(This is an addendum to a lengthy post on the new Dutch intelligence bill.)

In December 2014, the Dutch Review Committee on the Intelligence & Security Services (CTIVD), the independent expert committee that oversees lawfulness of Dutch intelligence practices, decided to publish statistics on the use of specific interception and on the use of the power to select from bulk-intercepted ether communication — but got censored by the Minister. While the CTIVD operates independently (it has its own million-euro budget, has full access to information, buildings and personnel, and can decide for itself what it wants to review), its reports are published via the Minister. The CTIVD can make recommendations, but those recommendations are not legally binding.

Other countries do publish some form of statistics, including Belgium (the Belgian ‘Standing Committee I’ publishes very detailed annual statistics for both VSSE and ADIV — see here), Germany, and the UK (the UK Interception of Communications Commissioner publishes aggregate statistics on interception warrants issued to MI5+MI6+GCHQ+MoD).

The CTIVD was, and still is, not amused about the Minister’s decision to censor. In June 2015, the CTIVD in its annual report upheld its opinion that statistics about the use of special intelligence powers should be openly published — notwithstanding the fact that in October 2014, in a court case brought forward by Dutch investigatory journalists, a Dutch court ruled in favor of the governments arguments to keep interception statistics secret. Here is what the CTIVD says about this on page 32 of its annual report (original translation):

The transparency pursued by the Committee in the review year was not achieved without a struggle. Publication of its findings was often preceded by discussions with the intelligence and security services and the responsible ministers, respectively. At these meetings the parties frequently achieved a satisfactory balance, but not always. Under current law the minister concerned has final say by virtue of his responsibility for national security.

In the review year, for instance, the Committee wanted to publish with respect to how many persons and organisations GISS [=AIVD] had exercised the power to intercept, in order to give society some understanding of the scale of these privacy-infringing activities. The minister of the Interior and Kingdom Relations, however, blacked out these figures in the Committee’s review report and thus made them illegible. The minister held that these figures provided insight into the current method used by GISS and must therefore be classified state secret. The Committee did not and still does not agree. The figures give an idea of the scale at which these special powers were exercised, while the outside world cannot deduce from them against which (categories of) persons and organisations the power was actually exercised. Moreover, publishing figures happens in neighbouring countries on an annual basis.

Another point of debate is how much can be disclosed to persons who complain about conduct of GISS or DISS [=MIVD]. Situations are conceivable (and have occurred) in individual cases where the interest of public accountability and awareness must take precedence over the regular policy of secrecy. The Committee discussed this above in §4.3.

An overstrong culture of secrecy not only creates scope for unacceptable practices, it may also give rise to myths and misunderstandings. As Snowden’s revelations have shown, this may eventually come to work against the intelligence and security services themselves. The Committee will continue its efforts to achieve a good balance between openness and secrecy.

In other words, it is imperative that the public debate on the new intelligence bill (details here) addresses statistics transparency as well. As far as I’m concerned, the new Dutch law should by law require statistical reports — ideally following the Belgian example. In Belgium, the oversight committee has the legal task to report statistics of special powers, but still has the legal possibility to withhold data if necessary to protect national security. The latter does however not seem to ever occur: the committee annually publishes detailed statistics. (Note: unlike the Dutch oversight committee, the Belgian oversight committee is also tasked with overseeing efficacy; I don’t know whether that may be a relevant factor here.)

The CTIVD also indicates how it intends to contribute to the public consultation of the new intelligence bill, and suggests topics for debate:

During the internet consultation process the Committee will contribute its comments on the concrete legislative texts and explanatory notes. In preparation for these comments and having regard to all the aforementioned publications and international developments in the field of intelligence and security services and their oversight, the Committee raises the following questions and issues.

1. Is the house now sufficiently in order?

In the course of its investigations the CTIVD has noticed that GISS and DISS are very much aware of the importance of privacy protection. In this sense the house is reasonably in order. There has been no systematic collection of data in disregard of the law. Nevertheless, the quality of the substantiation of the need to exercise special powers and of the reporting on such exercise is a recurring cause for concern. In fact, under the current ISS Act 2002 [=Wiv2002, the present law] the services have not yet been able to establish a procedure that ensures their consistent compliance with the statutory safeguards when selecting from untargeted interception (sigint). The Committee therefore wonders how the government thinks the services can achieve such compliance in the case of their having new and wider powers.

2. To what extent is increasing the interception powers effective and necessary?

The Committee considers it a shortcoming that up to the present there has been almost no debate on the necessity of increasing the powers of the services. The main focus of the debate is placed too readily on the lawfulness of the acts of the services and less on the efficiency or effectiveness of the interception powers. The discussion may thus never go beyond the finding that nowadays 90 percent of communications goes via the cable and that therefore the ‘traditional’ power of untargeted interception of satellite communications (the remaining ten percent) is no longer enough. But can this finding alone and by itself carry the conclusion that the powers of the services must be increased? Is it not necessary, before one can come to this conclusion, to have a picture of the effectiveness and/or the lack thereof of the existing powers? On the international level, too, this is a question which continues to be a matter of concern, without however eliciting any definite answers. The starting point should be that it must first be convincingly demonstrated that new powers are necessary because the present powers are insufficient before considering an increase of the statutory powers. The test of effectiveness also finds support in the test of legitimacy which article 8 of the European Convention on Human Rights prescribes for reasons of privacy protection. This test must not only assess the damage to national security that will be prevented, but also the harm that the powers of interception will cause to individual persons.

3. How can the privacy of innocent citizens be protected as much as possible?

The government wishes to increase the powers of untargeted interception. This means that the services will on a larger scale intercept communications of persons who are not targets of the intelligence and security services. This calls for additional obligations and safeguards. In spite of being untargeted, the interception should be ‘targeted’ as much as is possible. The data should be filtered right from the first phase of interception. The separation of relevant and non-relevant communications should be made as soon as possible after interception. Storage periods of non-relevant communications must be short and must be specifically laid down by law. Destruction of such communications should mean that the data is really and definitely destroyed. And access and use of the intercepted data must be made subject to conditions and restricted by both organisational and technical means.

4. What are the minimum requirements that must apply to the oversight of the (increased) powers of interception?

The Dessens evaluation committee makes the increase of powers conditional on reinforced oversight. It recommends in particular that the Committee’s findings of lawfulness or unlawfulness must be given binding force. The government is explicitly not following this recommendation. Notably, it puts its faith in broadening the scope of the current requirements that the ministers responsible for the performance of their tasks by the services must themselves grant permission for interception, and not in strengthening independent assessment of applications. The position and powers of the Committee are strengthened only in the field of complaints handling. International judgments appear to indicate, however, that this does not suffice to meet human rights standards in the area of privacy protection. In order to settle the issue the Committee has commissioned Leiden University to conduct a scientific study of the minimum requirements set by international law on oversight in this field. The results of the study will be published on the Committee’s website in May 2015.

EOF

TSCM expert James M. Atkinson (more) made a large TSCM repository available via a restricted directory. To obtain access, US citizenship and a static IPv6 address are required. He announced his initiative via the following message posted to the TSCM-L mailinglist:

Many of you know that I am a pretty heavily published computer programmer, and that i am skilled in C, C++, Objective C, assembler, and embedded controllers, and programs to control devices, with a special emphasis on software that is use to control TSCM gear, and which studies the noise floor and then which detects and catalogs anything that is not noise. I have also written a great deal of software to break ciphers and codes, and published some fairly secure mechanisms of encryption that subverts even the most aggressive of eavesdropping by government funded entities.

For these who are interested, I have uploaded several tens of thousands of pages of documents in PDF format to the restricted directory on my website (www.tscm.com). The directory also contains hundreds of thousands of lines of SOURCE code for computer programs that are of value in the performance of TSCM, such as programs that you can load directly on your spectrum analyzer and have it crunch through the spectrum, and controllers I have written for all kinds of Watkins-Johnson and Ma-com gear over the decades.

There is also a large flood of ITC student texts, and texts form the National Crypto school which were acquired through a FOIA request. A huge library of .gov TSCM reports spanning decades.

In order for you to access the directory I have to issue you a user name and a password, and this user and passwords are solely for your use, on your account. Do not share that user name or the passwords as the account will automatically lock when it detects multiple people using the same account. I also need a static IPV6 address for you (if you are a TSCM person, I do not need to explain what this is) as the account is locked to your device IPV6 address.

Due to the nature of the material in this directory I will only issue User Name/Password data to a U.S. Citizen only, and the only way do to this is to present an unexpired U.S. Passport that lists you as a U.S. Citizen. Also, you have to agree in writing to not disclose the data to any other person unless the person presents to you proof that they in turn are a U.S. Citizen and the only mechanism is by them presenting an unexpired U.S. Passport to you. No un-expired U.S. passport, means zero access. Additionally, you can not have access to the directory (I will not issue a user name or password) to any person who is a convicted felon, or who has been dishonorably discharged from the U.S. Military. I also will not issue user names or passwords to any person who I have good reason to believe will disclose the information in the directory to people who can not lawfully have access to this materials. I also will not provide access to well know con artists who have a proven track record of theft of intellectual property and claiming as their own. You also actually have to be someone who actually performs big sweeps, and not merely a fringe player, or someone with spy-shop grade gear.

The first step is the passport, no passport, no access, period. Prove that you are a U.S. Citizen first in order to obtain consideration for access, then prove you are not a convicted felon or that you have been dishonorably discharged. Then ensure that your device has a IPv6 address that can be routed through your ISP.

The directory currently holds over 285,000 printed pages.

Please remember that all of the source code is of my own creation, and that I hold full copyright on it, so if you need to use it for a project you are developing, then we will need to work out suitable usage/licensing arrangements. You will notice that the software spans form 1981 to the current date, and that I am sharing the actual source code for the iPhone encryption program I developed two years ago to place a massively powerful encryption system that is fairly bullet proof into iOS.

Each user will be bandwidth restricted to 1 TB, per month in order to moderate traffic to a reasonable level.

EOF

UPDATE 2015-11-28: further updates moved to the bottom.

UPDATE 2015-07-09: addendum: Dutch intel oversight committee (still) seeks to publish statistics on use of special powers, suggests topics for debate on the new bill.

On July 2nd 2015, the Dutch government released (in Dutch) for public consultation the long-awaited bill (.pdf, in Dutch) + explanatory Memorandum of Understanding (MoU) (.pdf, in Dutch) that overhauls the Dutch Intelligence & Security Act of 2002 (aka “Wiv2002”). The bill is a complete rewrite of the current law (.pdf, in English), and includes expansions of power, as well as improvements to oversight, and new provisions for activities that the current law didn’t foresee (e.g. metadata analysis, small-scale use of DNA). Public consultation closes on September 1st 2015.

The post below covers, among others, the parts of the bill related to hacking and non-specific (‘bulk’) interception. First, some background.

The Wiv2002 covers both the General Intelligence & Security Service (AIVD) and the Military Intelligence & Security Service (MIVD). The cyber & sigint tasks are carried out by the Joint Sigint Cyber Unit (JSCU) that launched in June 2014. The JSCU is tasked with the collection of data from technical sources, making it accessible and searchable, perform analysis (correlation, data mining), and delivering sigint and cyber capability in support of the intelligence requirements of the AIVD and MIVD (possibly on-site in military mission areas). The JSCU will have some 350 employees. The Dutch Ministry of Defense established a Defense Cyber Command (DCC), which is affected by this bill to the extent that the DCC has relations with the MIVD or JSCU as part of its (military) tasking and operations. Roughly put, the DCC is the Dutch equivalent to USCYBERCOM, and the JSCU is the Dutch equivalent to the NSA.

Some background on the overall new interception framework — which is now divided in the phases collection, (pre)processing and analysis — is available here (note: that post was written on the basis of preliminary documents released by the government prior to release of the bill).

The approval requests that the services must send to the Minister prior to the use of most special powers are a primary source of information for legal oversight by the Dutch Review Committee on the Intelligence & Security Services (CTIVD). The CTIVD is an independent expert committee (not a court) that carries out its task on an ex post basis. For certain uses of special powers, the bill requires that the CTIVD be immediately informed by the intelligence service, and the CTIVD will then carry out an ad hoc review. If the CTIVD finds the approved practice to be illegal, the CTIVD can require the Minister to reconsider his/her decision; and then, if still necessary, inform the parliamentary standing committee on the intelligence services. The CTIVD has unrestricted access to information up to the highest classification (Dutch: “Stg. Zeer Geheim”, comparable to NATO Cosmic Top Secret), as well as to the AIVD’s building and employees. Regarding interception and hacking, neither the current law nor the bill include ex ante oversight or involvement of a court.

The non-specific interception power includes mandatory cooperation from (to be selected categories of) “providers of communication services” — a term that is defined in a way that includes not only providers of public electronic communications networks and services, but also providers of closed networks, and includes telcos, access providers, hosting providers and website operators. The use of this power requires approval from the Minister, and requires specification of the investigation (which can be long-running; think of non-proliferation and terrorism), the purpose of interception — “purpose-orientation” (Dutch: “doelgerichtheid”) is introduced as a new requirement that intends to limit bulk interception to what is relevant to a “purpose” that must be specified ‘as specific as possible’; a general indication does not suffice —, the type of telecommunications (e.g. GSM, radio, satellite, internet; optionally including geographic boundaries), optionally the types of traffic that are relevant (e.g. voice, chat, file transfer), and in the case of cable networks, the cable infrastructure that is targeted. In other words, no blanket authorizations for non-specific interception will exist, although blanket-like authorizations may, depending on how broad a “purpose”, in the context of a specified investigation, is allowed to be in practice; the requirement “as specific as possible”, mentioned in the MoU, leaves room for interpretation.

Specific interception, i.e., interception that only targets a specific individual, organization or technical characteristic (phone number, IP address, etc.), is omitted from this post, as that part of the law is not notably changed. The hacking power is included because it includes a new paragraph aimed at reconnaissance of computer networks (e.g. mapping computers and networks, running port scans, inquiring software/hardware configurations, etc.; think of GCHQ’s HACIENDA).

Now, moving on to selected texts from the bill and the MoU.

WARNING: the below contains unofficial translations. Feel free to contact me if you have questions.

The hacking power is pretty much unchanged, except that a specific provision is introduced for reconnaissance (Art. 30-1-a):

Article 30

1. The services are authorized to:
   1. explore the technical characteristics of automated works that are connected to a communications network;
   2. whether or not using technical interference, false signals, false keys, false identity or through intervention of the automated work of a third party, access an automated work;
2. The power meant in the first paragraph, under b, includes the power to:
   1. break any security;
   2. make technical provisions to undo the encryption of data stored or processed in the automated work;
   3. make technical provisions in relation to exercising the power meant in Article 25, first paragraph [=observation of persons], and Article 32, first paragraph [=specific interception];
   4. take over the data stored or processed in the automated work.

[…]

The MoU mentions that the power meant in the first paragraph, under a, will be used “semi-continuously” in order to detect relevant changes and keep an up-to-date picture of parts of digital infrastructure relevant to specific investigations. The MoU explains that the hacking power also includes the possibility of hacking a third-party system if a target’s own system cannot be directly broken into (as seen in Art.30-1-b):

The technical reality shows that targets are generally security-aware, but that operational opportunities for using weaknesses in technical peripheral users, such as co-tenants of a certain server, which can lead to successful breaking into the automated work of the target.

(Side note: to non-targets, some reassurance might be found in the following remarks in CTIVD oversight report 19 (.pdf, 2009) considering the interception of communication of non-targets, assuming its findings still apply today:

The AIVD can exercise a special power against a person in the (immediate) environment of the target, in order the obtain information about the target via this person (the non-target). The Committee considers this to be an extremely heavy means and finds that the AIVD must be very reluctant with its use. This means in not applied in large numbers and in nearly all cases in which the means is applied, the Committee finds that it is necessary as result of a threat to national security, because other means do provide insufficient insight into the target.)

The bill then introduces the term “provider of a communication service”, derived from the term “service provider” introduced in the Budapest Convention on Cybercrime (2001) (note: possibly, the official English translation of the Dutch law will mention “service provider”; I translated the text as literal as possible):

Article 31

In this paragraph and the provisions based thereon, the following definitions apply:

1. provider of a communication service: the natural or legal person who, in carrying out their profession or business, offers users of the service the possibility to communicate via an automated work, or who processes or stores data for the purpose of such a service, or for a user of that service;
2. user: the natural or legal person who has a contract with the provider of a communication service concerning the use of that service or who actually uses such a service.

[…]

From the MoU it is clear that “provider of communication service” at least includes providers of public telecommunication services and networks (public telcos and internet access providers) and providers of closed services and networks, as well as hosting providers (e.g. cloud) and website operators. The paragraphs cited below will apply to a “limited number” of such entities, in categories that will be determined by governmental decree.

(Side note: the term “automated work” is linked to the Dutch computer crime legislation. The Dutch government is preparing another bill that will grant police hacking powers. That bill won’t be released until after the parliamentary summer break, which ends on August 31st 2015. Some details available here.)

The intelligence services are granted the power of non-specific interception of “any form of telecommunications or data transfer via an automated work” (cable, ether, whatever; regardless of its source & destination, thus including domestic communication):

Article 33

1. The services are authorized to, using a technical aid, wiretap, receive, record and listen to any form of telecommunications or data transfer via an automated work regardless of location in other cases than meant in Article 32 [= the specific interception power], if what has been required or provisioned by law is complied with. The power, meant in the previous sentence, includes the authority to undo encryption of telecommunications or data, as well as technical analysis of the data, insofar this is aimed at optimizing the use of the power meant in the previous sentence.

[…]

Article 34 provides the power to carry out sigint search/exploration on bulk-intercepted data (e.g. DPI, analyzing traffic flows, anomaly & signature based intrusion detection, etc.):

Article 34

1. The services are authorized to carry out research using the data collected on the basis of the power meant in Article 33, for the purpose of:
   
   1. determining the characteristics and nature of the telecommunication;
      
   2. determining the identity of the person or organization related to the telecommunication.
2. The services are furthermore, in the context of exercising the power meant in Article 35, second paragraph, authorized to carry our research on the basis of data collected on the basis on Article 33, for the purpose of:
   
   1. determining and verifying selection criteria related to persons and organizations or keywords related to topics of investigations;
      
   2. identifying persons or organizations, who in the context of ongoing investigations are eligible for being investigated by the service.

[…]

Note that the current sigint search power (Article 26 Wiv2002) is limited to communication that has a foreign source and/or destination. The above article in the bill no longer contains that restriction, thus enabling sigint search on domestic communications as well.

Providers of communication services can be required to hand over data that is needed to exercise the non-specific interception power (exercise of this power does not require separate approval from the Minister):

Article 36

1. The services are authorized to request a provider of a communication service to provide data, which are necessary to exercise the power meant in Article 33, first paragraph. The categories of data, to which the request mention in the previous sentence can apply, will be determined by governmental decree.

[…]

4. The provider of a communication service is required to comply with a request as meant in the first sentence of the first paragraph.

[…]

The MoU sheds a dim light on what data is meant in Article 36-1 (p.79):

[…] This involves acquiring information that can help map the communications landscape, which is necessary to, at some point in time, exercise the interception power meant in Article 33.[…]

[…] This involves, among others, the technical data of for instance the telecommunications network exploited by the provider, and the equipment used etc., which are necessary to — in consultation with the provider — determine what technical provisions that need to be made to carry out the authorized interception. […]

Footnote 63 of the MoU sheds slightly more light on this, and refers to the newly introduced requirement that interception must be purpose-oriented:

63: In order to intercept in a purpose-oriented manner, it must be made clear where, what type of communication is processed c.q. transported. This involves for instance information concerning business customers/tenants and data commonly known as part of daily operations of providers of communication services about the services offered, characteristics of traffic flows, and communication channels.

The data meant in Article 36 hence include data about the physical and/or logical layout of infrastructure, routing, signal properties, etc.

Providers of communication services must, at the request of the intelligence services as approved by the Minister, cooperate in enabling the intelligence services to exercise their non-specific interception powers, in that the providers must provide access to their systems/networks:

Article 37

1. The services are authorized to request a provider of a communication service to cooperate in exercising the authorized interception as meant in Article 33, second paragraph.

[…]

5. The provider of a communication service that is not already required to cooperate based on Article 13.2 of the Telecommunications Act, is required to comply with a request as meant in the first paragraph. The services are authorized to contact a provider of a communication service to request cooperation in the exercise of an authorized request as meant in Article 33, second paragraph.
6. The provider must maintain, for twelve months, the technical provisions made as part of the requested cooperation as authorized per the second paragraph [= Ministerial authorization].

[…]

Per Article 132, not complying with an order is punishable as felony (if intent can be proven) or misdemeanor (if intent can not be proven). Page 202 of the MoU indicates that use of Article 37 will initially be limited to “several physical access points” (at telcos and/or internet exchanges):

(…) Partially to gain experience, on the basis of which more specific next steps can be taken, the interception will be limited to several physical access points in the first years after the law is enacted.

Raw bulk intercepts can now remain available for selection (by persons, organizations, technical characteristics and topic for keyword-based searches) three years instead of one year, as is presently the case. This increase is due to problems the services experience concerning (long-running) investigations into non-proliferation. Article 49 allows the services to share raw bulk intercepts — metadata and contents — with foreign intelligence & security services, under certain conditions, and only if approved by the Minister.

Providers of communication services can also be required, after approval from the Minister, to hand over users’ (stored) telecommunications contents (Art. 38; e.g. this is not a bulk power, telecommunications data can only be requested for a specified person, number, account, etc., such as the mailbox(es) of specified webmail users):

Article 38

1. The services are authorized to contact a provider of a communication service to request data concerning the telecommunication of a user that has been stored by the provider as part of the communication service offered. The categories of data, to which the request mention in the previous sentence can apply, will be determined by governmental decree.

[…]

4. The provider of a communication service is required to comply with a request as meant in the first sentence of the first paragraph.

[…]

Furthermore, the intelligence services are authorized, under certain conditions and after approval from their Minister (Art.30-6 and Art.41-2), compel anyone (Dutch: “een ieder”) — also including organizations — to help decrypt data in an automated work (Art.30-5 to 30-8) or help decrypt conversations, telecommunications or data transfer (Art.41-1), e.g. by handing over keys or providing decrypted data. (A similar provision is present in the current law.) Another legal option to defeat encryption is the use of the hacking power (Art.30, see below), which requires after approval from the Minister; and yet another legal option is the use of agents (who can be tasked with interception or hacking) or informants (e.g. a sysop who, as part of daily work, has access to cryptographic keys). Again, per Article 132, not complying with such an order is punishable as felony or misdemeanor.

New provisions are present concerning “automated data analysis” — think of metadata analysis based on non-specific intercepts:

Article 35

1. The services are authorized to:
   1. select the data that have been collected through the use of the power meant in Article 33.
   2. apply automated data analysis as meant in Article 47 concerning data collected using Article 33 that concerns data other than the content of that telecommunication.

[…]

Article 47

1. The services are authorized to apply automated data analysis concerning:
   1. data from the services’ own automated databases,
   2. data from information sources accessible to anyone,
   3. data from automated databases to which the services have direct automated access, and
   4. data from databases provided by third parties.
2. For the purpose of processing the data meant in the first paragraph the data can at least:
   1. be compared in an automated way, or be compared in combination with each other;
   2. be searched on the basis of profiles;
   3. be compared for the purpose of tracing certain patterns.

[…]

In Article 47-2 the words “can at least” mean that the list (a, b, c) in Article 47-2 is not exhaustive. Concerning the profiling ex Art.47-2-b, the MoD states that hits found during automated profile matching must first be analyzed by a human before measures can be taken against the person(s) that match a profile.  The “data from databases provided by third parties” (Art. 47-1-d) refers to databases that are provided voluntarily ex Article 22; there is no power to compel third parties (e.g. the private sector) to provide data(bases) in the way that US intelligence services can under FISA Section 215 on the basis of the “tangible things”-provision.

Lastly, Article 28 introduces provisions for the processing and storing of DNA by the intelligence services. This follows recommendations made in an oversight report concerning the lawfulness of the services’ (small-scale) use of DNA; some details available here.

The bill still restricts the use of the interception (non-specific and specific) and hacking powers to specific legal tasks, but a new task has been added for both the AIVD (‘g-task’) and MIVD (‘h-task’) concerning security screening of agents and informants (but excluding security screenings as meant in the Security Screenings Act (Dutch: “Wet veiligheidsonderzoeken”, or “Wvo”), e.g., the screening of candidate-employees of the intelligence services, defense industry, etc.). Interception is currently not permitted in that context. For the AIVD, use of special powers remains restricted to their security task (‘a-task’; think of national security) and their foreign intelligence task (‘d-task’; think of non-proliferation). For the MIVD, use of special powers remains restricted to their task concerning enemy forces (‘a-task’), their task concerning the Dutch armed forces  (‘c-task’) and their military foreign intelligence task (‘e-task’). According to oversight report 38 (in Dutch), raw data from non-specific interception can not be used for the services’ other legal tasks, but evaluated data (i.e., data that has been processed and analyzed) can.

Article 18 limits — as does current law — processing of personal data by the services to specific categories of relevant persons (targets, persons voluntarily undergoing a security screening, etc.). But as the MoU explains, automated data analysis (e.g. metadata analysis) can involve processing data, e.g. collected via bulk intercepts, from other persons (non-targets) as well. And recall that raw bulk intercepts can be retained for three years.

Article 22 provides — as does current law (details) — the services permission to ask private parties (e.g. banks, public transport, or candidate-informants elsewhere) to voluntarily hand over data or databases, or make those accessible via automated means. The handover of personal data is exempted from Dutch Data Protection Act (“Wbp”). Article 22 combined with Article 35-1-b and/or 47 enables profiling, social network analysis etc. on the basis of voluntarily provided data; in addition to possible combination with data collected through other means, such as bulk interception, specific interception, and hacking. The related provision in the current law is used, for instance, in the context of tracking terrorist’s finances. Requests for data can be made only in the context of a specified purpose/investigation; the MoU states: “arbitrary requests for data are not allowed”.

Someone told me the bill seems quite polarizing; indeed, there are a lot of “musts” present, and the definition of “provider of a communication service” is very broad. But further things are relevant to assessing the bill as a whole:

• the proposed (permanent) five-year mandatory re-examination of the law (Article 147);
• the proposed introduction of required “purpose-orientation”, which intends to limit the hay stack created using non-specific interception to relevant information. The MoU mentions that “filters” will be used to filter (ir)relevant data;
  • caveat: it remains to be seen what filters will be applied (filters for volume reduction? of course; filters for privacy? only if possible) and how broad a “purpose” can be defined for the collection phase and the (pre)processing phase in the new interception framework;
• the proposed provisions that provide new ways of reporting wrongdoing (Article 114-120). The provisions extend to ‘anyone involved in the exercise of this law’ (including e.g. employees of providers) and cover reporting violations of law, dangers to security, and dangers to the proper functioning of “the public service” (the latter is mentioned in Article 114-c but not explained in the MoU; presumably it refers to the intelligence service);
• the proposed mandatory reporting about the use of special powers (Article 45);
  • caveat: related existing requirements have not always been met in the past;
• the proposed limitations on retention of intercepts — raw bulk intercepts can be stored for three years ex Art. 33-5, irrelevant yields of hacking, specific interception and obligated telecoms data hand-over can be stored for max 12 months ex Art. 30-9, 32-10 and 38-7;
  • caveat: encrypted data obtained via non-specific interception can (still) be stored indefinitely; the retention period does not start until the data is decrypted — think of collecting TLS-encrypted traffic until you know what to do with it (possibly compel someone to decrypt it or hand over keys). Also, raw bulk intercepts can now remain available for selection three years instead of one year, as is presently the case;
• the proposed specification of information that must be present in approval requests sent to the Minister. Concerning bulk interception, the MoU states that the approval request must specify the relevant ongoing investigation, the purpose of the requested interception (that must be specified ‘as specifically as possible’; ‘a general indication does not suffice’), the type of telecommunications (e.g. GSM, radio, satellite, internet; ‘possibly’ including geographic boundaries), ‘possibly’ the types of traffic that are relevant (e.g. voice, chat, file transfer), and, in the case of bulk cable interception, the cable infrastructure that is targeted.
  • caveat: it has always been required that approval requests include a motivation (in terms of necessity, proportionality and subsidiarity), but oversight reports show that it has often been missing or was inadequate in the case of the use of the existing (ether-only) sigint power — which is why I stated oversight is currently broken. The new bill aims to fix that (e.g. through the new three-phase interception framework, and by no longer requiring separate approval requests from the Minister prior to selecting persons, organizations, characteristics or keywords from raw bulk intercepts), but we won’t really know what has (not) been fixed until the bill is adopted and new oversight reports are published based on the new legal framework;
• the proposed increase of the level of authorization required for hacking (ex Art.30-3) and sigint search (ex Art.34) from head of service to Minister;
  • caveat: the risk of rubber-stamping remains a point of attention, because — as is clear from past oversight reports and parliamentary papers — the Minister usually has a lot of approval requests to decide on. In fact, the number of requests is likely to increase as result of the heightened approval regime for various (old and new) powers; although sigint selection (selecting data about specific persons, organizations, technical characteristics, or keywords from raw bulk intercepts) no longer requires separate, per-case approval from the Minister;
• the many other proposed changes concerning oversight — but alas, still no ex ante or court oversight —, complaint handling, aspects of freedom of information, and more.

The compelled-decryption provision laid down in Article 41 references, in Article 41-1, the non-specific (‘bulk’) interception power laid down in Article 33-1. If I’m interpreting the bill and MoU correctly, this permits the Minister to compel organizations (such as providers) to decrypt data or hand over keys also for the purpose of exercising the non-specific (‘bulk’) interception power. Think of requiring handover of TLS keys used on shared servers, cloud CDNs, or crypto used to protect links between data centers. If this is indeed in scope of the law, then that’s probably a topic for debate — regardless of the fact that page 202 of the MoU indicates that use of the compelled-access power will be limited to “several physical access points” in the initial years, and without leaving this up to assumptions about whether the intelligence services will or will not apply the law this way, and whether the Minister and CTIVD would approve in specific cases.

Appendix 3 of the MoU provides an overview of all powers and safeguards in the bill:

(Also available as .pdf here.)

UPDATES (new to old)

UPDATE 2016-04-29: the confidential revised draft + MoU that the Dutch government submitted for advice to the Council of State was leaked via Dutch newspaper Volkskrant. An analysis by Bits of Freedom is available here (in English). I posted some notes on my blog here and here (both in Dutch).

UPDATE 2016-04-15: an additional NOS report states that the existing (targeted) interception power and (targeted) hacking power, too, will be subject to ex ante and binding oversight. The newly to be established oversight committee is entitled ‘Toetsingscommissie Inzet Bevoegdheden’ (TIB), and will consist of persons that have a background in the judicial branch.

UPDATE 2016-04-14: NOS reports that according to unnamed sources, the Dutch government will, with regard to the upcoming cable interception power, consider ex ante oversight by a new independent committee. (Note: ‘new independent committee’ presumably means it’s not about the CTIVD, the existing independent expert committee that has been carrying out ex post non-binding oversight since 2002.) Furthermore, requiring prior court approval for the interception of communications of lawyers and journalists will also be considered. The report states these topics will be discussed in the cabinet. The cabinet changed “purpose-oriented interception” (my translation from the Dutch word “doelgericht” used previously) to “investigation-bound interception” (my translation of “onderzoeksopdrachtgericht”). It’s just different words for the same thing: interception that is carried out in the context of an intelligence task, but that is not targeted/limited to specific known persons or organizations.

UPDATE 2015-11-11: the transcription of a parliamentary debate of September 2nd 2015 on intelligence affairs, including the draft bill, is now available here (in Dutch). When the cabinet submits the revised bill to the House of Representatives (lower house), the house will also receive the Privacy Impact Assessment (PIA) performed on the draft bill by PI.lab (a cooperation between Radboud University, Tilburg University, SIDN and TNO) and coordinated by professor Bert-Jaap Koops.

UPDATE 2015-11-04: the oversight committee (CTIVD) published its response (in Dutch) to the draft bill. An English outline of that response is available here.

UPDATE 2015-10-21: the current progress of the bill within the legislative process can be viewed at the ‘live’ webpage here (in Dutch). The bill is currently at the end of the preparatory phase: public consultation closed on September 1st, and the government is now processing the public comments. Next, the government will submit the bill, possibly changed as result of public comments, to the Council of State for advice. Then, the government will submit the bill, possibly changed as result of the Council’s advice, to the House of Representatives. If the bill is adopted by a majority vote of the House, the bill, possibly changed, will be submitted to the Senate. If it is adopted by the Senate, the law and a date of enactment will be published. Conceivably, whatever the new law will look like, it seems likely it won’t be enacted before 2017.

UPDATE 2015-07-23: today, three weeks after publication of the bill, legal scholars from the University of Amsterdam published a report (.pdf, in English) entitled “Ten standards for oversight and transparency of national intelligence services”. Short write-up here. Notably, the authors of the report plead for ex ante review of interception and intelligence operations by a court. The bill neither includes independent ex ante review, nor any court involvement.

EOF

On June 29th 2015, the Dutch Minister of the Interior sent a letter (.pdf, in Dutch) to the House of Representatives in response to a request from the House in the context of the allegations, made by Austrian MP Peter Pilz and reported (in Dutch) in May 2015, that 71 phone communication links (STM-1) of Dutch telco KPN were wiretapped by the German Bundesnachrichtendienst (BND) on behalf of the NSA. The letter mostly refers to the ongoing investigation by the Dutch General Intelligence & Security Service (AIVD), but for the sake of completeness, here’s a translation (hyperlinks are mine):

On June 25th 2015, the House’s standing committee for the Interior asked me to respond to KPN’s statement about the wiretapping of its  telephony links by the German security service BND. Furthermore, the committee wants to know whether the BND has responded to the allegations, and whether the Netherlands carries out similar espionage on behalf of the NSA. Following the claims from Austrian MP Pilz, the AIVD is currently carrying out an investigation. In that context, consultations take place with mr. Pilz, the German authorities, and KPN. The AIVD also performs its own analysis.

KPN published a statement that mentions that the links named by Pilz start or end in the Netherlands. KPN can, on the basis of information in its own systems, not determine whether the links have in fact been wiretapped. The AIVD takes these findings into account in its investigation.

The German authorities reports that the Netherlands is not, and has not been, a target of the German BND. Previously, the director of the American NSA stated that the Netherlands is not a target of the NSA. I have informed the House on that.

Because the investigation is ongoing, it is too early to make conclusions concerning the claims by mr. Pilz. The Dutch intelligence & security services AIVD and the Military Intelligence & Security Service (MIVD) carry out their activities on the basis of the Dutch Intelligence & Security Act of 2002 (Wiv2002). The Dutch Review Committee on the Intelligence & Security Services (CTIVD) oversees the lawfulness of the execution of the Wiv2002. In CTIVD report 38 [2014, in Dutch], on telecommunications data processing, the CTIVD concluded that the AIVD and MIVD do not structurally collect (personal) data outside the legal framework.

On May 28th 2015, the House transferred a request from MP Voortman to the Minister of the Interior and the Minister of Foreign Affairs for receiving a letter with a response to the claims by Austrian MP Pilz. When said investigation is completed, I will inform the House.

One may recall that Pilz also claimed that the Netherlands, France, Luxemburg an Austria were targets of BND spying during operation Eikonal in the period 2004-2008.

Also recall that it was a former chief of the German BND, mr. Hansjörg Geiger, who suggested to establish an “intelligence codex”, i.e., a no-spy agreement — for instance between a group of European countries — to mutually abstain from “political, economic and diplomatic” espionage. That proposal was included in Pieter Omtzigt’s PACE report on mass surveillance (.pdf). On March 3rd 2015, in response to a request from the House, the idea of a codex was rejected by the Dutch government.

EOF

TL;DR: there is no reason to believe Ixquick/StartPage.com discloses user IP addresses to Google.

Sometimes a question pops up (for instance here, here, here and here) about 1) how the privacy-oriented search engine Ixquick/StartPage.com (wikipedia) shows localized Google search results and AdWords to its users, and 2) how it is possible that Google CAPTCHAs are never shown. I could not find answers in the Ixquick/StartPage.com FAQs or support forums. Because some Reddit commenters wondered whether Ixquick/StartPage.com discloses IP addresses to Google, I asked Ixquick/StartPage.com, and received answers that — as expected — provide more plausible explanations. The questions and answers are posted below, as well as on Reddit, with the intent to counter some unnecessary FUD.

First, here’s my question to Ixquick/StartPage.com about how localized search results are shown (summarized from two mails):

How does StartPage show localized Google search results & AdWords? When using an English browser and searching for “computers” from a Dutch IP address, StartPage shows Dutch AdWords and search results. When doing the same from a German IP address, German results are shown. Does StartPage map the user IP to a country, and use that in the query that Startpage sends to Google’s servers? Does it work exactly like this?

• step 1: perform geolookup of user IP to retrieve country code
• step 2: send country code to Google in the “gl” parameter  (in addition to the search phrase etc.)

The answer from Ixquick/StartPage.com’s support desk:

The two steps you’ve outlined are exactly correct:

• step 1: perform geolookup of user IP to retrieve country code
• step 2: send country code to Google in the “gl” parameter  (in addition to the search phrase etc.)

Indeed, showing localized Google search results does not require Ixquick/StartPage.com to disclose the IP addresses of users to Google. Ixquick/StartPage.com explicitly states that users’ IP addresses are not shared with Google.

Second, here’s my question to Ixquick/StartPage.com about the absence of Google CAPTCHAs:

How can it be that users of Ixquick/StartPage are never (?) shown a Google CAPTCHA, even though Ixquick/StartPage’s servers send, on a daily basis, lots of queries to Google from a limited set of IP addresses? Is this an agreement between Ixquick/StartPage and Google, in which Google agreed to, for instance, whitelist those IP addresses to exempt them from the CAPTCHA?

Answer from Ixquick/StartPage.com:

StartPage has a contract with Google that allows us to use their official “Syndicated Web Search” feed. We have to pay them to get those results.

Indeed, preventing the Google CAPTCHA does not require Ixquick/StartPage.com to disclose the IP addresses of users to Google; a paid contract takes care of that.

According to a StartPage.com Knowledge Base article from 2013, 99% of the money they earn comes from the ads they show on results pages. Those ads are included via Ixquick/StartPage.com’s own servers, not from third-party domains. It is not until you click an AdWord — and thus help Ixquick/StartPage.com survive as a free, privacy-enhancing way to access Google search (and search results, if you use Ixquick/StartPage.com’s awesome proxy service) — or a search result, that your browser communicates with other parties.

In general, if you don’t want to expose your IP address and/or browser fingerprint to a website, access the website from the Tor Browser, and use Tor Browser properly. StartPage.com is nowadays included as a preset search engine in Tor Browser, and StartPage.com’s “compatibility” with Tor (“we don’t block Tor”, I suppose) is mentioned in a StartPage.com Knowledge Base article from 2014. Don’t forget about the possibility of vulnerabilities in Tor Browser itself: set the new security level setting to “high” to mitigate some of that risk, and lower it only whilst being fully aware that doing so increases risk, especially when allowing JavaScript and canvas fingerprinting. You won’t see localized information unless the Tor exit node happens to be in your country, or when you use a non-English version of Tor Browser and disagree to the following question that is asked at first use (translated from the Dutch version):

To increase your privacy, Torbutton can request web pages in the English language. This can mean that web pages you want to read in your own language are shown in English. Do you want to request web pages in English for better privacy?

Normally, Tor Browser sends the following header to websites to indicate the desired language (tested w/Tor Browser 4.5.2; “q” essentially denotes the preference order; see RFC2616 (HTTP/1.1) Section 14.4 for details):

Accept-Language:en-us,en;q=0.5

If you disagree to the prompt, the Dutch version of Tor Browser sends the following header:

Accept-Language:nl,en-US;q=0.7,en;q=0.3

Generally speaking, the latter will decrease your anonymity, because you are likely to blend in with a smaller crowd — and possibly a far smaller crowd if your particular non-default language setting in Tor Browser (such as Dutch) is used nearly exclusively by relatively small populations (such as the Dutch and the Belgians). Note that, similarly, setting Tor’s security level to “high” also results in a smaller crowd, specifically in the eyes of websites that run tests (through JavaScript, CSS, etc.) to determine and record the browser configuration, including (un)availability of properties and functions.

EOF

On June 23rd 2015, the Dutch Minister of the Interior submitted the outlines of the 2015 year plan (in Dutch) of the General Intelligence & Security Service (AIVD) to the parliament.

The idea of a “year plan” was proposed by the oversight committee (CTIVD), and is intended to inform intelligence consumers, stakeholders, the parliament and society about what they can expect from the AIVD in the next year. Due to the nature of it contents, the year plan itself is a state secret. The year plan has been discussed with, and approved by, the government’s Council for the Intelligence & Security Services (RIV) on June 9th 2015, and was subsequently accepted by the cabinet. The present letter from the minister, the first of its kind, is referred to in Dutch as “Jaarplanbrief”, which (literally) translates to “Year Plan Letter”. It is scheduled as input, among other inputs, for the parliamentary General Meeting on intelligence & security services’ affairs that will take place on July 1st 2015  [postponed to September 2nd 2015].

The cabinet is currently preparing an intelligence bill that will, besides change the oversight framework and safeguards, grant the AIVD and the Military Intelligence & Security Service (MIVD) to perform unspecific (bulk) interception of cable communications. That bill is yet to be released into public consultation (it will appear here); the letter below precedes it.

The remainder of this post consists of a translation of that letter; hyperlinks are mine.

National security and the role of the AIVD

Security is a core task of the government. The AIVD ensures national security by timely identification of threats, (political) developments and risks that are not immediately visible. To this end, the AIVD carries out domestic and foreign investigations, taking into account the safeguards of the Dutch Security & Intelligence Act of 2002 (.pdf) (Wiv2002). Collecting and interpreting intelligence is not an objective on and by itself. It is an essential condition to thwart terrorist attacks, disrupt terrorist traveling, detect espionage, and, more generally, support government policy to protect the democratic rule of law and other important state interests. The AIVD shares specific knowledge and information with its partners (for instance public administrators, policy makers, the National Police) and instigates other organizations to act.

AIVD year plan on the basis of Integrated Intelligence & Security Policy (Dutch: “Geïntegreerde Aanwijzing I&V”)

The AIVD Year Plan 2015 is, for the first time, based on the system of an Integrated Intelligence & Security Policy [“GA I&V”, abbreviating its Dutch title, “Geïntegreerde Aanwijzing Inlichtingen & Veiligheid”], as introduced following the cabinet response to the review of the Wiv2002 [by the Dessens Committee] (Parliamentary Papers, 2013-2014, 33 820, nr. 2). Although the GA I&V will not have a formal legal basis until the Wiv2002 has been changed, the cabinet has decided to start using the system this year. The GA I&V describes the needs of intelligence consumers concerning various themes and focus areas, and is, from now on, the basis for the year plans of the AIVD and the MIVD. The accompanying Year Plan Letter intended for the parliament will as of 2016 be available before January 1st of each year, in accordance with the motion filed by Van der Staaij c.s. (Parliamentary Papers, 2014-2015, 29 754, nr. 295).

Strengthening of AIVD budget

On June 30th 2014 the cabinet decided to grant a structural addition of EUR 25 million to the AIVD budget as of 2015. Reason for this budget increase was the changing threat landscape. Worrying developments happened both nationally and internationally. The intensification is meant for investigations concerning the threat from persons traveling to Syria for jihad, developments in Iraq, and developments concerning instability in the Middle-East and the outside borders of Europe. Intensification was also necessary concerning cyber threats.

On February 25th 2015 the cabinet decided on a new strengthening of the security chain. This concerns the prolonged nature of the worsened threat landscape concerning jihadism. This strengthening enables the services and organizations involved to counter the jihadist threat in the coming years. The structural addition to the AIVD’s budget increases in phases up to EUR 40 million a year per 2020. The AIVD’s budget is then EUR 230 million. This enables the structural strengthening of the investigation capability concerning radicalization and counter-terrorism, without harm to other important investigations (left-wing and right-wing extremism, foreign intelligence).

The AIVD Year Plan 2015 establishes the priorities and accents, as reflected in this Year Plan Letter, considering the aforementioned strengthening.

Priorities and accents of AIVD investigations

Concerning the legal tasks of the AIVD, insight is given below into the priorities and accents that are put central in 2015 in each focus area:

Jihadist terrorism

The Netherlands has a terrorist threat level that is qualified as “substantial” [explanation] since March 2013. Approximately 200 jihadists have left the Netherlands to join the fight in Syria and Iraq. Furthermore, a number of persons with a Dutch background support the jihad in other conflict zones, such as Somalia. They train, and obtain knowledge, expertise and fighting experience, and get into contact with local, regional and international terrorist groups. They are a threat for the (regimes in the) countries concerned, but often also for the Western interests there. When these jihadists return to the Netherlands, they are a potential threat. Part of these persons can continue their terrorist activities in the Netherlands.

There is also a threat from jihadist groups that are active in various countries, and that also have an international agenda. The most well-known organizations are core al-Qa’ida (AQ core), the related groups AQAS (AQ on the Arabian Peninsula), AQIM (AQ in the Islamic Maghreb), al-Shabaab (Somalia) and Jabhat al-Nusra (Syria). Besides that, the Islamic State in Iraq and al-Sham (ISIS) intends to carry out attacks in the West. The increasing role of old, transnational jihadist networks that were active in the 1990s is also worrying. Active veterans seem to increasingly put themselves forward as facilitators for a new generation of jihadists. These veterans have the right contacts to have a supporting role to groups with an international agenda.

The jihadist threat against the West is currently also stems from individuals who are not associated with a particular group, and who have or have not traveled abroad. Sympathizers are used worldwide to carry out relatively simple attacks. The attacks in Paris and Copenhagen are examples, and can inspire radical muslims to carry out similar terrorist activities. Moreover, the attacks in Paris make clear that various independent elements can come together: individuals, sympathizers, diffuse local networks, relations with and inspiration from old transnational networks and persons sympathizing with rival jihadist groups, but who nonetheless on their own grasp opportunities to carry out attacks nearly simultaneously and jointly.

Furthermore, jihadists who’s travels are disrupted can pose a threat to the West. The attacks that were carried out in Canada and Australia in the Fall of 2014 and can be related to ISIS illustrate this threat. In the Netherlands as well, signs exist that a threat can exist from jihadists who’s travels were disrupted.

The AIVD’s efforts are aimed at timely identification of the aforementioned national and international jihadist threats, to provide operational perspectives to the relevant government organization(s). Besides that, efforts are aimed at contributing to the prevention of Dutch youngsters traveling abroad to conflict zones, and at identifying the threat from (returned) jihad fighters. The AIVD also attempts to impede the supporting and recruiting activities for participation in the international violent jihad. Naturally, the AIVD can not act alone concerning jihadi terrorism, and active cooperation takes place with other organizations, such as the NCTV, the National Police, the Public Prosecution Service, the municipalities and Child Protective Services. Also, international cooperation takes place with foreign intelligence and security services.

Radicalization and extremism

Radicalization of various groups in the Dutch public is reason for concern to the AIVD, and reason for the intensification of the investigation. Recent developments in, among others, the Middle-East have effects that stretch to the Netherlands. In the last two years, a large number of people traveled to the conflict in Syria and Iraq. A far larger number feels involved in this conflict, for personal or ideological reasons. The attraction of jihadism has various consequences.

The public AIVD report Transformation of jihadism in the Netherlands (.pdf, 2009) points out the potential threat from the broad group of sympathizers and supporters of radical islam in the Netherlands, who are not immediately involved with or can not be related to actual jihadist activities, but who create support and growing potential. It is therefore important to have good insight into radicalization processes among this group. Not only the strong momentum that the jihadi movement has gained is reason for serious concern. Also the growth of a different specific form of radical islam, dawa-salafism, is an increasing risk. Dawa-salafism has in recent years taken more ground in the islamic landscape of the Netherlands, both physically and online. Preachers who work outside the established dawa-salafist organizations loudened the intolerant and anti-democratic message that dawa-salafism and jihadism share. The voices of established salafist preachers have hardened. The resistance that established dawa-salafist organizations claimed they could offer against jihadism is decreased partially because of that.

The threat from (the growth of) radical islam in the Netherlands is twofold: on the one hand, this growth can lead to violence in the form of jihadist terrorism, on the other hand it can itself form a threat to the democratic rule of law because of the intolerant and anti-democratic message that is spread. The AIVD investigates both types of threat. The investigation into persons and organizations who spread jihadist thoughts helps in timely insight into jihadists, and facilitates the AIVD research into the focus of investigations into jihadist terrorism. The investigation into non-jihadist radical islam helps, among others, the NCTV, the local governments and other relevant organizations in taking measures against individuals who promote anti-integrative and intolerant isolationism.

The left-wing extremism in the Netherlands in characterized by erratic developments, with sometimes large peaks in intensity and threat. In the right-wing extremism, a form of hardly organized and unstructured ‘new’ right-wing extremism is developing next to the some remaining small ‘classic’ right-wing extremist groups. The latter involves ‘anti-islamic’ persons and groups who often ad hoc focus on (alleged) islamist excesses. Besides the actual threat from this, the perceived threat and the societal unrest must be taken into account that follows from that as a result of inflation of the threat from right-wing extremism by left-wing activists and extremists from their anti-fascist viewpoint. The interpretation of the factual threat that the AIVD recognizes from left-wing extremism and right-wing extremism is essential in providing an operational perspective for local and national officials.

Proliferation of WMDs

WMDs potentially pose a significant threat for international peace and security. The Netherlands has signed treaties aimed at countering proliferation of such weapons. The joint Unit Counterproliferation (UCP) of the AIVD and MIVD investigates countries that are suspected of — in violation of international treaties — pursuing WMDs and  means of transfer, or already possess those. The efforts of the AIVD and MIVD are aimed at obtaining an independent information position concerning WMD programs in risk countries, so as to inform the Dutch government. Acquisition activities by or on behalf of risk countries via the Netherlands is countered. This prevents that Dutch companies knowingly or unknowingly contribute to the proliferation of (parts of) WMDs.

Investigations into states

Considering the uncertain and unpredictable international environment and the risks involved for international peace and security, intelligence is of vital importance to the establishment of Dutch foreign policy. The AIVD’s investigations into states are carried out to provide the government with background information and an operational perspective, and to use it in consultations on topics that affect the Dutch national and international political interests. The investigations into states are increasingly related to the AIVD’s security tasks. For a number of states, a joint intelligence need is defined by intelligence consumers in the GA I&V for the AIVD and MIVD. The execution of these investigations takes place in close (operational) cooperation and consultation with the MIVD.

(Digital) espionage and cyber threats

The AIVD carries out structural investigations into foreign intelligence activities (espionage) that take place in the Netherlands or are targeted at Dutch interests. This investigation is aimed at identifying and disrupting unwanted activities through independent AIVD action, or by providing operational perspectives to the relevant authorities.

Concerning digital espionage, the AIVD has in recent years observed various digital attacks aimed at espionage and gathering vulnerable and valuable (political, military, economical and technical) information. Examples are numerous, and the threat and damage is significant. Additionally, digital attacks aimed at sabotage or societal disruption can be involved. Digital attacks such as Flame, Shamoon and Stuxnet, but also less advanced attacks such as DDoS attacks showed in recent years how (parts of) vital sectors can be disrupted or damaged. A significant problem of cyber attacks is that they can often be difficult to trace to a perpetrator or whoever commissioned the attack, and that they can be deployed from and via nearly every country. The AIVD investigates cyber attacks, and if necessary in cooperation with the National Cyber Security Center (NCSC).

Promoting protection and the guarding and security of designated property and services

On the area of the promotion of measures to protect designated interests, the efforts of the AIVD are aimed at promoting measures for protecting processes, organizations and sectors that are important for national and economical security. This involves, for instance, the protection of vital parts of government and the private sector from terrorism, but also the protection of data that is classified on grounds of national security. The AIVD’s efforts are also aimed at informing the government and (vital) private parties about threats and risks, and at providing recommendations for the purpose of taking adequate protective measures. Furthermore, threat analyses are made for the NCTV’s Counterterrorism Alert system (ATb). The NL-NCSA (NBV), part of the AIVD, advises the national government about information security, for instance concerning preventive measures for detection of and response to security breaches. The AIVD also, at request, evaluates security products before they are used by the national government.

Concerning the guarding and security of designated property and services, the AIVD provides insight into the (potential) threat against politicians, the government, diplomatic representatives, international organizations and large-scale events. This information is provided to the NCTV in the form of threat estimates, threat analyses and risk analyses, and the NCTV then decides about security measures. This task has immediate relations to other investigation objectives, including with regard to radicalization and extremism.

Other AIVD priorities and accents

The other priorities and accents for the AIVD in 2015, including with regard to security screenings and business operations, are discussed below:

Security screenings and designated jobs

Since this year a new, re-calibrated method is used for designating trust positions, and for carrying out security screenings. Only positions that can cause serious and plausible damage to national security are designated as trust positions. Also, the legal principle is that security screenings are the breech block of security, among others because of the privacy infringement involved. In the execution of security screenings, the protection of national security is leading. Research in AIVD systems is the basis of each security screening, in which the nature of the threat recognized by the AIVD determines which information is most relevant. It is intended that at least 90% of the security screenings are completed within the legal term of eight weeks.

Following a recent change of law, the costs of security screenings for private sector appointments can charged to the private requester. This has already been implemented in 2013 for screenings for public sector appointments. In 2015, a cooperation model is developed within the exploratory inquiry into a joint AIVD/MIVD unit for carrying out security screenings. A joint unit should be established by 2017 at the latest.

Inflow of new staff

In the coming years, the inflow of new (operational) personnel will have high priority in the AIVD’s business operations. On the one hand, this new personnel results from the budget increases decided on by the cabinet, on the other hand from vacancies following from the completion of the reorganization per January 1st 2015. A task force has been established within the AIVD for the purpose of optimizing the chain of personnel flow and inflow, for instance concerning recruitment, security screenings, facilities, training and education.

Information provisioning and IT

The AIVD is highly dependent on timely and secure information provisioning. For that reason, it is necessary to make significant investments in renewal of IT. This need is increased as result of the AIVD having to process more data to determine the behavior of targets, of the fact that the AIVD must be present with systems on more locations, and the fact that data processing is increasingly threatened by new forms of cyber attacks. The focus within IT is unabated the continuous assurance of the continuity of IT systems and the renewal and further development of (operational) IT systems.

Inquiry into co-location AIVD and MIVD

At the end of 2014, and interdepartmental project started in which, in cooperation between the ministries of General Affairs, Defense and the Interior, it is investigated to what extent, and under what conditions, it is possible to accommodate the AIVD and the MIVD jointly on the Frederikskazerne. In the summer of 2015, the outcomes of the preliminary investigation on housing will be presented, after which, depending on the outcomes, further decisions will be made.

Follow-up on investigation by Court of Auditors

On May 19th 2015, the Court of Auditors published the report “Budget cuts and intensifications at the AIVD” (.pdf, in Dutch) [note: that report qualifies an earlier EUR 68 million budget cut — a third of the AIVD’s annual budget — as irresponsible]. In the cabinet’s response (.pdf, in Dutch) to this report, it was promised that the targeted investments by the cabinet in the AIVD and the GA I&V will be developed into a multi-year implementation plan. This plan will be delivered by the AIVD in 2015. Education, informatization and permanent innovation will be addressed in assuring this multi-year perspective.

Reports and accountability

Through this Year Plan Letter I provided insight in the priorities and accents for the AIVD in 2015, also in relation to the budget and the cooperation with (chain) partners in the security domain. Public accountability for the execution of the Year Plan will take place in the departmental annual report of the Ministry of the Interior, and in the AIVD’s own annual report. The AIVD will report ad interim about the progress of the Year Plan via, among others, four-monthly progress reports. These progress reports will be shared and discussed with the House Committee for the Intelligence & Security Services. 

EOF

The Dutch National Police website reports (in Dutch) that five persons have been arrested as suspects in a million euro ‘car phishing’ scam. Here is a translation of that report:

EOF

BNR Newsradio reports that the Dutch Data Protection Authority (DPA) rejects the idea of matching online searches made from school computers for jihad-related phrases. Here is a translation of that report (hyperlinks are mine):

The Dutch Data Protection Authority (DPA) sees nothing in placing anti-jihad software on school computers. It is too infringing on pupils’ privacy.

The software can track whether pupils use the school computer to search for jihad-related phrases. The Importunus Foundation is currently developing such a system, supported by the Ministry of Education. The system is in fact developed to fight cyberbullying, but is now extended to address radicalization.

The DPA finds that such software is too infringing on pupils’ privacy. Pupil organization LAKS also does not approve of the plan.

Wilbert Tomesen, vice chairperson of the DPA: “If the eventual idea is a sort of massive tracking system for children — innocent pupils — then that is a massive privacy infringement (…). The first question should be: is this, in this relation and in this context, really necessary? Are alternative methods available?”

Dragnet

When asked about his primary objection, Tomesen says: “The eventual consequence is that a dragnet is thrown over the deepest depths of human communication.”

Tomeses emphasizes that he does take the risks of radicalization into account. “Every sane person believes that schools should keep their eyes and ears open, and must be alert for radicalization. The next question is: is this the right means?”

The Importunus Foundation states to have close contact with the DPA about the system. “Well, not about this”, Tomesen responds, “We have contact with Importunus about their anti-bullying program. (…) We have certainly not discussed this program.”

For further reading on radicalization, see this lengthy blogpost (in Dutch).

EOF

The FBI website has had an informative page on elicitation techniques. In the spirit of LOCKSS, I hereby keep a copy below.

Elicitation Techniques

Download print version (.pdf)

This brochure is an introduction to elicitation and elicitation techniques. Understanding the techniques and the threat may help you detect and deflect elicitation attempts.

Elicitation is a technique used to discreetly gather information. It is a conversation with a specific purpose: collect information that is not readily available and do so without raising suspicion that specific facts are being sought. It is usually non-threatening, easy to disguise, deniable, and effective. The conversation can be in person, over the phone, or in writing.

Conducted by a skilled collector, elicitation will appear to be normal social or professional conversation. A person may never realize she was the target of elicitation or that she provided meaningful information.

Many competitive business intelligence collectors and foreign intelligence officers are trained in elicitation tactics. Their job is to obtain non-public information. A business competitor may want information in order to out-compete your company, or a foreign intelligence officer may want insider information or details on US defense technologies.

Elicitation Defined

The strategic use of conversation to extract information from people without giving them the feeling they are being interrogated.

Elicitation attempts can be simple, and sometimes are obvious. If they are obvious, it is easier to detect and deflect. On the other hand, elicitation may be imaginative, persistent, involve extensive planning, and may employ a co-conspirator. Elicitors may use a cover story to account for the conversation topic and why they ask certain questions.

Elicitors may collect information about you or your colleagues that could facilitate future targeting attempts.

Elicitation can occur anywhere— at social gatherings, at conferences, over the phone, on the street, on the Internet, or in someone’s home.

Elicitation is Not Rare

It is not uncommon for people to discover information about a person without letting on the purpose. For example, have you ever planned a surprise party for someone and needed to know their schedule, wish list, food likes and dislikes or other information without that person finding out you were collecting the information or for what purpose? The problem comes when a skilled elicitor is able to obtain valuable information from you, which you did not intend to share, because you did not recognize and divert the elicitation.

Why Elicitation Works

A trained elicitor understands certain human or cultural predispositions and uses techniques to exploit those. Natural tendencies an elicitor may try to exploit include:

• A desire to be polite and helpful, even to strangers or new acquaintances
• A desire to appear well informed, especially about our profession
• A desire to feel appreciated and believe we are contributing to something important
• A tendency to expand on a topic when given praise or encouragement; to show off
• A tendency to gossip
• A tendency to correct others
• A tendency to underestimate the value of the information being sought or given, especially if we are unfamiliar with how else that information could be used
• A tendency to believe others are honest; a disinclination to be suspicious of others
• A tendency to answer truthfully when asked an “honest” question
• A desire to convert someone to our opinion

For example, you meet someone at a public function and the natural getting-to-know-you questions eventually turn to your work. You never mention the name of your organization. The new person asks questions about job satisfaction at your company, perhaps while complaining about his job. You may think, “He has no idea where I work or what I really do. He’s just making idle chat. There’s no harm in answering.” However, he may know exactly what you do but he relies on his anonymity, your desire to be honest and appear knowledgeable, and your disinclination to be suspicious to get the information he wants. He may be hunting for a disgruntled employee who he can entice to give him insider information.

Techniques

There are many elicitation techniques, and multiple techniques may be used in an elicitation attempt. The following are descriptions of some of those techniques.

Assumed Knowledge: Pretend to have knowledge or associations in common with a person. “According to the computer network guys I used to work with…”

Bracketing: Provide a high and low estimate in order to entice a more specific number. “I assume rates will have to go up soon. I’d guess between five and 15 dollars.” Response: “Probably around seven dollars.”

Can you top this? Tell an extreme story in hopes the person will want to top it. “I heard Company M is developing an amazing new product that is capable of …”

Confidential Bait: Pretend to divulge confidential information in hopes of receiving confidential information in return. “Just between you and me…” “Off the record…”

Criticism: Criticize an individual or organization in which the person has an interest in hopes the person will disclose information during a defense. “How did your company get that contract? Everybody knows Company B has better engineers for that type of work.”

Deliberate False Statements / Denial of the Obvious: Say something wrong in the hopes that the person will correct your statement with true information. “Everybody knows that process won’t work—it’s just a DARPA dream project that will never get off the ground.”

Feigned Ignorance: Pretend to be ignorant of a topic in order to exploit the person’s tendency to educate. “I’m new to this field and could use all the help I can get.” “How does this thing work?”

Flattery: Use praise to coax a person into providing information. “I bet you were the key person in designing this new product.”

Good Listener: Exploit the instinct to complain or brag, by listening patiently and validating the person’s feelings (whether positive or negative). If a person feels they have someone to confide in, he/she may share more information.

The Leading Question: Ask a question to which the answer is “yes” or “no,” but which contains at least one presumption. “Did you work with integrated systems testing before you left that company?” (As opposed to: “What were your responsibilities at your prior job?”)

Macro to Micro: Start a conversation on the macro level, and then gradually guide the person toward the topic of actual interest. Start talking about the economy, then government spending, then potential defense budget cuts, then “what will happen to your X program if there are budget cuts?” A good elicitor will then reverse the process taking the conversation back to macro topics.

Mutual Interest: Suggest you are similar to a person based on shared interests, hobbies, or experiences, as a way to obtain information or build a rapport before soliciting information. “Your brother served in the Iraq war? So did mine. Which unit was your brother with?”

Oblique Reference: Discuss one topic that may provide insight into a different topic. A question about the catering of a work party may actually be an attempt to understand the type of access outside vendors have to the facility.

Opposition/Feigned Incredulity: Indicate disbelief or opposition in order to prompt a person to offer information in defense of their position. “There’s no way you could design and produce this that fast!” “That’s good in theory, but…”

Provocative Statement: Entice the person to direct a question toward you, in order to set up the rest of the conversation. “I could kick myself for not taking that job offer.” Response: “Why didn’t you?” Since the other person is asking the question, it makes your part in the subsequent conversation more innocuous.

Questionnaires and Surveys: State a benign purpose for the survey. Surround a few questions you want answered with other logical questions. Or use a survey merely to get people to agree to talk with you.

Quote Reported Facts: Reference real or false information so the person believes that bit of information is in the public domain. “Will you comment on reports that your company is laying off employees?” “Did you read how analysts predict…”

Ruse Interviews: Someone pretending to be a headhunter calls and asks about your experience, qualifications, and recent projects.

Target the Outsider: Ask about an organization that the person does not belong to. Often friends, family, vendors, subsidiaries, or competitors know information but may not be sensitized about what not to share.

Volunteering Information / Quid Pro Quo: Give information in hopes that the person will reciprocate. “Our company’s infrared sensors are only accurate 80% of the time at that distance. Are yours any better?”

Word Repetition: Repeat core words or concepts to encourage a person to expand on what he/she already said. “3,000 meter range, huh? Interesting.”

Deflecting Elicitation Attempts

Know what information should not be shared, and be suspicious of people who seek such information. Do not tell people any information they are not authorized to know, to include personal information about you, your family, or your colleagues.

You can politely discourage conversation topics and deflect possible elicitations by:

• Referring them to public sources (websites, press releases)
• Ignoring any question or statement you think is improper and changing the topic
• Deflecting a question with one of your own
• Responding with “Why do you ask?”
• Giving a nondescript answer
• Stating that you do not know
• Stating that you would have to clear such discussions with your security office
• Stating that you cannot discuss the matter

If you believe someone has tried to elicit information from you, especially about your work, report it to your security officer.

EOF