still not made in the leaked version of the Wiv20xx and the MvT. I will not repeat the arguments for and against such a distinction here, but I am not convinced by the arguments given in the leaked MvT. I hope (and expect) that, in the case of untargeted search/selection of domestic-domestic internet and telephony traffic, the TIB and CTIVD will test necessity/subsidiarity/proportionality (more) strictly, insofar as it does not merely concern digital attacks (indicators of compromise, anomaly-based and signature-based detection). (No idea, by the way, to what extent the binding ex ante oversight by the TIB that is being introduced satisfies the related recommendations in the IViR report Ten standards for oversight and transparency of national intelligence services, which was also submitted as a response to the consultation.)

Finally, a somewhat less important remark regarding the following paragraph in the section “The threat we do not know” (MvT, p. 17):

“Seen from above, the cable landscape resembles our water supply. Extending this comparison to the threat that reaches us via the cable leads to the conclusion that we currently have no water purification system. We can place a filter on the water connection of a single house, namely the company that reports that its IT has been attacked. But a system in which the quality of the water can be examined, where necessary, as it enters our country does not exist.”

The analogy with water purification is not entirely apt, because with water purification it is clear to everyone what “purification” means, and it is almost by definition about the health interests of individual citizens. With the examination of internet traffic in the context of the intelligence and security services’ tasks, things are different (modulo attacks on ICS systems for water purification, of course). Further on, the MvT does after all mention a few examples of “(virtually) unknown threats” (MvT, p. 124):

  • “This may include, among other things, terrorist cells that have not yet been identified. It is important to know whether there are branches into the Netherlands from cells in France, Belgium or Syria/Iraq.
  • It may also concern cyber threats, such as digital espionage and the covert manipulation of ICT systems as part of hybrid warfare (by, for example, Russia or Iran).
  • It may concern the preparation and support of Dutch military operations in an unknown environment (such as Uruzgan a few years ago and currently Mali and surroundings, areas taken by IS, and in the context of anti-piracy).
    Research is also conducted into the capabilities and intentions of specific countries and regions in the field of weapons of mass destruction. A threat may consist of the export of dual-use goods to a risk country.”

EOF