UPDATE 2013-11-27: here (.pdf, Nov 27) is the EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection — i.e., the EU-US expert group established in response to the revelations about NSA-related activities on European territory that is referred to in the post below.

UPDATE 2013-11-07: Automatisering Gids reports (in Dutch) that AMS-IX evades the PATRIOT Act in its expansion to the U.S.:

“AMS-IX has found a legal structure to operate in the U.S. without having to deal with the PATRIOT Act in the Netherlands.

AMS-IX is setting up a fully independent company in Delaware which will manage the exchange nodes in the United States. This also means that employees and directors cannot be exchanged between the two organizations. The U.S. company is a subsidiary of AMS-IX BV, that acts as the sole shareholder. The U.S.-based entity will be granted access to the necessary intellectual property through licensing.

This structure is devised with the international law firm Jones Day and aims to protect the Dutch AMS-IX BV and the AMS-IX Association against U.S. laws such as the USA PATRIOT Act.

Earlier the plans of AMS-IX for expansion into the United States were opposed because of the possible interference of the U.S. justice and security services in the Dutch establishment of AMS-IX.

AMS-IX takes into account a possible extension of the PATRIOT Act that would allow the construction to still become subject to U.S. jurisdiction. In that case, an independent Dutch foundation can be set up within a week to further separate the activities. AMS-IX chooses the current structure because the benefits from economy of scale.”

This is the provisional end of the story.

UPDATE 2013-11-06: AMS-IX USA Inc. to Deploy an Open-IX Internet Exchange in New York  

On October 15th, the Dutch cabinet responded (.pdf, in Dutch) to Parliamentary questions concerning planned AMS-IX expansion to U.S. in the light of U.S. spying. The response is only available in Dutch; here is my English translation. Hyperlinks are mine.

WARNING: this is an unofficial translation.

Answers to Parliamentary questions by Members of Parliament Van Raak (SP party) and Oosenbrug (PvdA party)Questions by Van Raak (SP party) to the Secretary of the Interior and Kingdom Relations concerning the danger of the Amsterdam internet exchange AMS-IX being required to hand over data to the U.S. National Security Agency (NSA) (submitted September 24th 2013).
Original Dutch: “Vragen van het lid Van Raak (SP) aan de minister van Binnenlandse Zaken en Koninkrijksrelaties over het gevaar dat het Amsterdamse internetknooppunt AMS-IX gegevens moet afstaan aan de Amerikaanse National Security Agency (NSA) (ingezonden 24 september 2013)”

Do you remember your remark that the Amsterdam Information [sic] Exchange (AMS-IX) is `the most important internet-exchange of the Netherlands and the second-biggest exchange in the world’?Yes
Original Dutch: “1 Herinnert u zich nog uw opmerking dat de Amsterdam Information Exchange (AMS-IX) ‘het belangrijkste internet-knooppunt van Nederland en het op één na grootste ter wereld’ is? [0]
Ja.”

Is it true that AMS-IX is considering expanding its activities to the U.S.?
That is known from media reports. Meanwhile it has become clear that on September 27th, the majority of members of the AMS-IX association voted in favor of the establishment of a legal entity in the U.S., during an extraordinary general meeting. The Board of Directors of the AMS-IX association will further examine the formation of a legal entity in the U.S.
Original Dutch: “2 Klopt het dat deze AMS-IX overweegt haar activiteiten uit te breiden naar de Verenigde Staten?
Dit is bekend uit de mediaberichten. Inmiddels is ook bekend dat op 27 september jongstleden in een buitengewone algemene ledenvergadering van de vereniging AMS-IX een meerderheid van de leden voor de opzet van een juridische entiteit in de VS heeft gestemd. De Raad van Bestuur van de vereniging AMS-IX zal de formatie van een juridische entiteit in de VS verder onderzoeken.”

Do you share our concern that the AMS-IX, by expanding to the U.S., risks becoming subject to U.S. legislation and can be forced to hand over information to the NSA?
If a company conducts activities on U.S. territory, these activities are subject to U.S. legislation, such as the Patriot Act and the Foreign Intelligence and Surveillance Act. Under this U.S. legislation, the provider can be forced, if mandated so by a U.S. court, to comply with requests of the U.S. authorities. The scope of the U.S. legislation and the possible violations of privacy are discussed in the joint EU-US expert group that was established following the revelations by Mr. Snowden. This group discusses the protection of privacy and electronic data of citizens, with the aim of understanding each other’s programs and how they are anchored in the rule of law.
The operating company of AMS-IX, AMS-IX B.V., has reported on its website that it explores the legal possibilities and the risks of expansion to the U.S. AMS-IX B.V. has sought legal advice from various parties on the applicability of U.S. law.
Original Dutch: “3 Deelt u de vrees dat de AMS-IX door deze uitbreiding de kans loopt onder de Amerikaanse wetgeving te vallen en gedwongen kan worden informatie af te staan aan de NSA?
Indien een bedrijf activiteiten op het grondgebied van de VS uitvoert, dan vallen deze activiteiten onder de Amerikaanse wetgeving, waaronder de Patriot Act en de Foreign Intelligence and Surveillance Act. Op basis van deze Amerikaanse wetgeving kan de aanbieder, na tussenkomst van een Amerikaanse rechter, verplicht worden mee te werken aan verzoeken van de Amerikaanse autoriteiten. De reikwijdte van de Amerikaanse wetgeving en de mogelijke schendingen van de persoonlijke levenssfeer zijn onderwerp van gesprek van de gezamenlijke EU-VS-expertgroep, die naar aanleiding van de onthullingen van de heer Snowden is ingesteld. Deze groep bespreekt de bescherming van de persoonlijke levenssfeer en elektronische gegevens van burgers, met als doel inzicht in elkaars programma’s en de wijze waarop deze zijn verankerd in de rechtsstaat.
De werkmaatschappij van AMS-IX, AMS-IX BV, heeft op haar website gemeld de juridische mogelijkheden en de risico’s van de uitbreiding naar de VS te verkennen. AMS-IX B.V. heeft bij diverse partijen juridisch advies ingewonnen over de toepasselijkheid van de Amerikaanse wetgeving.”

Are you willing to request advice on this from the Dutch National Cyber Security Center (NCSC)?
No. The NCSC is the knowledge and expertise center on cyber security, implemented the so-called computer emergency response task, and is responsible for crisis coordination in the event of a cyber crisis. Advising on the expansion of a Dutch legal entity to the U.S. is not a task of the NCSC.
Original Dutch: “4 Bent u bereid het Nationaal Cyber Security Centrum advies te vragen over deze kwestie?
Nee. Het Nationaal Cyber Security Centrum is het kennis- en expertisecentrum op het gebied van cyber security, geeft invulling aan de zogeheten computer emergency response-taak en is verantwoordelijk voor de crisiscoördinatie in het geval van een cybercrisis. Adviseren over de uitbreiding van een Nederlandse rechtspersoon in de VS behoort niet tot de taken van het Nationaal Cyber Security Centrum.”

Can you ensure that the AMS-IX will not conduct activities in the U.S. before the Parliament has full certainty that the data of Dutch citizens are safe at all times?
No. Dutch companies are free to expand abroad. Dutch companies that conduct activities in the U.S., must be aware that in the case of seizing or provisioning of data, the requirements of the Dutch Data Protection Act (DPA) must be met regarding the provision of data to third countries that lack adequate data protection. Under the DPA, the responsibility for assessing the circumstances in which data can be passes to such countries firstly lies on the company that is responsible for the data processing (Article 76 DPA).
Original Dutch: “5 Kunt u verzekeren dat de AMS-IX geen activiteiten in de Verenigde Staten gaat ontplooien voordat de Kamer volledige zekerheid heeft dat gegevens van Nederlandse burgers te allen tijde veilig zijn?
Nee. Het staat Nederlandse bedrijven vrij om zich in het buitenland te vestigen. Nederlandse bedrijven die ook in de Verenigde Staten actief zijn, dienen er op bedacht te zijn dat in het geval van vordering van gegevens of doorgifte van gegevens, de verstrekking daarvan dient te voldoen aan de eisen die de Nederlandse Wet bescherming persoonsgegevens (Wbp) stelt aan de verstrekking van gegevens aan derde landen waar naar Europees recht geen passend niveau van gegevensbescherming bestaat. De Wbp legt de verantwoordelijkheid voor het beoordelen van de omstandigheden waaronder gegevens naar een derde land kunnen worden doorgegeven in de eerste plaats bij het bedrijf dat voor de verwerking verantwoordelijk is (art. 76 Wbp).”

[0] Aanhangsel Handelingen, vergaderjaar 2012-2013, nr. 2649

Questions by Van Raak (SP party) to the secretaries of Economic Affairs, and Security and Justice concerning the possible expansion of the AMS-IX to the U.S. (submitted September 30th 2013)
Original Dutch: “Vragen van het lid Oosenbrug (PvdA) aan de ministers van Economische Zaken en van Veiligheid en Justitie over een mogelijke uitbreiding van de AMS-IX naar de Verenigde Staten (ingezonden 30 september 2013)”

Are you aware of the intention of the AMS-IX to set up shop in the U.S.?
Yes.
Original Dutch: “1 Heeft u kennisgenomen van het voornemen van de Amsterdam Internet Exchange (AMS-IX) om een filiaal in de Verenigde Staten te openen? [2]
Ja.”

Can you give us insight in the risks of expansion the the U.S. for the protection of data exchanged over the AMS-IX? How can the U.S. government use its Patriot Act and FISA in this?
[Same answer given to first question by Van Raak. See above.]
Original Dutch: “2 Kunt u inzicht geven in de risico’s van uitbreiding naar de Verenigde Staten voor de bescherming van gegevens die over de AMS-IX uitgewisseld worden? Op welke wijze kan de Amerikaanse overheid haar Patriot en FISA wetgeving hierbij gebruiken?
Indien een bedrijf activiteiten op het grondgebied van de VS uitvoert, dan vallen deze activiteiten onder de Amerikaanse wetgeving, waaronder de Patriot Act en de Foreign Intelligence and Surveillance Act. Op basis van deze Amerikaanse wetgeving kan de aanbieder, na tussenkomst van een Amerikaanse rechter, verplicht worden mee te werken aan verzoeken van de Amerikaanse autoriteiten. De reikwijdte van de Amerikaanse wetgeving en de mogelijke schendingen van de persoonlijke levenssfeer zijn onderwerp van gesprek van de gezamenlijke EU-VS-expertgroep, die naar aanleiding van de onthullingen van de heer Snowden is ingesteld. Deze groep bespreekt de bescherming van de persoonlijke levenssfeer en elektronische gegevens van burgers, met als doel inzicht in elkaars programma’s en de wijze waarop deze zijn verankerd in de rechtsstaat.
De werkmaatschappij van AMS-IX, AMS-IX BV, heeft op haar website gemeld de juridische mogelijkheden en de risico’s van de uitbreiding naar de VS te verkennen. AMS-IX B.V. heeft bij diverse partijen juridisch advies ingewonnen over de toepasselijkheid van de Amerikaanse wetgeving.”

Do you see a difference between the protection of personal data in the U.S. concerning U.S. citizens and others? If so, do you see it as a reason to restrict the full provisioning of data to U.S. authorities?
Yes. The U.S. Constition, particularly the Fourth Amendment, only applies to U.S. citizens. The Fourth Amendment requires judicial review in order to permit search and seizure.

Under Article 76 of the Dutch DPA,personal data may only be transferred to countries outside the EU that provide a so-called adequate level of protection. In other cases, transmission is only possible under a legal exception or a license from the Dutch Ministry of Security and Justice. Dutch companies operating in the U.S. must be aware that in the case of seizing or provisioning of data, the requirements of the Dutch Data Protection Act (DPA) must be met regarding the provision of data to third countries that lack adequate data protection. Under the DPA, the responsibility for assessing the circumstances in which data can be passes to such countries firstly lies on the company that is responsible for the data processing (Article 76 DPA).
Original Dutch: “3 Ziet u ook een verschil in bescherming van persoonsgegevens in Amerika, tussen de gegevens van Amerikaanse ingezetenen en anderen? Zo ja, ziet u daarin reden om het volledig ter beschikking stellen van gegevens aan de Amerikaanse overheden te beperken?
Ja. De Amerikaanse grondwet, in het bijzonder het Vierde Amendement, is alleen van toepassing op Amerikaanse burgers. Het Vierde Amendement vereist een rechterlijke toets bij bevelen tot doorzoeking en inbeslagneming.
Op grond van artikel 76 van de Nederlandse Wet bescherming persoonsgegevens mogen persoonsgegevens alleen worden doorgegeven aan landen buiten de EU die een zogeheten passend beschermingsniveau bieden. In de overige gevallen is doorgifte alleen mogelijk op grond van een wettelijke uitzondering of een vergunning van de Minister van Veiligheid en Justitie. Nederlandse bedrijven die ook in de Verenigde Staten actief zijn, dienen er op bedacht te zijn dat in het geval van vordering van gegevens of doorgifte van gegevens, de verstrekking daarvan dient te voldoen aan de eisen die de Nederlandse Wet bescherming persoonsgegevens (Wbp) stelt aan de verstrekking van gegevens aan derde landen waar naar Europees recht geen passend niveau van gegevensbescherming bestaat. De Wbp legt de verantwoordelijkheid voor het beoordelen van de omstandigheden waaronder gegevens naar een derde land kunnen worden doorgegeven in de eerste plaats bij het bedrijf dat voor de verwerking verantwoordelijk is (art. 76 Wbp).”

To what extent do you see an increase in the risk of people being prosecuted by U.S. companies, such as information law professor Van Eijk expected?
At present, there only is consensus on the establishment of a legal in the U.S. It is not yet clear what legal form that entity will get. The Board of Directors of the AMS-IX association is doing further research into the possible structure.
Original Dutch: “4 In hoeverre ziet u een vergroting van het risico dat mensen vervolgd worden door Amerikaanse bedrijven, zoals hoogleraar informatierecht Van Eijk verwacht?
Op dit moment is er alleen sprake van instemming met de opzet van een juridische entiteit in de VS waarbij het nog niet duidelijk welke juridische vorm die entiteit zal krijgen. De Raad van Bestuur van de AMS-IX Vereniging doet nader onderzoek naar de mogelijke structuur.”

Is it true that on September 27th, members of the AMS-IX association decided on the desirability of expanding into the U.S.? If so, what is the next stage that the AMS-IX will follow in the development of the expansion to America?
Yes. AMS-IX has consulted its members on September 27th (also see the website www.ams-ix.net). A majority approved of the expansion to the U.S. AMS-IX states the following: “With the approval of our members, the Board of Directors of the AMS-IX association will further examine the formation of a legal entity in the U.S. The best possible structures for the establishment of a legal entity will be further examined and shared with our members. The structure should protect the current operational activities of the AMS-IX, and the customers and members, against commercial, legal, financial and technical risks, and most specifically interception activities by U.S. authorities.” The options for this legal entity are now being developed and the members will be informed about this by the AMS-IX.
Original Dutch: “5 Is het correct dat de leden van de AMS-IX op 27 september beslissen over de wenselijkheid van uitbreiding naar de Verenigde Staten? Zo ja, wat is het vervolgtraject dat de AMS-IX zal volgen in de ontplooiing van de uitbreiding naar Amerika?
Ja. AMS-IX heeft haar leden op 27 september geraadpleegd. (zie ook de website www.ams-ix.net) Daarbij heeft een meerderheid ingestemd met de uitbreiding naar de VS. AMS-IX meldt daarbij het volgende: “Met de goedkeuring van onze leden, zal de Raad van Bestuur van de AMS-IX vereniging de formatie van een juridische entiteit in de VS verder onderzoeken. De best mogelijke structuren voor het opzetten van deze juridische entiteit zullen worden bekeken en met onze leden worden gedeeld. De structuur dient de huidige operationele activiteiten van de AMS-IX BV en de klanten en leden van de AMS-IX vereniging te beschermen tegen commerciële, juridische, financiële en technische risico’s en meest specifiek tegen interceptie- activiteiten door de overheidsinstanties in de VS.” De opties voor deze juridische entiteit worden nu uitgewerkt en de leden worden hierover door AMS-IX nader geïnformeerd.”

Do you agree that the AMS-IX is vital infrastructure that is of national importance? How is the public interest in the AMS-IX guaranteed, and do you see reasons to reinforce this assurance?
AMS-IX is an important link in the Dutch ICT infrastructure. As the largest internet exchange in the world [sic] and more than 600 connected networks, AMS-IX contributes to a more attractive business climate for ICT companies in the Netherlands. AMS-IX is of economic importance to the Netherlands as Digital Gateway to Europe. This is recognized in the Digital Agenda [2] of the Dutch administration. AMS-IX is currently not considered to be vital infrastructure. Sufficient built-in guarantees exist concerning continuity. Currently we are working on an interdepartmental review of the vital sectors, including a review the position of AMS-IX.
Original Dutch: “6 Deelt u de mening dat de AMS-IX vitale infrastructuur vormt, die van nationaal belang is? Hoe is het publieke belang dat de AMS-IX dient op dit moment geborgd en ziet u reden om deze borging te versterken?
AMS-IX vormt een belangrijke schakel in de Nederlandse ICT-infrastructuur. Als grootste internetknooppunt (internet exchange) ter wereld met meer dan 600 aangesloten netwerken draagt AMS-IX bij aan een aantrekkelijker vestigingsklimaat van ICT-bedrijven in Nederland. AMS-IX van economisch belang voor Nederland als Digital Gateway to Europe. Dit wordt onderkend in de Digitale Agenda [1] van het kabinet. AMS-IX is op dit moment niet aangemerkt als vitale infrastructuur. Er zijn overigens voldoende waarborgen ingebouwd ten behoeve van de continuïteit. Momenteel wordt gewerkt aan een interdepartementale herijking van de vitale sectoren, waarbij ook de positie van AMS-IX wordt bezien.”

Does the AMS-IX currently conduct activities abroad, or does it have plans to do so? How are these activities legally and technically organized?
Yes. AMS-IX is a private company of which the AMS-IX association is sole shareholder. The voting rights rest with the members. These are various providers of Internet traffic [sic]. AMS-IX is involved in three internet exchanges abroad. These activities are managed directly by AMS-IX B.V., that has contracts with local partners.

1) AMS-IX Caribbean (Curacao). This internet exchange is organizationally and legally placed directly under AMS-IX B.V., which is registered in the local chamber of commerce. Parties that exchange Internet traffic at this point have a contract with AMS-IX B.V. and are not members of the AMS-IX association.

2) AMS-IX Hong Kong. This internet Exchange is a collaboration between AMS-IX B.V. and Hutchison Global Communications (HGC). AMS-IX B.V. designs, builds and manages the technical platform. HGC carries out customer relations. Customers enter into a contract with HGC and are not members of AMS-IX association. AMS-IX B.V. receives a fee per connection.

3) AMS-IX East Africa (Mombasa, Kenya) . This internet exchange is under construction. It is a collaboration between AMS-IX B.V., the Kenya Internet Exchange Point (KIXP) and the company Seacom. AMS-IX redesigns and rebuilds an existing exchange and will manage it. KIXP provides technical personnel. Seacom provides the data center and acts as a seller. Parties that connect directly to the exchange are customer of AMS-IX B.V..
Original Dutch: “7 Ontplooit de AMS-IX op dit moment al andere buitenlandse activiteiten, of zijn hier plannen voor? Op welke wijze zijn deze activiteiten juridisch en technisch georganiseerd?
Ja. AMS-IX is een besloten vennootschap waarvan de vereniging AMS-IX enig aandeelhouder is. Het stemrecht binnen de vereniging berust bij de leden. Dit zijn diverse aanbieders van internetverkeer. AMS-IX is betrokken bij drie buitenlandse internet exchanges. Deze activiteiten vallen rechtsreeks onder AMS-IX BV die contracten heeft met lokale partners.
1) AMS-IX Caribbean (Curaçao). Deze internet exchange valt organisatorisch en juridisch rechtstreeks onder AMS-IX BV, die plaatselijk ingeschreven staat in de kamer van koophandel. Partijen die op dit punt internetverkeer uitwisselen hebben een contract met AMS-IX BV en zijn geen lid van de vereniging AMS-IX.
2) AMS-IX Hong Kong. Deze internet exchange is een samenwerking tussen AMS-IX BV en Hutchison Global Communication (HGC). AMS-IX BV ontwerpt, bouwt en beheert het technisch platform. HGC behandelt het klantcontact. Klanten gaan een contract aan met HGC en zijn geen lid van de vereniging AMS-IX. AMS-IX BV ontvangt een vergoeding per aansluiting.
3) AMS-IX East Africa (Mombasa, Kenia). Deze internet exchange is in opbouw. Het is een samenwerking tussen AMS-IX BV, het Kenya Internet Exchange Point (KIXP) en het bedrijf Seacom. AMS-IX herontwerpt en herbouwt een reeds bestaande exchange en zal deze beheren. KIXP levert technisch personeel. Seacom levert het datacentrum en treedt op als verkoper. Partijen die direct aansluiten op de exchange worden klant van AMS-IX BV.”

Are you willing to advise the AMS-IX Board of Directors on how to Dutch interests can be best served through a robust legal and technical construction between the Dutch and foreign branches?
Dutch companies are free to expand abroad. It is not reasonable that the government advises in this. AMS-IX stated that it examines the further legal development abroad with the aim of establishes a robust legal and technical construction. Moreover, the Ministry of Economic Affairs immediately contacted the AMS-IX after publication of the intention to expand to the U.S. and concerns about that.
Original Dutch: “8 Bent u bereid om het bestuur van de AMS-IX te adviseren over de manier waarop de Nederlandse belangen optimaal gediend kunnen worden door een robuuste juridische en technische constructie tussen de Nederlandse en buitenlandse vestigingen? Zo ja, op welke wijze wilt u dit doen?
Het staat Nederlandse bedrijven vrij om in het buitenland te ondernemen. Het ligt niet in de rede dat de overheid daarin adviseert. AMS-IX heeft overigens aangegeven de verdere juridische uitwerking in het buitenland verder te verkennen om te komen tot een robuuste juridische en technische constructie. Overigens heeft het ministerie van Economische Zaken direct na bekendmaking van het voornemen en de zorgen daarover contact gelegd met AMS-IX.”

[2] http://nos.nl/artikel/553680-nederland-opent-deur-voor-nsa.html

[3] Zie voor de meest recente actualisatie d.d. 4 februari 2013 Kamerstukken 29515, nr 346

Related:

• 2013-11-27: EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection (.pdf, Nov 27)
• 2013-10-11: Dutch govt response to Parliamentary questions about NSA wiretapping international phone traffic
• 2013-09-26: SURFnet: ‘AMS-IX should not set up shop in U.S.; we ought to deliberate on U.S. spying capabilities’

EOF

UPDATE 2013-11-27: here (.pdf, Nov 27) is the EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection — i.e., the EU-US expert group established in response to the revelations about NSA-related activities on European territory that is referred to in the post below.

UPDATE 2013-11-01: also see Dutch govt position concerning U.S. spying for economic purposes + answers to Parliamentary questions re: Snowden/Le Monde 

On October 11th, the Dutch cabinet responded (.pdf, in Dutch) to Parliamentary questions about the NSA intercepting international phone traffic via telecom providers. The response is only available in Dutch; here is my English translation. Hyperlinks are mine.

WARNING: this is an unofficial translation.

Answers by the Dutch Ministry of the Interior and Kingdom Relations, the Ministry of Economic Affairs, and the Ministry of Security and Justice to questions by Dutch ParliamentQuestions by Members of Parliament Schouw and Verhoeven (D66 party) to the secretaries of the Ministry of the Interior and Kingdom Relations, the Ministry of Economic Affairs, and the Ministry of Security and Justice about the U.S. National Security Agency (NSA) wiretapping telephone communications via telecom providers (submitted September 18th 2013).
Original Dutch: “Vragen van de leden Schouw en Verhoeven (beiden D66) aan de ministers van Binnenlandse Zaken en Koninkrijksrelaties, van Economische Zaken en van Veiligheid en Justitie over het bericht dat de Amerikaanse National Security Agency (NSA) via telecomaanbieders het internationaal telefoonverkeer afluistert (ingezonden 18 september 2013)”

Are you aware of the news that the U.S. intelligence service NSA has been eavesdropping since 2011 on telephone traffic that is routed via the Belgian telecom provider Belgacom? [0]
Yes.
Original Dutch: “1 Heeft u kennisgenomen van het bericht dat de Amerikaanse inlichtingendienst NSA zich sinds 2011 toegang verschaft tot telefoonverkeer dat via de Belgische telecomprovider Belgacom verloopt? [0]”
Ja.
What is your response to the fact that the U.S. intelligence service NSA has gained access to one of the largest telecom companies in a direct neighbor country of the Netherlands?
The article in De Standaard (English translation) states, among others, that no certainty exists about who is responsible for the compromise of the infrastructure of the Belgian company Belgacom. Covert activities of state actors can not be ruled out, in principal.
Original Dutch: “2 Wat is uw reactie op het gegeven dat de Amerikaanse inlichtingendienst NSA zich toegang heeft verschaft tot een van de grootste telecombedrijven in een direct buurland?
Het bericht in De Standaard meldt onder meer dat niet zeker is wie verantwoordelijk is voor de inbreuk op de infrastructuur van het Belgische bedrijf Belgacom. Heimelijke activiteiten van statelijke actoren zijn in beginsel niet uit te sluiten.”

Did similar security breaches on communication infrastructure of Dutch telecom providers occur in the last two years? If so, what was the nature of the breach, how often did it occur and did it involve placement of malware by a foreign intelligence service?There are no indications for a similar breach of the infrastructure of Dutch providers of telecommunication services. The General Intelligence and Security Service (AIVD) is running an investigation as a result of the news. There are no indication yet that the Netherlands is a direct target of the attack. The breach of KPN in early 2012 was, by the way, no activity of an state actor. KPN has taken additional security measures as a result of that breach.
The AIVD has repeatedly highlighted the vulnerabilities of the Dutch IT infrastructure and the threat of digital espionage. The Dutch society and economy is highly dependent on IT, and the IT infrastructure is highly vulnerable. In addition, digital attacks are increasingly complex and advanced. The impact of digital attacks on the national security and the economic well-being of society can be particularly strong.
Original Dutch: “3 Zijn er afgelopen twee jaar vergelijkbare veiligheidsinbreuken geweest op de communicatieinfrastructuur van Nederlandse telecomaanbieders? Zo ja, wat was de aard van de inbreuk, hoe vaak heeft het zich voorgedaan en was er sprake van malware geplaatst door een buitenlandse inlichtingendienst?
Er zijn geen aanwijzingen voor een vergelijkbare inbreuk op de infrastructuur van Nederlandse aanbieders van telecommunicatiediensten. De AIVD doet onderzoek naar aanleiding van de berichten. Er zijn vooralsnog geen aanwijzingen dat Nederland een direct doelwit is van de aanval.
De inbreuk bij KPN in het voorjaar van 2012 was overigens geen activiteit van een statelijke actor. KPN heeft naar aanleiding van die inbreuk aanvullende veiligheidsmaatregelen genomen.
De AIVD heeft herhaaldelijk gewezen op de kwetsbaarheden van de Nederlandse ICT- infrastructuur en de dreiging van digitale spionage. De afhankelijkheid van de Nederlandse samenleving en de economie van ICT is aanzienlijk, en de kwetsbaarheid van de ICT is hoog. Digitale aanvallen worden daarnaast steeds complexer en geavanceerder. De impact van digitale aanvallen op de nationale veiligheid en het economisch welzijn van de samenleving kan bijzonder groot zijn.”

Do you know whether Dutch telecom providers commissioned an examination for very advanced malware on their communications infrastructure in the last three years? If so, what is the outcome? If not, do you intend to insist that these companies commission such an investigation, considering the U.S. practice and possible hacks by other nations?
Private parties, including the providers of public electronic communication services, are responsible for the security of their own infrastructure. The Telecommunications Act obliges the providers to ensure the integrity and security of their networks and services, and the confidentiality and availability of services. This involves technical and organizational measures. The major provides structurally use their own capacity. If they deem it necessary, they involve expertise of third parties. Recent media reports underline the importance of these measures. If necessary, the government can require the provider to take certain technical or organizational measures or to commission a security examination by an independent party (fifth and sixth paragraph of section 11a of the Telecommunications Act). Following the news reports, KPN commenced additional investigations.
The AIVD and National Cyber Security Center (NCSC) support vital sectors in securing IT infrastructure. The AIVD has, among others, developed a method for the analysis of vulnerability to espionage. Digital espionage is one of the areas of interest. This method has been brought to the attention of vital sectors to support them in eliciting vulnerabilities.
Original Dutch: “4 Is u bekend of Nederlandse telecomaanbieders afgelopen drie jaar een veiligheidsonderzoek hebben laten uitvoeren naar zeer geavanceerde malware op hun communicatie-infrastructuur? Zo ja, wat is daarvan de uitkomst? Zo nee, bent u in het licht van de Amerikaanse praktijken en mogelijke hacks door andere landen, voornemens om bij telecomaanbieders aan te dringen op een dergelijk onderzoek?
Private partijen, waaronder aanbieders van openbare elektronische communicatiediensten, zijn zelf verantwoordelijk voor de veiligheid van hun infrastructuur. De Telecommunicatiewet (Tw) bevat voor deze aanbieders verplichtingen voor de borging van de integriteit en de veiligheid van hun netwerken en diensten, waaronder het waarborgen van de vertrouwelijkheid van de telecommunicatie en de beschikbaarheid van de dienstverlening. Het gaat daarbij om technische en organisatorische maatregelen. De grote aanbieders zetten hiervoor structureel eigen capaciteit in. Indien zij dat nodig achten, zetten zij hiervoor expertise van derden in. De recente berichten in de media onderstrepen het belang van deze maatregelen. Indien daar aanleiding voor is, kan de aanbieder worden verplicht bepaalde technische of organisatorische maatregelen te nemen of een veiligheidscontrole door een onafhankelijke deskundige te laten uitvoeren (art. 11a vijfde resp. zesde lid van de Telecommunicatiewet).
Naar aanleiding van de berichtgeving is KPN gestart met het uitvoeren van aanvullende onderzoeken.
De AIVD en het NCSC ondersteunen de vitale sectoren bij het beveiligen van hun ICT- infrastructuur. De AIVD heeft onder meer een methodiek ontwikkeld voor de analyse van kwetsbaarheden voor spionage. Digitale spionage is daarbij één van de aandachtspunten. Deze methodiek is bij de vitale sectoren onder de aandacht gebracht om hen te ondersteunen de eigen kwetsbaarheden inzichtelijk te maken.”

Have you, or have the Dutch telecom providers, in recent years received requests from the U.S. intelligence service NSA or other foreign intelligence services to provide access to international phone traffic? If so, how did you respond?
The government does not know whether foreign powers approached Dutch telecom providers. No public statements are made about contacts between the Dutch intelligence and security services and foreign services.
Original Dutch: “5 Heeft u of Nederlandse telecomaanbieders afgelopen jaren verzoeken ontvangen van de Amerikaanse inlichtingendienst NSA dan wel andere buitenlandse inlichtingendiensten, om toegang te verschaffen tot internationaal telefoonverkeer? Zo ja, wat was daarop de reactie?
Het is de regering niet bekend of buitenlandse mogendheden Nederlandse aanbieders van telecommunicatie hebben benaderd. Over contacten tussen de Nederlandse inlichtingen- en veiligheidsdiensten en buitenlandse diensten worden in het openbaar geen mededelingen gedaan.”

Did you bring up the topic of hacks on European, and Dutch communication systems in particular, with the U.S. government? If so, what was the outcome of those conversations? If not, do you intend to bring up the privacy violation of Dutch citizens with the U.S. government?
Are you willing to actively put the infringements by the U.S. and possibly other countries on the agenda of the next Council of Justice and Home Affairs (JHA Council) and to plead for a joint European stand against these violations of the privacy of European citizens?
The European Commissioners of Justice and Home Affairs have consulted the U.S. Attorney General on June 14th following the media reports. An EU-US expert group is currently addressing the protection of privacy and of electronic data of citizens, with the aim of mutual understanding of each other’s programs and how those are anchored in the rule of law. The Dutch government supports this initiative. It is expected that the expert group will complete its final report this fall. PRISM was discussed in the margins of the JHA Council of October 7th.
Original Dutch: “6 Heeft u de hacks op Europese, en Nederlandse communicatiesystemen in het bijzonder, aan de orde gesteld bij de Amerikaanse regering? Zo ja, was de uitkomst van die gesprekken? Zo nee, bent u voornemens de privacyschending van Nederlandse burgers aan de orde te stellen bij de Amerikaanse regering?
7 Bent u bereid de inbreuken door de VS en mogelijk ook andere landen, actief te agenderen in de eerstvolgende Raad van Justitie en Binnenlandse Zaken (JBZ-Raad) en te pleiten voor gezamenlijk Europees optreden tegen deze schendingen van privacy van Europese burgers?
6 & 7: De Eurocommissarissen van Justitie en van Binnenlandse Zaken hebben naar aanleiding van mediaberichten op 14 juni jl. overleg gevoerd met de Amerikaanse minister van Justitie. Inmiddels buigt een EU-VS expertgroep zich over de bescherming van de persoonlijke levenssfeer en van elektronische gegevens van burgers, met als doel wederzijds inzicht in elkaars programma’s en de wijze waarop deze zijn verankerd in de rechtsstaat. De Nederlandse regering steunt dit initiatief. Naar verwachting voltooit de expertgroep dit najaar zijn eindrapport. Het onderwerp PRISM is besproken en marge van de JBZ-raad van 7 oktober jl.”

[0] http://www.standaard.be/cnt/dmf20130915_00743233 (English translation)

Related:

• 2013-11-27: EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection (.pdf, Nov 27)
• 2013-10-28 (updated 2013-11-01): Dutch govt position concerning U.S. spying for economic purposes + answers to Parliamentary questions re: Snowden/Le Monde
• 2013-09-14: Dutch govt response to revelations by Edward Snowden

EOF

UPDATE 2013-11-07: Automatisering Gids reports (in Dutch) that AMS-IX evades the PATRIOT Act in its expansion to the U.S.:

“AMS-IX has found a legal structure to operate in the U.S. without having to deal with the PATRIOT Act in the Netherlands.

AMS-IX is setting up a fully independent company in Delaware which will manage the exchange nodes in the United States. This also means that employees and directors cannot be exchanged between the two organizations. The U.S. company is a subsidiary of AMS-IX BV, that acts as the sole shareholder. The U.S.-based entity will be granted access to the necessary intellectual property through licensing.

This structure is devised with the international law firm Jones Day and aims to protect the Dutch AMS-IX BV and the AMS-IX Association against U.S. laws such as the USA PATRIOT Act.

Earlier the plans of AMS-IX for expansion into the United States were opposed because of the possible interference of the U.S. justice and security services in the Dutch establishment of AMS-IX.

AMS-IX takes into account a possible extension of the PATRIOT Act that would allow the construction to still become subject to U.S. jurisdiction. In that case, an independent Dutch foundation can be set up within a week to further separate the activities. AMS-IX chooses the current structure because the benefits from economy of scale.”

This is the provisional end of the story.
 
UPDATE 2013-11-06: AMS-IX USA Inc. to Deploy an Open-IX Internet Exchange in New York 
UPDATE 2013-10-02: here is a blogpost (in Dutch) about how some of the AMS-IX members voted. 
UPDATE 2013-09-30: AMS-IX is expanding to the U.S.: 123 out of some 600 members voted in favor of expanding, 102 opposed, 14 abstained. The U.S. branch of AMS-IX will obviously be subject to FISA and the Patriot Act. One possible outcome is that the U.S. will get more / easier access to EU internet traffic that travels via AMS-IX. The AMS-IX management will examine how the Dutch/European AMS-IX can be legally protected. @sigwinch adds: “Internal AMS-IX post claims ‘INC’ would not expose ‘BV’ directly to US law but org/ops firewall needed to complete pic.“

AMS-IX, the Amsterdam Internet Exchange, is one of the largest internet exchanges in the world. On September 23rd, AMS-IX issued a press release about a proposal to set up shop in the U.S. for possible expansion. On September 27th, the Dutch NOS brought the news that one of the biggest AMS-IX members, SURFnet, is against the proposal, citing concerns about U.S. spying capabilities.

Below I my translation of the NOS news report of September 27th. After reading it, go read Considerations on the expansion of AMS-IX to the US, posted by Bits of Freedom on September 25th. Do NOT forget to read the comments there.

SURFnet against establishment AMS-IX internet hub in U.S.

The proposal of the Amsterdam Internet Exchange (AMS-IX, the most important internet exchange of the Netherlands) to set up shop in the United States is not supported by SURFnet, one of its most important users.

Today, members of the AMS-IX will vote on the directors’ proposal to set up shop in the United States. Some are concerned that it will invite activities of American secret services such as the NSA.

Wiretapping capabilities
SURFnet provides for internet communication between universities, academic hospitals and other scientific institutions. In an email message addressed to other members, SURFnet explains that is against the proposal, among other because of concerns about the wiretapping capabilities of the Americans.

“If data are collected under U.S. law, foreign users only have very limited protection, because U.S. constitutional guarantees do not apply to them,” states SURFnet.

Legal extremism
More and more experts are speaking out against the plan of the AMS-IX. Professor Bart Jacobs (Radboud University) states that it is incomprehensible “that our own critical Internet Exchange AMS-IX” wants to open a branch in the U.S.

According to Jacobs, the AMS-IX thereby voluntarily subjects itself to the Patriot Act, meaning that U.S. authorities can compel access to our internet traffic. “Snowden will ask himself: do they still not understand things in the Netherlands?”

XS4ALL-cofounder Rop Gonggrijp states that “considering the growing legal extremism in the U.S., and recent revelations”, the potential consequences of the AMS-IX proposal should be thoroughly investigated first.

I commend SURFnet for acting prudent, cautious, diligent, in this serious matter.

Related:

• 2013-11-06: AMS-IX USA Inc. to Deploy an Open-IX Internet Exchange in New York 
• 2013-09-25: Bits of Freedom on Considerations on the expansion of AMS-IX to the US
• 2013-xx-xx: European Parliament briefing note (.pdf) on The US National Security Agency (NSA) surveillance programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens’ fundamental rights. This follows a resolution adopted by the European Parliament on 2013-04-09.  

EOF

UPDATE 2014-07-03: June 15th 2014: Dutch Joint Sigint Cyber Unit (JSCU) officially started
UPDATE 2014-03-07: the JSCU will officially start on May 1st 2014. 
UPDATE 2013-12-12: according to the Dessens report, there is an `Executive Board JSCU’ (Dutch: “de `Bestuursraad’ JSCU”) that consists of the three Secretary-Generals of General Affairs (chair), the Interior, and Defense. Plans exist to extend the `Executive Board’ for other issues than just the JSCU. In the opinion of the Dessens Committee these developments `fit well with the recommendation to give these three persons a joint coordinating role of the intelligence and security services’.

Here’s an English translation of an article in Dutch news paper NRC Handelsblad of September 24th 2013. Hyperlinks are mine.

MIVD and AIVD carry out operations in cyberspace under a new nameThe Dutch General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) join forces in a new unit, the Joint SIGINT Cyber Unit (JSCU), focused on cyber operations and eavesdropping of radio traffic. The JSCU was previously known under the working title Project Symbolon.

This was confirmed by a spokesperson of the services. The unit must be operational at the beginning of 2014. Some 350 people will be working there.

The JSCU head quarters will be located in the AIVD building in Zoetermeer. Other departments will be located in The Hague, where the MIVD is located. The existing joint AIVD/MIVD organization that intercepts and analyzes satellite traffic, the National SIGINT Organization (NSO), will be merged into the new unit. The NSO operates at two locations: dish antennas to receive signals are located in Burum, and the analysis is carried out in Eibergen. These two locations will remain operational.

The JSCU is tasked with, among others, developing instruments to counter “advanced” threats such as cyber attacks. The security of many Dutch government services was endangered as a result of the hijacking of electronic signatures issued by certificate authority DigiNotar. Cooperation with intelligence services of allies to recognize threats and developing responses are crucial, according to the AIVD and MIVD.

The quartermaster appointed by the AIVD and MIVD completed the blueprint for the new organization. The legal framework within which the JSCU should operate is not yet complete, however. The current Dutch Intelligence and Security Act 2002 (Wiv 2002) does not permit the services to wiretap “cable-bound communications” under all circumstances. When it was drafted in 2002, this clause was not significant as all international voice, text and data communication was carried, at some point among the path, via a wireless connection. Today, this is different.

The so-called commission-Dessens is now investigating if and how the Dutch law needs to be changed. The conclusions of the commission’s inquiry are expected to appear in 2013.

The establishment of this joint AIVD/MIVD unit was planned in the Dutch MoD Cyber Strategy (.pdf, September 2012, in English):

In the coming years, the [MIVD] will expand its capability for the covert gathering of information in cyberspace. This includes infiltration of computers and networks to acquire data, mapping out relevant sections of cyberspace, monitoring vital networks, and gaining a profound understanding of the functioning of and technology behind offensive cyber assets. The gathered information will be used for early-warning intelligence products, the composition of a cyber threat picture, enhancing the intelligence production in general, and conducting counterintelligence activities. Cyber intelligence capabilities cannot be regarded in isolation from intelligence capabilities such as signals intelligence (SIGINT), human intelligence (HUMINT) and the [MIVD]’s existing counterintelligence capability. A decisive factor for the effectiveness of operations is the combined deployment of scarce expertise and assets. With that in mind, the [MIVD] and the [AIVD] are intensifying their cooperation in the areas of cyber and SIGINT by establishing a joint SIGINT-Cyber Unit. The establishment of this unit should further improve the effectiveness of the national cyber intelligence capability. The [MIVD] will also contribute to the further development of the National Cyber Security Assessment which is being formulated under the responsibility of the National Coordinator for Counterterrorism and Security of the Ministry of Security and Justice.

EOF

Ben Nagy posted the following very sensible message on the DailyDave mailinglist:

[Dailydave] C…c…c..Cryptopocalypse!]

Recently, a lot of people have been talking and possibly even thinking about the “cryptopocalypse”, surveillance, and the ideal rate of exchange between liberty and safety. I have been vaguely seeking the ideal derisive verse for a while, but this morning I finally realised that it has already been sung.

“When you believe in things  that you don’t understand, then you suffer.”

     – Stevie Wonder [1]

Without quibbling over minor points, I think it’s reasonable to view the period since 2001 as one where privacy and fundamental individual liberties have been at a steady ebb. Some might characterise it as the ‘theft’ of those things by Governments, but really, it’s not. It has been driven by fear, and the belief that “The Government” can provide protection against Dark Forces. However, it’s not the steady advance of ridiculous legislation that I want to focus on. Those shavings of liberty can be counted where they fell, as a simple matter of public record.

What’s interesting is the use of the tools that these Governments already have. Nothing fundamental changed in the last few months. The NSA, GCHQ, MI5, DSD didn’t SUDDENLY ramp up any ops. They haven’t gone rogue. They’ve just been doing the same thing they’ve been doing for years, because people ASKED them for protection, but weren’t too bothered about asking for details. They may not have even had a concept of the missions of these organisations, except as a nebulous part of “Government”. They believed in things that they did not, fundamentally, understand, and now we all suffer.

So now we, the super smart computer crowd, get to be all smug and “I told you so!”, because we called it, just like that guy with no pants and a bird in his beard.

What I find hilarious, however, is the reaction. “Tor is the BEST tool that fails to fix a different but related problem!”, “You should all use CryptoCat because I say sorry every time I screw up!”, “Hemlis messenger is totes unbreakable, and has nice graphic design!”, “5 Weird Tips to NSA-proof YOUR life!”, “Try Silent Circle! We have Beards!”

All of this rubbish is just as much Security Theatre as the shoe removals, crotch-gropings and warrantless detention we’ve been enduring at airports. Statically, you’re just not a target, so it’s ALL going to be as “100% Effective” as Werewolf Repellent. So go nuts, I guess. Use CraptoCat inside TorBB to update your location on Facebook. Whatever.

If you happen to actually BE a person of interest, however, “better than nothing” is actually worse than nothing. If you had zero crypto, you might actually think about the content and traffic / timing patterns of your comms. If you had no ‘anonymisation’ then you might actually give a shit when and from where you connect. In either case you might give some measure of incredibly serious thought to:

– The known capabilities of your anticipated adversary
– Your operating risk
– Your worst case outcome

Because if you don’t have a strong mental picture of these things BEFORE you start deploying tools and being all crypto-ninja-slash-stealth-sexy-leopard, then you’re going to see exactly what that worst case outcome looks like from the inside.

I’m not saying it’s “impossible”. I’m just saying (to quote The Grugq) “Nobody’s going to go to jail for you”, and that includes the authors of these new (and old) “spook-proof” tools. The hard truth is that the only way to stay ‘safe’ from state-level actors is going to involve a consistently disciplined regimen of tools, techniques and procedures, and any software that claims to make it “easy” is flat-out lying.

Don’t outsource understanding.

“When you believe in things that you don’t understand, then you suffer. Superstition aint the way.”

( please now allow the best Clav riff EVER to stick in your head )

Baby Seals,

ben

[1] http://www.youtube.com/watch?v=wDZFf0pm0SE
    (and if you need this WHY ARE YOU SO YOUNG??)

EOF

UPDATE 2013-11-27: here (.pdf, Nov 27) is the EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection — i.e., the EU-US expert group established in response to the revelations about NSA-related activities on European territory that is referred to in the post below.

UPDATE 2013-09-21: European Parliament also responds (.pdf; not dated): The US National Security Agency (NSA) surveillance programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens’ fundamental rights.

On September 13th 2013, the Dutch government responded (.pdf, in Dutch) to the revelations by Edward Snowded. Unfortunately, that response is currently only available in Dutch. I decided to translate it to English myself: see below. Hyperlinks are mine.

WARNING: this is an unofficial translation.

Dutch government-wide response to revelations Snowden
Original Dutch: “Kabinetsbrede reactie onthullingen Snowden”

Motivation
On July 4th, the Dutch House of Representatives requested a government-wide response to the revelations by Mr. Snowden, and a joint European response to the United States (Besluitenlijst van de procedurevergadering van donderdag 4 juli 2013 (.pdf)).
Original Dutch: “Aanleiding
De Tweede Kamer heeft op 4 juli jl. verzocht om een kabinetsbrede reactie op de onthullingen van de heer Snowden en de gezamenlijke Europese reactie richting de Verenigde Staten (kenmerk 2013Z14045/2013D29496). In deze brief wordt de stand van zaken weergegeven.”

On June 21st, the Secretary of the Interior and Kingdom Relations, at request of the House of Representatives, submitted, also on behalf of the Secretary of Defense and the Secretary of Security and Justice, a letter about the powers and duties of the Dutch General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) (Kamerstuk 30977 nr. 56 (.pdf)). The letter covers, among others, the frameworks for international cooperation of these services. On July 3rd, additional information was provided about the international cooperations of the AIVD and MIVD, and the alleged espionage of EU diplomats (Kamerstuk 30977 nr. 59 (.pdf)). On July 9th, the questions by Rep. Schouw (D66) and Rep. Sjoerdsma (D66) about wiretapped EU diplomats were answered (Kamerstuk 2791 (.pdf)).
Original Dutch: “Op 21 juni jl. heeft de minister van Binnenlandse Zaken en Koninkrijksrelaties op verzoek van de Kamer mede namens de minister van Defensie en de minister van Veiligheid en Justitie een brief gestuurd over de taken en bevoegdheden van de AIVD en de MIVD (Kamerstuk 30977 nr. 56). Daarbij is onder meer aandacht besteed aan de kaders voor de internationale samenwerking van de diensten. Op 3 juli jl. is nadere informatie verstrekt over de internationale samenwerking van de AIVD en de MIVD, en de vermeende spionage van EU-diplomaten (Kamerstuk 30977 nr. 59). Op 9 juli jl. zijn de vragen beantwoord van de leden Schouw en Sjoerdsma over afgeluisterde EU-diplomaten (Kamerstuk 2791).”

CTIVD
On July 16th, the House of Representatives requested the Dutch Review Committee on the Intelligence and Security Services (CTIVD) to initiate an investigation inquiring into the data processing by the AIVD and MIVD regarding telecommunication. The CTIVD has now started that investigation.
Original Dutch: “CTIVD
De Tweede Kamer heeft op 16 juli jl. de Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten (CTIVD) verzocht een onderzoek te beginnen naar de gegevensverwerking van de AIVD en de MIVD op het gebied van telecommunicatie. De CTIVD is inmiddels gestart met het onderzoek.”

Response to Snowden’s revelations
The government is closely following the response of the United States to the revelations by Mr. Snowden. The government is committed, as previously stated, to highly meticulous and adequate protection of personal data. Hence, where national security and privacy protection meet, maximum transparency about procedures, powers, safeguards and oversight measures is a necessity. The government considers it encouraging that US Congress Members are specifically debating about those topics, and are submitting proposals for changing legislation, and that President Obama also declared, in his press conference of August 9th, that he is seeking more transparency and oversight. It is also gratifying that the US government has already acted by providing more insight into the powers and by publishing a legal substantiation for a few programs. The Netherlands is in conversation with the US about this.
Original Dutch: “Reactie op onthullingen Snowden
Het kabinet volgt met aandacht de reactie van de Verenigde Staten op de onthullingen van de heer Snowden. Het kabinet hecht, zoals eerder gemeld, zeer aan zorgvuldige en deugdelijke bescherming van persoonsgegevens. Het is daarom noodzaak om waar nationale veiligheid en privacybescherming elkaar raken, zo transparant mogelijk te zijn over procedures, bevoegdheden, waarborgen en toezichtmaatregelen. Het kabinet acht het in dat verband bemoedigend dat Amerikaanse Congresleden juist over die onderwerpen debatteren en voorstellen doen voor wijziging van de regelgeving en dat ook president Obama in zijn persconferentie van 9 augustus jl. heeft verklaard meer transparantie en toezicht na te streven. Het is tevens verheugend dat de Amerikaanse regering hiermee inmiddels een begin heeft gemaakt door meer inzicht te geven in de bevoegdheden en door publicatie van de juridische onderbouwing van enkele programma’s. Nederland is hierover in gesprek met de Verenigde Staten.”

After the initial consultation in Dublin on June 14th 2013, the EU Commissioners of Justice and Home Affairs, Reding and Malmström, the U.S. Minister of Justice Holder in a letter dated July 1st 2013 pledged that the United States will further inform the EU about PRISM and similar programs. Moreover, the United States also expect information from the EU (Member States) on the legal basis for intelligence gathering on foreign countries, and the oversight measures applicable to them.
Original Dutch: “Overleggen met de Verenigde Staten
Na het initieel overleg in Dublin op 14 juni 2013 met de Eurocommissarissen van Justitie en van Binnenlandse zaken, Reding en Malmström, heeft de Amerikaanse Minister van Justitie Holder in een brief van 1 juli 2013 toegezegd dat de Verenigde Staten de EU nader zullen informeren over PRISM en vergelijkbare programma’s. De Verenigde Staten verwachtten overigens ook informatie van de EU-(lidstaten) over de juridische basis voor inlichtingenvergaring over het buitenland en de toezichtmaatregelen die daarop van toepassing zijn.”

A joint EU/US expert group is currently examining the protection of privacy and electronic data of citizens, with the aim of mutual understanding of each other’s programs and how those are anchored in the rule of law (legislation and oversight of intelligence and security services). The EU Member States, including the Netherlands, the European External Action Service (EEAS) and the European Commission have recently been working in consultation with the U.S. at the start of this expert group, including at a meeting in Washington DC on July 8th, 2013. The current Lithuanian Presidency of the Council of the European Union, the European Commission, the EU coordinator for counterterrorism, the EEAS and the so-called `Article 29 Working Party‘ on EU data protection are represented in the expert group. In addition, the group has ten representatives of the Member States. The expert group had its first meeting on July 22/23 this year. A second meeting is planned for September 19th, 2013 in Washington DC.
Original Dutch: “Een EU-VS expertgroep buigt zich momenteel over de bescherming van de persoonlijke levenssfeer en van elektronische gegevens van burgers, met als doel wederzijds inzicht in elkaars programma’s en de wijze waarop deze zijn verankerd in de rechtstaat (wetgeving en toezicht op I&V-diensten). De lidstaten van de EU, waaronder dus ook Nederland, de Europese Dienst voor Extern Optreden (EDEO) en de Europese Commissie hebben de afgelopen periode in overleg met de VS gewerkt aan de start van deze expertgroep, onder andere tijdens een bijeenkomst in Washington DC op 8 juli 2013. Het huidig Litouwse voorzitterschap van de Raad, de Europese Commissie, de EU-coördinator voor contraterrorisme, de EDEO en de zogenaamde Artikel 29-werkgroep van de EU voor dataprotectie zijn in de expertgroep vertegenwoordigd. Daarnaast zijn er tien afgevaardigden van de lidstaten lid van de expertgroep. De expertgroep heeft op 22 en 23 juli jl. een eerste bijeenkomst gehad. Een tweede bijeenkomst is voorzien op 19 september 2013 in Washington.”

Considering that the collection of data for national security is an exclusive competence of the Member States, it was agreed that EU countries must themselves make agreements with the United States about this.
Original Dutch: “Aangezien het verzamelen van informatie ten behoeve van de nationale veiligheid een exclusieve competentie van de lidstaten is, is afgesproken dat EU-lidstaten zelf hierover afspraken met de Verenigde Staten maken.”

Results of the consultations
In a statement a few days before the first meeting of the expert group, the U.S. Office of the Director of National Intelligence (ODNI) discussed, in detail, the intelligence programs of the United States, and particularly their legal basis and oversight. “
Original Dutch: “Resultaten van de overleggen
In een verklaring enkele dagen voor de eerste vergadering van de expertgroep is het Office of the Director of National Intelligence (ODNI) uitgebreid ingegaan op de inlichtingenprogramma’s van de Verenigde Staten, in het bijzonder op de wettelijke basis en het toezicht.”

In the meeting of the EU/US expert group, the United States provided information about PRISM (targeted investigations on non U.S. citizens), based on the Foreign Intelligence Surveillance Act (FISA). This Act regulates the oversight by, in total, eleven judges, who always assess requests with a total of three judges. Explanations were given about the possibilities that the FISA provides for collecting telecom metadata within the United States, and about the oversight to which it is subjected. In the next phase, the use of the XKeystore [sic] program by the  U.S. National Security Agency (NSA) in the processing of large databases will be discussed. Attention will also be given to the measures announced by President Obama regarding data protection and intelligence gathering, including the evaluation and expected changes in the FISA and the Patriot Act (Article 215). In addition, answers will be given to questions from the U.S., focused on legislation regarding the possibilities for intelligence gathering and oversight of intelligence and security services of the EU Member States. The meetings of the expert group are reported in private (`restreint’) meetings of the EU Committee of Permanent Representatives (COREPER). During these meetings EU Member States also can report on talks with the United States in the bilateral track.
Original Dutch: “In de bijeenkomst van de EU-VS expertgroep gaven de Verenigde Staten informatie over PRISM (gericht onderzoek op niet Amerikaanse burgers), gebaseerd op de Foreign Intelligence Surveillance Act (FISA). In deze wet is het toezicht geregeld door in totaal elf rechters, die verzoeken steeds met drie rechters beoordelen. Tevens is uitleg gegeven over de mogelijkheden die de FISA biedt om metagegevens van telecomverkeer in de Verenigde Staten te verzamelen en over het toezicht dat daarop wordt uitgeoefend.
In het vervolgtraject zal onder meer worden gesproken over het gebruik van het programma XKeystore [sic] door de Amerikaanse National Security Agency (NSA) bij de verwerking van grote databestanden. Tevens zal worden stilgestaan bij de maatregelen die president Obama heeft aangekondigd op het gebied van dataprotectie en inlichtingenvergaring, waaronder de evaluatie en beoogde aanpassingen van de FISA en de Patriot Act (artikel 215). Daarnaast zal antwoord worden gegeven op vragen van Amerikaanse zijde vooral gericht op wetgeving inzake de mogelijkheden van inlichtingenvergaring van en het toezicht op inlichtingen- en veiligheidsdiensten van de EU-lidstaten.
Over de bijeenkomsten van de expertgroep wordt verslag gedaan in besloten (restreint) zittingen van het COREPER. Tevens kunnen EU-lidstaten in deze zittingen melding maken van gesprekken met de Verenigde Staten in het bilaterale traject.”

In addition, the Chairman of the Article 29 Working Party, Mr. Kohnstamm, stated in a letter to Commissioner Reding that the Article 29 Working Party will not only focus on intelligence programs used by the United States, but also is committed to investigating, within its mandate, the impact of PRISM, including the use of information derived from PRISM on European soil. Moreover, the Article 29 Working Party will examine the extent to which the programs of the intelligence and security services of Member States comply with the data protection principles and legislation of the EU. The Article 29 Working Party takes these initiatives in response to the conversations in the EU/US expert group, in which the Article 29 Working Party participates.
Original Dutch: “Daarnaast heeft de voorzitter van de Artikel 29-werkgroep, de heer Kohnstamm, in een brief aan Eurocommissaris Reding te kennen gegeven dat de Artikel 29- werkgroep zich niet alleen zal richten op de inlichtingenprogramma’s die door de Verenigde Staten worden gebruikt, maar zich ook zal inzetten om binnen zijn mandaat de impact van PRISM te onderzoeken, inclusief het gebruik van de van PRISM afgeleide informatie op Europees grondgebied. Bovendien zal de werkgroep onderzoeken in hoeverre de programma’s van de inlichtingen- en veiligheidsdiensten van de lidstaten stroken met de dataprotectieprincipes en de wetgeving van de EU. De Artikel 29-werkgroep neemt deze initiatieven naar aanleiding van de gesprekken in de EU-VS expertgroep, waar de Artikel 29- werkgroep in deelneemt.”

Finally, the European Parliament has taken the initiative to further investigate the U.S. operations for collecting foreign intelligence. From September 2013, the EP anticipates twelve meetings on this subject.
Original Dutch: “Ten slotte heeft het Europees Parlement (EP) het initiatief genomen om de Amerikaanse activiteiten voor het verzamelen van buitenlandse inlichtingen nader te onderzoeken. Vanaf september 2013 voorziet het EP twaalf bijeenkomsten over dit onderwerp.”

Next
The House of Representatives will be informed about new developments.
Original Dutch: “Vervolg
De Kamer zal worden geïnformeerd over nieuwe ontwikkelingen.”

Related links:

• 2013-11-27: EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection (.pdf, Nov 27)  
• 2013-09-24: Documents of Committee on Civil Liberties, Justice and Home Affairs (LIBE) meeting of 2013-09-05.
• 2013-09-21: European Parliament also responds (.pdf): The US National Security Agency (NSA) surveillance programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens’ fundamental rights.
• 2013-09-03: Documents of Committee on Civil Liberties, Justice and Home Affairs (LIBE) meeting of 2013-09-05 where Jacob Appelbaum speaks. Also covers ECHELON.
• 2013-07-03: U.S. and EU Member State surveillance programmes: National security does not mean that anything goes (speech by Vivian Reding, the EU Commissioner for Justice)
• 2013-07-01: Joint motion of European Parliament for a resolution to wind up the debate on the US National Security Agency surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ privacy.

EOF

In 2012 I posted a promotion for botnet services found on the web. The below promotion of illegal virtual goods/services was posted today (2013-08-15) somewhere else on the web. Quite comprehensive and detailed; professional, one might say. (Or a good fake.)

hello all,

We glad to represent service on sale Bank logins, ***s, PayPal, Ebay, dumps, poker rooms accts, search SSN, DOB etc

contacts   [REDACTED] 
Support icq : [REDACTED]
mail :[REDACTED]
more information contact HOME - WELCOME TO THE BEST TEACHER PRICE LIST... AND ROOMS FOR STUDENT WHO WANT TO LEARN HOW HACK STUFF..

Always in stock fresh stuff, often updates.
Instant delivery.

What bank logins we have in stock:
-Usa (usually have BOA, Chase and more)
-UK (Abbey, Hsbc and Halifax and more)
-AU (ask support)
-Ca (ask support)

Dumps and ***s worldwide!

Our Price:

Dumps:

USA
MC Standart, Visa Classic - 40$ ,
MC, VisaGOLD,PLATINUM/BUSINESS/CORP/SIGNATURE - 50$
AMEX - 50$
DISCOVER - 50$

Canada
MC,visa classic - 40$
MC,Visa Gold/Platinum/Corporate/Signature/Business - 55$
EU and World: (101)
MC Standart, Visa Classic - 100$
MC,Visa Gold/Platinum/Corporate/Signature/Business - 120$
EU and World: (201)
MC Standart, Visa Classic - 70$
MC,Visa Gold/Platinum/Corporate/Signature/Business - 90$

Bank logins:
Usually 6% from balance
If big balance price cheapest
All info for deal transfer!!!

***s:
Usa - 5 usd per 1
EU - 10-15 usd per 1
Ask support for more information!

Also i can search SSN, DOB, DL, MMN for u! Welcome!

EXCHANGE WU>WMZ! WU>LR! FEE 15%!

I sell poker accts in any poker room! Deposite from cc or mb! Nice prices, nice balances!
(my poker acct=(dedicated server with software poker room with ur acct)
Also i need guy who can help me cashout in poker! Welcome!

Terms of work:

- I sell dumps (track2+track1) without pin (attention rippers!!!), Bank logins, ***s, PayPal, Ebay.
- Sending stuff withing 24 hours after full payment received.
- Dumps before sale can be checked up. They are not subject to replacement, or, Unchecked dumps I replace in a current of 24 hours after you have received them and only pick up/hold-call.
- The minimum order:
- WMZ - no min, WU/MG - 400 usd + 8% drop fee.
- I do not give stuff for test. All real clients have some $ for test service, only nigerian kids asked free! I hope u not nigerian kid?Smile

more information HOME - WELCOME TO THE BEST TEACHER PRICE LIST... AND ROOMS FOR STUDENT WHO WANT TO LEARN HOW HACK STUFF..

Rules

We don't make sometimes SUPPORT IN ICQ . You will get full ignore if u will ask too many questions every time . When checker is working u will receive your card just if it is valid if not you are auto-refunded.

1. We work only with our good buyers . If u dont like our shop u will be lock and willnot support any more in future
2. We Make refund to balance withing 24h period . Dont claim us to make it instant or in 2 min . We a not robots .
3. We sell for you only stuffs which u can see inside our shop .
4. We always very honest and wanna help u in all problems.
5. If you found bug and didnot report to us about it - u will be lock forever. Ppls who help us with bugs will be make bonuses and discounts.
6. Shop make auto discount after 500$ , 2000$ , 5000$ and etc. total orders .
7. We dont make money back for your purses . Only for account balance.

Replacement CC Rules
1. We replace cards which willnot approved in our private checker but in case that checker working we don`t offer replace.
2. If cc approved in our checker - we will inform u with admin message in replacement claim and willnot refund u balance.
3. If cc willnot have balance for u order - we willnot refund or replace u claim.
4. If cc have verified by visa or security 3d mc protect - we willnot replace or refund u claim .
5. For correct work with our cc pls use private checker merchants . About it read Articles in our shop .
6. We make refund or replace ur claim within 24h period.
7. DE cc dont have any refund . UK+DOB dont have any refund if dob bad or info bad . Validate rate 85% .

Replacement Bank Logins Rules * Updated
1. We refund full balance for u if bank logins have incorrect info and canot login .
2. We refund only some part of balance if bank logins have different balance . Like u bought 2k bal and get 1k - we will refund about 50% of price.
3. We dont make transfer from bank logins and etc . We a only sell . All articles will be posted very soon to make u work better .
4. If account have Card Reader Security - we dont make any refund . (natwest-barclays-rbs).
5. If u claim *Its bad* , *Acc Bad* , *This bad* , *Not Open* - u claims will be delete without refund . We need full reason of claims . Pls Copy Error Reason From Bank website after bad try to login .
6. We will lock users who will claim for valid logins - doesnot matter if its have -10$ balance or something else , if u claim it like a dead login but access will be valid - u account will be locked . Unlock will cost 200$ for this mistake . Be Carefully with work together.
7. Halifax - you must known this bank one of the strong of security detect online banking . Halifax can easy lock access if u pc isnot perfect or u ip different of holder ip . if u get message that acc temporary lock we willnot refund any amount for this .
8. If u locked access for logins - we willnot refund u any money .

NEW SECURITY RULES
1. If u willnot buy any stuff with 1 month period - we will lock u access.
2. If u will claims in icq and will teach us how to work - we will lock u access.

Dumps Rules
1. U can buy it searching for Bin .
2. Our checker check dumps with CCCHECKER - u must known it . Its dont guanraty 100% clear check without any flag and etc
3. Minimum order 1 dump
4. If u got 201 dumps and u canot use it - we dont make any refund.

Dumps Replacements
>12 hours for only Decline[05]:
05 | Decline | Do Not Honor
>24 hours for Hold-Call / Pick Up Card:
04 | Hold-Call Or Pick Up Card
07 | Hold-Call Or Pick up Card | Pick Up Card - Special Condition
41 | Hold-Call Or Pick up Card | Pick Up Card - Lost
43 | Hold-Call Or Pick up Card | Pick Up Card Stolen

The rest of responses will not be replaced, especialy:
01 | Call | Refer To Issuer
02 | Call | Refer To Issuer - Special Condition
13 | Decline | Amount Error | Invalid amount
51 | Decline | Insufficient Funds
N4 | Decline | Exceeds Issuer Withdrawal Limit
61 | Decline | Exceeds Withdrawal Limit
62 | Decline | Invalid Service Code, Restricted
65 | Decline | Activity Limit Exceeded
93 | Decline | Violation, Cannot Complete

Paypal Rules
1. If Paypal Email password dont work - we refund only 50% of price.
2. If Paypal Account have Security Meansure - We dont make refund - Use clear socks for it . All anyproxy - 5socks services - blacklisted socks . Be ware and dont use bad socks
3. For correct work use only our socks . Soon socks will be work and we will have only clear and private socks list until then u can enjoy of 1 free time to time socks.
4. Replacement time 24h . You canot claim after 24h period .

Please take care and buy only what u need dont tell us that u have bought it and you don`t need it after.

EOF