UPDATE 2013-11-27: here (.pdf, Nov 27) is the EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection — i.e., the EU-US expert group established in response to the revelations about NSA-related activities on European territory that is referred to in the post below.

On November 15th, the Dutch Minister of the Interior and Kingdom Relations, Ronald Plasterk, sent a letter (in Dutch) to the Dutch Senate. The letter addresses questions concerning the impact of the Snowden revelations on ongoing TAFTA negotiations and EU Data Protection negotiations, and mentions SWIFT. Below is my translation. Parts in [] are mine.

WARNING: this is an unofficial translation.

Date: November 15th 2013 Subject: NSA, privacy and (economic) espionage

1. Did the revelations of Mr. Snowden come as a surprise to the government?
Yes.

Original Dutch: “1. Kwamen de onthullingen van de heer Snowden voor de regering als een verrassing?
Ja.”

2. Has the government thoroughly informed itself about the significance of the revelations of Mr. Snowden for the constitutional protection of the privacy of citizens?

Yes. The government is committed to careful and adequate protection of personal data. This is a point of attention in the bilateral discussions currently taking place with the U.S. government in response to the revelations about the NSA. The Minister of Foreign Affair already expressed his concerns about the NSA’s activities to his American colleague Kerry, and I spoke with the director of the NSA. The Netherlands also assesses the initiative of Germany and France to reach agreements with the Americans as positive, has contacted with both countries, and will make an active contribution where possible.

An EU-US expert group exists that is deliberating on protecting the privacy and electronic data of citizens. The aim of this expert group is to gain insight into each other’s programs and how they are anchored in the rule of law.

Also, the State Secretary of Security and Justice and I are actively involved in the negotiations on the new EU legislation on the protection of privacy. The significance of the revelations of Mr. Snowden will be included in this.
Also see the answer to question 3.

Original Dutch: “2. Heeft de regering zich diepgaand op de hoogte gesteld van de betekenis van de onthullingen van de heer Snowden voor de grondrechtelijke bescherming van de persoonlijke levenssfeer van de burgers?
Ja. Het Kabinet hecht aan zorgvuldige en deugdelijke bescherming van persoonsgegevens. Dit is een punt van aandacht in de gesprekken die momenteel bilateraal worden gevoerd met de Amerikaanse overheid naar aanleiding van de onthullingen over de NSA. Zo heeft de minister van Buitenlandse Zaken reeds zijn zorgen over de activiteiten van de NSA overgebracht aan zijn Amerikaanse collega Kerry en heb ik gesproken met de directeur van de NSA. Daarnaast beoordeelt Nederland het initiatief van Duitsland en Frankrijk om te komen tot afspraken met de Amerikanen als positief, heeft hierover contact met beide landen, en zal waar mogelijk een actieve bijdrage leveren.
Er is een EU-VS expertgroep gestart die zich buigt over de bescherming van de persoonlijke levenssfeer en van elektronische gegevens van burgers. Het doel van deze expertgroep is inzicht krijgen in elkaars programma’s en de wijze waarop deze zijn verankerd in de rechtstaat.
Tevens zijn de staatssecretaris van Veiligheid en Justitie en ik actief betrokken bij de onderhandelingen over de nieuwe Europese wetgeving voor de bescherming van de persoonlijke levenssfeer. De betekenis van de onthullingen van de heer Snowden zal hierbij worden meegenomen. Zie ook het antwoord op vraag 3.”

3. What are consequences of the disclosures for the negotiations on EU legislation regarding the protection of personal data?

During the JHA Councils of July and from October 2013 an – always informal – exchange of views took place on the consequences that could be associated with the revelations. Decisions have not been made on these matters. I refer the Parliament to the reports on the council meetings.

On September 16th, is a “Friends of the Presidency”-meeting (an informal meeting where no formal decisions are made) was held dedicated to two proposals to amend Chapter V of the EU Data Protection Regulation. This chapter covers the transfer of personal data from the EU to third countries. For a report of that discussion, I refer to the report on the negotiations relating to the Q3/2013. The discussion on Chapter V of the Regulation will be continued. The outcome of the ongoing discussions between the EU and the U.S. on the collection of data and the underlying legislation will be taken into account.

In addition to the Council, the European Parliament is also deliberating on the legislation. The European Parliament pays specific attention to the transfer of personal data from the EU to the authorities of third countries. It goes without saying that the issue will be explicitly addressed in due course in the trialogue between the Commission, Council and European Parliament.

Original Dutch: “3. Welke gevolgen hebben de onthullingen voor de onderhandelingen over de te wijzigen EU-wetgeving ten aanzien van de bescherming van persoonsgegevens?
Tijdens de JBZ-Raden van juli en van oktober 2013 is – telkens informeel – van gedachten gewisseld over de consequenties die aan de onthullingen verbonden zouden kunnen worden. Besluiten zijn terzake niet genomen. Ik verwijs de Kamer naar de verslagen over de raadsvergaderingen.
Op 16 september 2013 is er een zogeheten Friends of the Presidency-vergadering (een informele vergadering waarin geen formele besluitvorming plaatsvindt) gewijd aan twee voorstellen tot aanpassing van hoofdstuk V van de EU verordening gegevensbescherming. In dat hoofdstuk wordt de doorgifte van persoonsgegevens uit de EU naar derde landen geregeld. Voor een verslag van dat beraad, verwijs ik graag naar de rapportage over de onderhandelingen die betrekking heeft op het derde kwartaal van dit jaar. De discussie over Hoofdstuk V van de verordening zal nog worden voortgezet. Daarbij zullen de uitkomsten van het nog lopende beraad tussen de EU en de VS over de verzameling van gegevens en de daaraan ten grondslag liggende wetgevingssystemen betrokken worden.
Naast de Raad beraadslaagt ook het Europees Parlement over het wetgevingspakket. Het Europees Parlement schenkt nadrukkelijk aandacht aan de doorgifte van persoonsgegevens uit de EU aan de overheden van derde landen. Het spreekt voor zich dat het onderwerp te zijner tijd in de triloog tussen Commissie, Raad en Europees Parlement nadrukkelijk aan de orde komt.”

4. What are the consequences of the revelations for the negotiations between the EU and the U.S. to establish a free-trade agreement[, the Transatlantic Free Trade Area (TAFTA)]? Does the EU demand that EU standards regarding privacy apply where EU citizens are involved in the implementation of that agreement?

The government believes it is still important that we shortly come to an ambitious and comprehensive agreement with the United States. It is the Netherlands itself that has a lot to gain: in addition to a expected structural growth of the Dutch GDP by 4 billion a year, the agreement also provides new jobs and lower prices. The government makes no connection between EU standards regarding privacy and the free-trade agreement.

Original Dutch: “4. Welke gevolgen hebben de onthullingen voor de onderhandelingen tussen de EU en de VS over een te sluiten vrijhandelsverdrag? Eist de EU dat de EU-normen ten aanzien van privacy van toepassing zijn voor zover Unieburgers betrokken zijn bij de toepassing van het verdrag?
Het kabinet vindt het nog steeds van belang dat we spoedig tot een ambitieus en veelomvattend akkoord met de Verenigde Staten komen. Juist Nederland heeft daar veel bij te winnen: naast een structurele verwachte groei van het Nederlandse BNP met 4 miljard per jaar, levert het akkoord ook nieuwe banen en lagere prijzen op. Het kabinet legt geen verband tussen EU-normen ten aanzien van privacy en het verdrag.”

5. How has the government responded to the relevation that financial data was tapped by the NSA via SWIFT, which has server in the Netherlands? What preventive measures have been taken? Can the government confirm whether this data is still tapped by the NSA?

I can not confirm the accuracy of the messages on the interception of SWIFT by the NSA. I am aware that Commissioner Malmström, following the media reports of the tapping of SWIFT by the NSA on September 12th, has asked the U.S. authorities to clarify this issue and that this topic is part of the discussions between the U.S. and the EU. See also the answer to the questions posed by the MP’s Koolmees and Schouw (both D66) on the media reports that the servers of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) may be tapped by the NSA (publication date October 16th, 2013, reference: 2013D41109).

Original Dutch: “5. Op welke wijze heeft de regering gereageerd op de onthulling dat ook de bankgegevens via SWIFT, waarvan er in Nederland servers staan, getapt worden door de NSA? Welke maatregelen ter voorkoming zijn er getroffen? Kan de regering aangeven of deze gegevens nog steeds getapt worden door de NSA?
Ik kan de juistheid van de berichten over het aftappen van SWIFT door de NSA niet bevestigen.
Het is mij bekend dat Eurocommissaris Malmström de Amerikaanse autoriteiten op 12 september jl. per brief om opheldering heeft gevraagd naar aanleiding van de berichtgeving over de het aftappen van SWIFT door de NSA en dat dit onderwerp deel uit maakt van het beraad tussen de VS en de EU. Zie ook het antwoord op de Kamervragen van de leden Koolmees en Schouw(beiden D66) inzake over het bericht dat de servers van de Society for Worldwide Interbank Financial Telecommunication (SWIFT) mogelijk zijn afgetapt door de NSA (publicatiedatum 16 oktober 2013, kenmerk 2013D41109).”

6. Has the government formed a picture of the economic damage that the private sectors suffers as result of the theft of confidential data? If so, what steps will the government take in this?

The government has no insight into the quantitative economic damage that businesses suffer from theft of confidential data. However, there are several qualitative insights into the economic loss due to theft of confidential information and industrial espionage. In a study from 2011 that was commissioned by the British government [0], the annual economic loss in the United Kingdom due to cybercrime was estimated at 27 billion pounds. This is a conservative estimate, the amount is probably higher and increases every year. Industrial espionage takes 28% (7.6 billion pounds) and identity theft accounted for 6.3% (1.7 billion pounds). It is estimated that the industry contributes 75% of the damage. TNO has projected these findings to the Dutch situation and estimates the total national damage caused by cybercrime, with digital espionage as part of it, to be at least 10 billion euros [1]. Industrial espionage accounts for approximately 2 billion. These are estimates, the exact damage is difficult to determine or can not be determined.
The Dutch government is focusing on several areas to avoid digital espionage and combat theft of confidential data:

• The AIVD and MIVD provide briefings to create awareness among government entities and industry about the threat of cyber espionage, and give advice on information security.
• Within the National Cyber ​​Security Center (NCSC), an active information exchange exists between government services and the private sector – for instance the vital sectors – on (direct) threats and vulnerabilities.
• In the Second National Cyber ​​Security Strategy (NCSS2) that the government has recently presented to the Parliament, an action is taken to develop a detection and response network. This partnership between public and private parties will be an important step to make the Netherlands digitally more secure and resilient.
• The government commissioned the development of the Vulnerability Analysis Espionage (KWAS) and an associated manual and e-learning module. The Espionage Vulnerability Assessment Manual helps companies and organizations to investigate the risks of espionage themselves.
• Hardware and software are vulnerable to cyber crime; computer infected with malware are also used for espionage. Besides awareness programs, a quality mark is being developed for secure software.
• The Minister of Security and Justice, being the coordinating minister for cyber security, has sent the new government-wide National Cyber ​​Security Strategy to the Parliament. This includes extensive coverage of measures to increase the overall resilience in the digital domain.

Also see the answer to the questions posed by the MP’s Schouw and Sjoerdsma (both D66) on media reports that Russian spies are very active in the Netherlands (publication date May 23, 2013rd, reference: 2013D20939).

Original Dutch: “6. Heeft de regering zich een beeld gevormd van de economische schade die het bedrijfsleven lijdt door de diefstal van vertrouwelijke gegevens? Zo ja, welke stappen zal de regering hierin nemen?
Het Kabinet heeft geen inzicht in de kwantitatieve economische schade die het bedrijfsleven lijdt door diefstal van vertrouwelijke gegevens. Wel bestaan er diverse inzichten in de kwalitatieve economische schade als gevolg van diefstal van vertrouwelijke gegevens en industriële spionage. In een onderzoek uit 2011 dat is uitgevoerde in opdracht van de Britse overheid1, wordt de jaarlijkse economische schade in het Verenigd Koninkrijk als gevolg van cybercrime geschat op 27 miljard pond. Dit is een conservatieve schatting; waarschijnlijk is het bedrag hoger en neemt het ieder jaar toe. Industriële spionage neemt 28% (7,6 miljard pond) voor zijn rekening en identity theft 6,3% (1,7 miljard pond). Geschat wordt dat het bedrijfsleven 75% van de schade draagt. TNO2 heeft deze bevindingen geschaald naar de Nederlandse situatie en schat de totale nationale schade als gevolg van cybercrime, met als onderdeel daarvan digitale spionage, op minimaal 10 miljard euro. Binnen dit bedrag neemt industriële spionage ca. 2 miljard euro voor zijn rekening. Het gaat hier om schattingen, de exacte schade is lastig of niet vast te stellen.
De Nederlandse overheid zet in op verschillende vlakken om digitale spionage en diefstal van vertrouwelijke gegevens te voorkomen en te bestrijden:
– De AIVD en de MIVD geven briefings om bewustzijn te creëren bij overheden en het bedrijfsleven voor de dreiging van digitale spionage en geeft advies over informatiebeveiliging.
– Binnen het Nationaal Cyber Security Centrum (NCSC) wordt actief informatie uitgewisseld tussen overheidsdiensten en bedrijfsleven – zoals de vitale sectoren – over (directe) dreigingen en kwetsbaarheden.
– In de Tweede Nationale Cyber Security Strategie (NCSS2) die het kabinet recent heeft aangeboden aan de Tweede Kamer, is een actie opgenomen om een detectie- en responsenetwerk te ontwikkelen. Met dit samenwerkingsverband tussen publieke en private partijen zal een belangrijke stap gezet worden bij het digitaal veiliger en weerbaarder maken van Nederland.
– Het kabinet heeft de Kwetsbaarheidsanalyse Spionage (KWAS) en een bijbehorende handleiding en e-learningmodule laten ontwikkelen. De Handleiding Kwetsbaarheidsonderzoek spionage helpt bedrijven en organisaties zelf onderzoek te doen naar de risico’s van spionage.
– Hard- en software zijn kwetsbaar voor cybercriminaliteit; computers met besmette componenten of waar malware is binnengedrongen, worden ook ingezet voor spionage. Naast bewustwordingsprogramma’s wordt gewerkt aan de ontwikkeling van een keurmerk voor veilige software.
– De minister van Veiligheid en Justitie heeft als coördinerend minister voor cyber security de nieuwe kabinetsbrede Nationale Cyber Security Strategie aan de Kamer gezonden. Hierin is uitgebreid aandacht voor maatregelen ter verhoging van de algehele weerbaarheid in het digitale domein.
Zie ook het antwoord op de Kamervragen van de leden Schouw en Sjoerdsma (beiden D66) inzake bericht dat Russische spionnen erg actief zijn in Nederland (publicatiedatum 23 mei 2013, kenmerk: 2013D20939).”

7. What steps has the government taken to counter the ongoing privacy breaches?

See the answer to question 2.

Original Dutch: “7. Welke stappen heeft de regering genomen om de voortgaande inbreuken op de privacy tegen te gaan?
Zie het antwoord op vraag 2.”

8. What diplomatic steps does the government usually take when there is economic espionage? Has the government now also taken those?

The government considers any action outside the framework of the Dutch law to not be acceptable. This includes espionage for economic reasons by foreign powers in the Netherlands. The AIVD and MIVD therefore carry out structural investigation of espionage by foreign powers in the Netherlands. If such espionage is detected, measures always follow, both diplomatically and in other areas.

Original Dutch: “8. Welke diplomatieke stappen neemt de regering doorgaans als van economische spionage sprake is? Heeft de regering die thans ook genomen?
Het kabinet acht enig optreden buiten de kaders van de Nederlandse wet niet aanvaardbaar. Spionage om economische redenen van buitenlandse mogendheden in Nederland, valt hier ook onder. De AIVD en de MIVD doen om die reden structureel onderzoek naar spionage van buitenlandse mogendheden in Nederland. Indien dergelijke spionage wordt geconstateerd, dan volgen altijd maatregelen, zowel diplomatiek of op andere terreinen.”

9. Has the government itself and in cooperation with other countries taken measures to get countries that commit these offences to stop? 

See the answers to question 2 and 8.

Original Dutch: “9. Heeft de regering zelf en in samenwerking met andere landen maatregelen genomen om de landen die zich aan deze inbreuken schuldig maken ertoe te brengen deze te beëindigen?
Zie de antwoorden op vraag 2 en 8.”

[0] https://www.gov.uk/government/publications/the-cost-of-cyber-crime-joint-government- and-industry-report
[1] http://www.tno.nl/content.cfm?context=overtno&content=nieuwsbericht&laag1=37&laag2=69&item_id=2012-04-10%2011:37:10.0&Taal=1

Dutch readers are referred to Bits of Freedom’s posts about TAFTA (in Dutch):

• 2013-10-10: https://www.bof.nl/2013/10/10/tafta-miljardenclaims-voor-de-nederlandse-staat/
• 2013-07-05: https://www.bof.nl/2013/07/05/tafta-europees-parlement-mist-kans-om-amerikaanse-spionage-te-bestrijden/
• 2013-06-17: https://www.bof.nl/2013/06/17/tafta-europese-commissie-regeert-met-onduidelijk-mandaat-over-graf-heen/
• 2013-05-01: https://www.bof.nl/2013/05/01/tafta-een-herhaling-van-zetten/

Related:

• 2013-11-27: EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection (.pdf, Nov 27)
• 2013-11-09: Oversight on Dutch SIGINT is still broken (blog)
• 2013-11-05: Viviane Reding: “The NSA needs a counterweight. My [proposal is] to set up a European Intelligence Service by 2020.” (blog)
• 2013-10-28: Dutch govt position concerning U.S. spying for economic purposes + answers to Parliamentary questions re: Snowden/Le Monde (blog)

EOF

UPDATE 2015-07-02: the Dutch government released their draft intelligence bill into public consultation. Details here.
UPDATE 2014-08-07: last May, I submitted a FOIA request to the AIVD seeking any of their (work/legal) instructions related to the legal requests for permission to use special powers — specifically also including selection from bulk-intercepted non-cablebound (=ether) communications. Today I received a standard “request denied” letter citing grounds of national security as motivation for denying the request. No explanation specific to the request was given; nor why it was denied altogether as opposed to disclosing partially redacted information.
UPDATE 2014-03-11: today, a new CTIVD oversight report was published, together with the Dutch cabinet’s response to the Dessens report. The report covers exercises of various telecom-related powers by the AIVD and MIVD. Concerning the undirected (bulk) collection of phone metadata from ether sources, the CTIVD has now established that it has not been motivated as required by law: nothing is known about necessity, proportionality or subsidiarity of such collection. IMHO the new report — which only exists as a result of Snowden’s revelations — reemphasizes that up until today, oversight on Dutch SIGINT is broken. 
UPDATE 2013-12-16: the Minister responded (.pdf, in Dutch) today. Here is the relevant part:

“The cabinet thinks, as does the Parliament, that it is very important that the CTIVD can assess the legality of SIGINT selection activities [carried out by the AIVD and MIVD]. Measures have been taken, and are being taken. These are aimed at enabling the CTIVD to assess legality of SIGINT selection activities in future reports.”

Original Dutch: “De regering hecht er, evenals de Kamer, zeer aan dat de CTIVD ook tot een rechtmatigheidsoordeel kan komen over de selectie van sigint. Op dit vlak zijn en worden maatregelen getroffen. Deze zijn erop gericht de CTIVD in staat te stellen in toekomstige rapporten tot een oordeel te komen.”

Unfortunately, nothing is stated about what measures have been taken.

UPDATE 2013-12-04: on December 2nd, the Dessens Committee published their final report — I’m blogging about it here.
UPDATE 2013-11-28: the below was brought up (in Dutch) by MP Gerard Schouw (D66 party) during yesterday’s Parliamentary debate on the FY2014 budget for the Ministry of the Interior & Kingdom Relations. My translation of Schouw’s words:

“Today I want to talk about political responsibility. We have the CTIVD, that oversees the legality of information collection by the AIVD and MIVD. A close look at their reports shows that the CTIVD regularly or even systematically withholds from making a statement about the general picture of legality of the activities of the AIVD and MIVD. The legality of the AIVD and MIVD activities concerning Article 27 [SIGINT selection, mk] cannot be established by the CTIVD, as we can read in CTIVD reports 19, 26, 28, 31 and 35. These span the years 2008 to 2013. In those five years, the CTIVD has not been able to assess the legality. I’d like to know what the successive Ministers of Internal Affairs have done about that. I mentioned the reports. The Minister should be able to find his way with that. What did the previous Ministers do? What has this Minister done? How does this relate to the statement of the Minister that both services comply with the law? Isn’t that very difficult if the CTIVD says it can not assess the legality?”

Original Dutch: “Ik wil het vandaag hebben over de politieke verantwoordelijkheid. Wij hebben de CTIVD, die de rechtmatigheid van de informatiewinning van de AIVD en MIVD controleert. Wie echter goed naar de verslagen kijkt, ziet dat de CTIVD zich regelmatig of zelfs stelselmatig onthoudt van een oordeel hierover. De rechtmatigheidstoepassing van de AIVD en de MIVD rondom artikel 27 is door de CTIVD niet vast te stellen, zo lezen wij in verschillende rapporten met de nummers 19, 26, 28, 31 en 35. Dat zijn de jaargangen 2008 tot en met 2013. In die vijf jaar heeft de CTIVD de rechtmatigheid niet kunnen vaststellen. Ik wil weleens van de minister weten wat achtereenvolgende ministers van Binnenlandse Zaken daaraan hebben gedaan. Ik heb de rapporten genoemd. De minister zal daarmee dus wel weg weten. Wat hebben zij daaraan gedaan? Wat heeft deze minister daaraan gedaan? Hoe verhoudt zich dit tot de opmerking van de minister dat beide diensten zich aan de wet houden? Dat kan toch heel moeilijk als de toezichthouder zegt dat hij de rechtmatigheid niet kan beoordelen?”

Let’s see how the Minister (Ronald Plasterk) will respond. A big Parliamentary debate on surveillance is scheduled for January 2014.

====== START OF ORIGINAL BLOGPOST FROM 2013-11-09 ======

In this previous post I explained the following about the Dutch Intelligence and Security Act 2002 (WIV2002):

• the WIV2002 is the legal framework for Dutch intelligence & security services;
• Article 25 regulates wiretapping powers, Article 27 regulates SIGINT powers;
• the use of either power requires explicit prior permission from the Dutch Minister of the Interior and Kingdom Relations (in case of the AIVD) and/or the Minister of Defense (in case of the MIVD);
• unlike wiretapping, SIGINT is legally restricted to non-cablebound communications (i.e., radio and satellite). SIGINT on cablebound communications is illegal.
• the WIV2002 is being reviewed by the Dessens Committee, and it is expected that one change they will propose is to extend the SIGINT power to cablebound communications. I don’t know what changes, if any, will be proposed concerning safeguards and oversight.

The Review Committee on the Intelligence and Security Services (CTIVD) was born in 2003 by means of Article 64. The CTIVD is tasked with oversight on legality of the operations of the Dutch intelligence & security services; providing solicited and unsolicited advice to the relevant Dutch Ministers about the CTIVD’s findings; handling complaints; and providing solicited and unsolicited advice regarding the Article 34 notification to former subjects of investigation.

The CTIVD has three members (including the chair person) who are appointed for a period of 6 years by royal Decree and nominated by the relevant Ministers. (Yes, it is the Ministers who nominate the persons that will perform oversight on their Ministries. This is not necessarily a problem, but worth noting.)

The CTIVD has published some 35 oversight reports so far. In 2009, the first oversight report specifically aimed at legality of the use of wiretapping and SIGINT powers was published (CTIVD Nr. 19). In 2010, the CTIVD decided that SIGINT and wiretapping would become topics of an annually recurring in-depth examination.

Based on the method of oversight and the contents of the oversight reports, I am convinced that the CTIVD is generally doing a good job. The CTIVD can and does access the highest level of classified information `Stg. ZEER GEHEIM’ (TOP SECRET), consult intelligence personnel, etc. The oversight reports on SIGINT and wiretapping are primarily based on the requests for permission sent by the AIVD/MIVD to the relevant Ministers.

Below are some observations from CTIVD oversight reports on SIGINT and wiretapping CTIVD Nr.19 (.pdf, in Dutch), CTIVD Nr.26 (.pdf, in Dutch), CTIVD Nr.28 (.pdf, in Dutch), CTIVD Nr.31 (.pdf, in Dutch) and CTIVD Nr.35 (.pdf, in Dutch).

WARNING: for full context, read the original documents. 

The general picture according to the CTIVD regarding the use of Article 25 (e.g. microphone, phone tap, internet tap; more specifically: wiretapping, receiving, recording and monitoring any kind of conversation, telecommunication or datawiretapping; where `telecommunication’ in Dutch law means any transmission, emission or reception of signals of any kind by means of cables, radio, by optical means or by other electromagnetic means):

• Nr.19 (2008-2009): AIVD operates carefully (Dutch: `zorgvuldig’ and `doordacht’);
• Nr.26 (2010-2011): AIVD operates carefully;
• Nr.28 (2011-2012): MIVD operates unlawfully in that it (also) intercepts `generic identities’
  • e.g. types of persons instead of identified persons. (Note that for MIVD, use of Article 25 mainly means interception of HF frequencies, e.g. by the Dutch National SIGINT Organization (NSO), which recently became a part of the new Joint SIGINT Cyber Unit, and military SIGINT detachments in Dutch military missions abroad.)
• Nr.31 (2011-2012): AIVD operates carefully;
  • the CTIVD noted that in one instance, the AIVD used two differently-classified motivations where used to get Art.25 permission for the same operation. One motivation was classified as `Stg. GEHEIM’ (SECRET), the other as `Stg. ZEER GEHEIM’ (TOP SECRET). The stated explanation involved practical difficulties of working with `Stg. ZEER GEHEIM’-classified information. The CTIVD strongly rejected this m.o.;
  • the CTIVD noted that the quarterly bundled requests-for-permission (Dutch: `driemaandelijkse verzamelbeschikkingen’) concern a large number of taps and microphones, and are insufficiently motivated. The Minister of the Interior and Kingdom Relations does not have departmental support in judging the requests.
• Nr.35 (2012-2013): AIVD operates carefully;
  • the CTIVD noted that again, in one instance, the AIVD used two differently-classified motivations where used to get Art.25 permission for the same operation. CTIVD rejected that.
  • the CTIVD noted that in one instance, the AIVD used the line of reasoning “necessity implies proportionality”. CTIVD rejected that.
  • the CTIVD noted that in five operations, the use of Article 25 powers was not proportional and therefore unlawful. (Although not specified in the report, I believe these involve some instances where Dutch journalists were wiretapped.)
  •  the CTIVD noted that in one instances, Article 25 powers were exercised based solely on a comment posted on the internet. The CTIVD stated that that is insufficient ground for the use of Article 25 powers. In addition, the wiretapping had already seized after one period (max. three months).

The general picture according to the CTIVD regarding the use of Article 27 (SIGINT selection; restricted to non-cablebound communications; unencrypted intercepted data can be retained for a period of one year; encrypted intercepted data can be retained indefinitely until the encryption has been undone, the unencrypted outcome can, again, be stored for a maximum of one year (Article 26, paragraph 10)):

• Nr.19 (2008-2009): legality unknown.
  • requests for permission are insufficiently motivated, withholding the CTIVD from making a statement about the general picture of legality.
  • the CTIVD noted that it is `not careful’ that it is not explained whom the numbers or technical characteristics belong to that are used to select SIGINT;
• Nr.26 (2010-2011): legality unknown.
  • requests for permission are insufficiently motivated, withholding the CTIVD from making a statement about the general picture of legality.
• Nr.28 (2011-2012): legality unknown.
  • requests for permission are insufficiently motivated, withholding the CTIVD from making a statement about the general picture of legality.
• Nr.31 (2011-2012): legality unknown.
  • requests for permission are insufficiently motivated, withholding the CTIVD from making a statement about the general picture of legality.
• Nr.35 (2012-2013): legality unknown.
  • the CTIVD noted that a single operation was examined in-depth, and unlawful activities were found related to lack of adequate motivation.
  • the CTIVD noted that the use of Article 27 is modest when compared to Article 25 powers.

To me it seems that the above warrants the conclusion that the Netherlands has a structural problem regarding the oversight on (and hence democratic control of) the use of Article 27 powers. Given the expectation that an (overdue) proposal for change of the WIV2002 will emerge that will extend SIGINT powers to cablebound communications, there’s some scrutiny to be done by the Dutch Members of Parliament.

Furthermore, from the 2011 report CTIVD Nr. 28 (concerning the MIVD, not the AIVD), I translate the following part (note: `searching’ is done to identify the radio/satellite channels to include in bulk data collection; then `selection’ can be done within the collected data, which requires Ministerial permission. under WIV2002, searching is only allowed if at least either the receiver or sender of communication is outside the Netherlands, i.e., the Dutch services are not permitted to search domestic-only communication):

“The CTIVD notes that the reason for and purpose of conducting a SIGINT search focused on SIGINT selection can vary. At least the following common practices can be distinguished:

1. The searching of the bulk of communication to determine whether it is possible to generate the desired data using the selection criteria for which permission has been granted;
2. The searching of the bulk of communication to identify targets;
3. The searching of the bulk of communication for data from which, in the context of an expected new area of investigation, future selection criteria can be derived. “

Original Dutch: “De Commissie constateert dat de aanleiding voor en het doel van het uitvoeren van een searchactiviteit gericht op selectie gelegen kunnen zijn in meerdere zaken. Zij onderscheidt in ieder geval de volgende gangbare praktijken:
1. Het searchen van de bulk aan communicatie om te bepalen of met de selectiecriteria waarvoor toestemming is verkregen de gewenste informatie kan worden gegenereerd
2. Het searchen van de bulk aan communicatie om potentiële ‘targets’ te identificeren of te duiden;
3. Het searchen van de bulk aan communicatie naar gegevens waaruit, in het kader van een verwacht nieuw onderzoeksgebied, toekomstige selectiecriteria kunnen worden afgeleid.” 

The CTIVD stated that (1) is permissible and that (2) and (3) are not permissible (hence: unlawful). Interestingly, CTIVD hinted at changing the law rather than changing the practice:

“The CTIVD leaves it to be considered whether, in accordance with privacy protection, it is necessary that wider powers be granted that better reflect this (desired) practice at the MIVD (and AIVD).”

Original Dutch: “De Commissie geeft in overweging te bezien of het, met inachtneming van de privacybescherming, noodzakelijk is dat aan de MIVD (en de AIVD) ruimere bevoegdheden worden toegekend die beter aansluiten op deze (gewenste) praktijk.”

While the CTIVD also stated the following:

“The CTIVD has noticed that not all individuals who are daily engaged in Sigint processing appropriately estimate the infringement associated with Sigint.”

Original Dutch: “Het is de commissie opgevallen dat niet alle personen die zich dagelijks bezighouden met de verwerking van Sigint de inbreuk van dit middel op waarde schatten.”

Lastly, I refer Dutch readers to Tot het lachen ons vergaat – Over de noodzaak van parlementaire aandacht voor inlichtingen- en veiligheidsdiensten (.pdf, 2013), an excellent piece by @ConstantHijzen who is a PhD student at Leiden University.
I welcome anyone with relevant insights or information to contact me.

Related:

• 2013-12-04: Outcome of official review of Dutch Intelligence & Security Act of 2002 (blog)
• 2013-11-27: EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection (.pdf, Nov 27)
• 2013-11-17: Reading notes on ethics of intelligence collection: the `Just Intelligence Principles’ (Ross Bellaby, 2012) (blog)
• 2013-11-14: Hoe doe je dat: een serieus debat voeren over inlichtingendiensten? (in Dutch; article in De Correspondent by @mauritsmartijn)
• 2013-10-25: SIGINT and wiretapping: the Dutch Intelligence and Security Act 2002 (blog)
• 2013-09-24: Project Symbolon completed: the Dutch Joint SIGINT Cyber Unit (JSCU) is born (blog)
• 2012-xx-xx: What’s the Harm? The Ethics of Intelligence Collection (academic paper, Ross Bellaby, 2012)
• 2002-xx-xx: Het onderscheppen van telecommunicatie door de inlichtingen- en veiligheidsdiensten (in Dutch, academic article by Anton Ekker, 2002)

Related in U.S. (let’s learn from what is happening there):

• 2013-11-22: N.S.A. Report Outlined Goals for More [SIGINT] Power (NY Times)
• 2013-11-19: Secret U.S. court approved wider NSA spying even after finding excesses (Reuters)
• 2013-11-18: Congress and Courts Weigh Restraints on N.S.A. Spying (NY Times)

EOF

UPDATE 2015-12-08: now, following the 11/13 Paris attacks, Belgian PM Charles Michel calls for a European CIA.

UPDATE 2015-03-30: unrelated but similar: on January 22nd 2015, Belgian MEP Guy Verhofstadt stated (in Dutch) in newspaper NRC Handelsblad that he believes that a European equivalent should be created of the CIA. Today, in response to questions, the Dutch Minister of Security & Justice states (in Dutch) the Dutch cabinet opposes this idea.

UPDATE 2015-02-09: the Draft Council Conclusions on Counter-Terrorism (.pdf, Feb 6) states: “Reinforcing, within the existing parameters, the role of EU INTCEN as the hub for strategic intelligence assessment at EU level, including on counter-terrorism”. I.e., no new mandate for EU intelligence centre.

UPDATE 2015-01-13: EU Observer reports that following the attack on Charlie Hebdo, the EU Commission stated it has no plan for an EU spy agency.

UPDATE 2014-01-13: Simon Davies on this matter: EU Justice Commissioner Reding wants an EU spy agency. Has she lost her mind or her morals?

According to this article on EUobserver.com the Vice President of the European Union, Viviane Reding, said:

“What we need is to strengthen Europe in this field, so we can level the playing field with our US partners. (…) I would therefore wish to use this occasion to negotiate an agreement on stronger secret service co-operation among the EU member states – so that we can speak with a strong common voice to the US. The NSA needs a counterweight. My long-term proposal would therefore be to set up a European Intelligence Service by 2020.”

According to an official cited in the article, setting up a European Intelligence Service would require a EU treaty change and would have to be dealt with after EU elections in 2014 (and thus exceeding Reding’s current appointment that expires in 2014).

Reding is also the EU Commissioner for Justice, Fundamental Rights and Citizenship, which also covers data protection. In that role, Reding visited the United States in October and called for strong data protection rules to restore trust. Although it might be possible that intelligence services and adequate privacy protection are not mutually exclusive, the Snowden revelations might be interpreted as indications a different reality today. Depending on one’s perspective, there is irony in Reding both calling for better data protection and suggesting that a new intelligence agency be set up.

As stated in the article at EUobserver, the EU currently has the EU IntCen (formerly SitCen), a branch of the EU foreign service where classified information on conflicts and terrorist threats are shared. In Secret Truth. The EU Joint Situation Centre (.pdf, in English, 2009), Jelle van Buuren concluded that:

“[SitCen] suffers from a profound lack of transparency – and therefore is not as accountable as could be expected in democratic societies.”

I’ve been told that the situation has not really improved since then, and that Van Buuren’s conclusions still apply. Some supporting evidence: the 16 July 2013 meeting report (.pdf) and the September 12th 2013 meeting report (.pdf) of the Terrorism Working Party refer to classified information, making it difficult for outsiders to judge the policy decisions — which some may interpret as a lack of transparency.

I don’t know whether Reding would propose to expand IntCen or to establish a new entity. Either way, considering that IntCen produces intelligence-based classified assessments, IntCen may be a reasonable indicator of what to expect. I therefore cite Van Buuren’s entire concluding remarks about SitCen (now IntCen):

“What do we know of the EU Joint Situation Centre? How does it operate? In other words: how transparent is the EU Joint Situation Centre? These were the central questions of this paper. The answer has to be that SitCen suffers from a profound lack of transparency – and therefore is not as accountable as could be expected in democratic societies. Documents available in the public domain make it possible to reconstruct the trajectories of SitCen, its tasks and its position within the EU counterterrorism field. It is however impossible to assess the substance of the work of SitCen and the influence SitCen has on the development of the EU as a security actor, the securitization of the EU and the constitution of threats and solutions. It is only through informal ways that it was possible to shed for the first time some light on the substance of the work of SitCen regarding its internal security dimension and remove partly the blanket of mystery SitCen is shrouded in. It seems obvious that further research on SitCen is needed, as it is an organization that has developed almost outside the political and public spotlights from an ‘empty shell’ into a crossroad of internal, external and military intelligence cooperation in the EU. SitCen is also an organisation that stands in the centre of the merger between horizontal and vertical networks of intelligence and security agencies; an ‘in-security field’ that is in transformation and the outcome of this transformation will subsequently determine partly the future of the EU as a security actor and the constitution of threats. ‘Secret truth’ of security and intelligence agencies is determining partly the European response to the terrorist threat and can have a great impact on citizens and the formation of the future political and social order of the EU. For instance, the European Council Strategy for combating Radicalisation and Recruitment to Terrorism (Council of the European Union 2005d) has according to De Goede (2008: 170-171) created ‘an extra- legal sphere of intervention’, where a wide array of functionaries, including teachers, prison workers and community workers, are authorized to intervene in people’s lives in the name of preventing radicalization. According to De Goede, the Council Strategy thus authorizes functionaries to decide on rights of travel and internet use, rights of worship and education, for an undefined group of citizens who may be thought prone to radicalization. ‘In this manner, the Strategy enables far-reaching practices of bio-political governing, which distinguishes some population groups for exceptional monitoring and treatment.’

Further research is needed to analyze the way intelligence influences European and national policy making. It will be a real challenge, in view of the level of transparency of SitCen, to research if and how the list of SitCen reports we have revealed, have been translated in political recommendations; if and how the transformation of the ‘in-security field’ is changing the relations, culture, power and influence of intelligence and security services, law enforcement agencies, customs and border agencies; if and how these European transformation is affecting the security relations ‘at home’; how the ‘uncertain and controversial’ discussions supported by SitCen assessments proceeded within Council structures, Commission structures and national structures and which positions were taken by the different member states; how SitCen assessments are structuring and directing the emerging European foreign and military policy; how the difference between the member states that are ‘insiders’ of SitCen and member states that are ‘outsiders’ influence the securitization of the European Union; how the emergence of SitCen is influencing the position of other security actors in the EU like Europol; and if and how the essentially contested and precarious relationship between the political/executive level and the intelligence community is being shaped by the emergence of SitCen. Hopefully this paper can contribute a little to the realisation of this research agenda.”

Related:

• 2014-01-13: EU Justice Commissioner Reding wants an EU spy agency. Has she lost her mind or her morals? (blog by Simon Davies)
• 2014-01-10: Dutch govt response to Parliamentary questions about EU IntCen (this blog)
  2013-11-xx: A European Transgovernmental Intelligence Network and the Role of EU IntCen (.pdf, academic paper by Mai’a K. Davis Cross, 2013)
• 2013-11-xx: PRISM and privacy: will this change everything? ($, editorial in journal of Int’l Data Privacy Law (2013) Vol.3 Issue 4)
• 2013-10-25: SIGINT and wiretapping: the Dutch Intelligence and Security Act 2002 (blog)
  
• 2013-08-xx: Security, privacy and surveillance in European policy documents (.pdf, academic paper by David Barnard-Wills in journal of Int’l Data Privacy Law (2013) Vol.3 Issue 3)
• 2007-06-08: Accountability of Intelligence & Security Agencies and Human Rights (.pdf, conference proceedings by Radboud University & Dutch Review Committee on the Intelligence and Security Services).

EOF.

UPDATE 2013-11-27: here (.pdf, Nov 27) is the EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection — i.e., the EU-US expert group established in response to the revelations about NSA-related activities on European territory that is referred to in the post below.
 
UPDATE 2013-11-02: note that the below concerns the NSA program “BOUNDLESSINFORMANT” — that’s where the “1.8M” number comes from. See details at Cryptome and Wikipedia. 

UPDATE 2013-11-01: according to this Parliamentary Paper (.pdf, in Dutch) of October 31st, the (unclassified) letter that the Dutch Minister received from the NSA contains the following (original) English text:

Hence, as was already clear to the informed observer, the data collected by the NSA concerns metadata, not audio signals. If the NSA got that data without consulting AIVD/MIVD, that is illegal in the Netherlands — as stated by the Minister himself. Nu.nl reports (in Dutch) that the Dutch Public Prosecution Service is currently not investigating this matter.

UPDATE 2013-10-30+31: in the Dutch TV news program `Nieuwsuur Politiek’, the Dutch Minister of the Interior and Kingdom Relations, Ronald Plasterk, stated that the 1.8M telephone calls’ metadata were not collected by the Dutch govt or shared by Dutch govt with NSA. Plasterk stated that he received a written statement from the NSA confirming that the NSA collected such metadata in December 2012. The letter does not mention the reported number of “1.8M”. The question then is whether or not the data was collected with permission of the Dutch govt: an article from October 30th in El Mundo suggests (in Spanish), based on Snowden documents, that the Netherlands is one of 19 countries that have a ‘specific cooperation’ with the NSA, and that the NSA collected telecommunications (voice and internet data) in the Netherlands.

====== START OF ORIGINAL BLOGPOST FROM 2013-10-28 ======
On October 28th 2013, the Dutch cabinet 1) responded (.pdf, in Dutch) to the media report that the NSA intercepted 1.8M telephone calls in the Netherlands, and 2) responded (.pdf, in Dutch) to Parliamentary questions concerning that topic. Below is my English translation of both documents. Hyperlinks are mine.

WARNING: this is an unofficial translation.

Date: October 28th 2013 Subject: Response to the report “NSA intercepted about 1.8 million calls in one month in the Netherlands”.
Motivation
On October 21st, a report was published on the website Tweakers on the eavesdropping of Dutch citizens by the U.S. National Security Agency (NSA). The report is based on an article in the French newspaper Le Monde of October 21st. The report in Le Monde provides further interpretation of a graph that was published on August 5th by the German weekly Der Spiegel. On October 22nd, the Parliament asked me to respond to this (Parliamentary Papers 2013Z20253/2013D41837). I hereby inform you on behalf of the Minister of Security and Justice, the Minister of Foreign Affairs and the Minister of Defense.

Media reports
From the media reports it would appear that the U.S. services store telephone traffic for further analysis. This concerns, for instance, data on who is calling, when, for how long, and from what location. After this additional analysis, the NSA could choose to inspect the content of the communication, in accordance with U.S. law. Given the U.S. law, including the Foreign Intelligence Surveillance Act (FISA), the cabinet is aware of the possibility that the U.S. can intercept telephone communications. Using the analysis of metadata, networks of people and organizations can be identified, and the intensity of the contacts can be estimated.

Position of the Dutch cabinet
The cabinet considers the interception of metadata and the analysis thereof by itself in general an acceptable method for investigation of terrorists, other threats to national security or for military operations (see art. 26 and 27 of the Dutch Intelligence and Security Act 2002). The interception of telephone traffic and the wiretapping of email communications in the Netherlands by intelligence and security services can only be carried out within the legal framework provided by the Dutch Intelligence and Security Act 2002 (WIV 2002), and only by order of the relevant ministers. Any other form is not acceptable. It is possible that other countries believe there is good reasons to gather intelligence in or from the Netherlands. In that case, the country involved must address a request to the AIVD or MIVD. That request will then be examined within the WIV 2002. The cabinet considers any action outside that legal framework unacceptable.

The two services therefore carry out structural investigation of espionage by foreign powers in the Netherlands. If such espionage is detected, measures are always taken. This applies even if allies carry out unwanted spying activities in the Netherlands. In the Netherlands, the Dutch law applies, also to allies.

Action by Dutch cabinet
Following the revelations of Mr. Snowden I spoke with the director of the NSA on a bilateral solution, as reported in the general meeting of October 16th. Further consultations are taking place between the Dutch intelligence and security services and the NSA. The Netherlands assesses the initiative of Germany and France as positive, will contact both countries, and will actively contribute where possible. The Minister of Foreign Affairs has previously expressed the Dutch concerns during his visit to Washington to his Dutch colleague Kerry, and called for more transparency. The Minister of Security and Justice, as coordinating minister for cyber security, submitted the new government-wide National Cyber Security Strategy [.pdf, in Dutch] to the Parliament. This includes extensive attention to measures for increasing the overall resilience in the digital domain. Moreover, the State Secretary of Security and Justice and I are also actively involved in the negotiations on the new EU legislation on the protection of privacy.

Actions of Parliament and the EU
At the request of the Parliament, the Review Committee on the Intelligence and Security Services (CTIVD) is investigating the data processing by the AIVD and the MIVD concerning telecommunications. The report is expected this fall and will be sent to the Parliament as soon as possible with a cabinet response. At the EU level, an EU/US expert group started with the aim of getting insight in each other’s programs and how they are anchored in the rule of law. The cabinet supports the activities of this expert group. The report of the expert group is expected this fall. The European Parliament is also holding hearings, following the revelations by Mr. Snowden. The report on these hearings is also expected this fall. International cooperation The CTIVD supervises the legality of the activities of the services, including the cooperation with foreign intelligence and security services, and on that account has access to all information at the AIVD and MIVD. The CTIVD reports to Parliament through the responsible minister.

The Minister of the Interior and Kingdom Relations,

Dr. R.H.A. Plasterk

And here are the Parliamentary questions and answers:

Questions from members Verhoeven and Schouw (both D66) to the Ministers of Economic Affairs and the Interior and Kingdom Relations concerning the signals that the U.S. NSA is also eavesdropping leaders in the corporate sector (submitted October 25th, 2013) 1. Have you taken note of the report “Snowden leaks: France summons U.S. envoy over NSA surveillance claims”? [1]
Yes.

2. Can you elaborate on the suggestion that not only potential terrorists are wiretapped, but also leaders in the corporate sector, and also respond to reports concerning the Brazilian Petrobras company?
The cabinet considers the interception of metadata and the analysis thereof by itself in general an acceptable method for investigation of terrorists, other threats to national security or for military operations (see art. 26 and 27 of the Dutch Intelligence and Security Act 2002). The interception of telephone traffic and the wiretapping of email communications in the Netherlands by intelligence and security services can only be carried out within the legal framework provided by the Dutch Intelligence and Security Act 2002 (WIV 2002), and only by order of the relevant ministers. Any other form is not acceptable.

3 Can you rule out that the U.S. security services are spying on Dutch companies for economic purposes?
4 How many examples of such corporate espionage are known to you, which sectors are involved, and what do you intend to do?
The AIVD investigates of espionage by foreign powers for the national security. No public statements can be made about the methods and information position of the AIVD, including examples of corporate espionage.

5. What are the risks to Dutch companies and Dutch citizens due to spying for economic purposes?
The AIVD has repeatedly highlighted the risks for espionage, including in the Annual Report 2012 [.pdf, in English] (Parliamentary Papers, 30977 No. 52). The [third] Cyber ​​Security Assessment Netherlands [.pdf, in English] (Parliamentary Papers, 26643 No. 285), which is established under coordination by the Minister of Security and Justice, appoints digital espionage as one of the greatest threats to government and industry. Moreover, the vulnerability of ICT remains high.

6 To what extent does industrial espionage remain a priority for the AIVD? The AIVD investigates espionage by foreign powers for national security. Moreover, the AIVD supports the vital sectors in improving security. You have been informed about this, including through the Annual Report 2012. Investigations into corporate espionage outside the context of national security is not a task of the AIVD, this is a matter for the companies themselves (supported by the AIVD via the Espionage Vulnerability Analysis [.pdf, in Dutch] and advice).

7 Are you willing to send an explicit signal to the U.S. that corporate espionage does not fit into a relationship between friendly countries?
Yes, see the activities described in my letter of October 28th, 2013.

8 Are you prepared to answer these questions before Monday October 28th 12:00?

[1] http://www.theguardian.com/world/2013/oct/21/snowden-leaks-france-us-envoy-nsa- surveillance
[2] http://www.theguardian.com/world/2013/sep/09/nsa-spying-brazil-oil-petrobras

Related:

• 2013-11-27: EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection (.pdf, Nov 27)
• 2013-10-26: UN Draft on Privacy
• 2013-10-25: SIGINT and wiretapping: the Dutch Intelligence and Security Act 2002
• 2013-10-18: Dutch govt response to Parliamentary questions concerning U.S. spying / AMS-IX expansion to U.S. 
• 2013-10-11: Dutch govt response to Parliamentary questions about NSA wiretapping international phone traffic
• 2013-09-14: Dutch govt response to revelations by Edward Snowden

EOF