Nuttig als referentie: tabel 4-1 uit het TNO-rapport Meetmethoden Weerbaarheid (.pdf) dat ziet op methoden voor het meten van weerbaarheid van de samenleving. Dat rapport is het resultaat van onderzoek dat in opdracht van het WODC is uitgevoerd door TNO ten behoeve van de NCTV in de context van de ontwikkeling van een Nationale Weerbaarheidsmonitor. De onderzoekers onderscheiden kenmerken van een weerbare samenleving in kapitalen/voorraden, capaciteiten en vitale sectoren. Voor uitleg van die begrippen verwijs ik naar het rapport zelf, dat de moeite van het lezen waard is. Tabel 4-1 geeft het overzicht van kapitalen, met per kapitaal een indicatie van de voorraden. Om kwantitatieve en/of kwalitatieve analyse uit te voeren moeten de voorraden eerst nog worden geoperationaliseerd in geschikte indicatoren.

EOF

In 1998, Russia apparently asked the UN to establish international rules to prohibit what has since the US DoD’s Joint Publication (JP) 3-13 — Information Operations (.pdf, 1998) become known as Computer Network Attack (CNA). Russia’s move was deflected by the White House under the Clinton administration. Citing from this letter (.pdf, Sep 1998) from the Minister for Foreign Affairs of the Russian Federation addressed to the Secretary-General of the UN:

For a number of years, the General Assembly has been considering at its sessions the item entitled “Role of science and technology in the context of international security, disarmament and other related fields”. We believe that this issue is still topical; moreover, it has recently begun to acquire new meaning as a result of the qualitatively new stage of the scientific and technological revolution that is occurring throughout the world: the rapid development and application of new information technologies and means of telecommunication.

The information revolution, which affects virtually all aspects of modern life, is opening up broad prospects for the rapid and harmonious development of world civilization, expanding opportunities for mutually advantageous cooperation among States and is sharply increasing mankind’s creative potential. Today it is possible to talk about the formation of a truly global information area for the international community, in which information is taking on the attributes of the most valuable element of both national and universal property, its strategic resource.

At the same time, it is essential to consider the – perhaps for the time being only potential but nevertheless serious – threat of developments in the information field being used for purposes incompatible with the objectives of maintaining international stability and security, the observance of the principles of non-use of force, non-interference in internal affairs and respect for human rights and freedoms. In our opinion, such a threat requires that preventive measures be taken today. We cannot permit the emergence of a fundamentally new area of international confrontation, which may lead to an escalation of the arms race based on the latest developments of the scientific and technological revolution and, as a result, divert an enormous amount of resources that are so necessary for peaceful creativity and development.

I am referring to the creation of information weapons and the threat of information wars, which we understand as actions taken by one country to damage the information resources and systems of another country while at the same time protecting its own infrastructure.

The unprecedented level of information available to the public and, at the same time, the vulnerability of a society’s information structure has lead to the risk of the emergence of such an information weapon, the destructive “effect” of which may be comparable to that of weapons of mass destruction.

In these circumstances, there is a real threat that information resources may be used for terrorist or criminal purposes, the consequences of which may be disastrous.

All these apprehensions lead us to the conclusion that the time has come for the question of international information security to be a topic for substantive and purposeful discussion in the United Nations.

I request that you consider this letter as an explanatory memorandum, in accordance with the rules of procedure of the General Assembly, and circulate it together with the attached draft resolution (see appendix) as a document of the General Assembly under agenda item 63.

EOF

UPDATE 2015-07-02: the Dutch government released the intelligence bill into public consultation. Details here.

UPDATE 2015-06-01: changed “goal-oriented” to “purpose-oriented” everywhere, including in the (translated) diagram; it’s a better, less confusing translation (credits to A).

In the Netherlands, non-specific interception (Dutch: “ongerichte interceptie”; alternative English translation might include “untargeted interception”, “unselected interception” or “bulk interception”) by Dutch intelligence services is interception without a priori specifying the identity of a person or organization, or technical characteristics (IMEIs, IPs, phone numbers, etc.). The legal basis for non-specific interception currently is Article 26 and 27 of the intercepting large quantities of foreign PSTN traffic. This constituted foreign intelligence collected for purposes of counter-terrorism and protecting military operations abroad.

The upcoming bill to change the Wiv2002 seeks to expand the non-specific interception power to cable communications (e.g. fibers and switches of ISPs and telcos), and will include a new interception framework — explained in the post here, and depicted in the diagram below (copied from that earlier post).

The bill will eliminate the word “non-specific” (Dutch: “ongericht”) from the law, and introduces the requirement that such interception must be bound a priori to a specific investigation (which can be long-running), i.e., purpose-oriented (Dutch: “doelgericht”; alternative English translations could include: “objective-oriented” or “goal-oriented”; but preferably not “target-oriented“ because that may be wrongfully interpreted here as being aimed at a target person or organization, which is not the case). Whatever the lingo, it constitutes power to search and select bulk communications — the latter term is also literally mentioned in the government’s diagram (.pdf, in Dutch; see ‘Collection’ phase) of the draft interception framework. As is the current situation, the intelligence services will send requests for approval to the Minister, the Minister decides, and then it is up to the Dutch Review Committee on the Intelligence & Security Services (CTIVD) to afterwards examine whether the activities were lawful.

In the proposed regime, the purpose must be defined increasingly specific depending on the phase of the new interception framework. In the collection phase, the purpose can be defined broader/vaguer, in the preprocessing phase the purpose must be more specific, and in the processing phase and analysis it must be most specific. Collection and preprocessing will be authorized without having to specify persons, organizations and/or technical characteristics; processing and analysis do require such specification. Obvously, the collection and preprocessing phases are most interesting from the perspective of protecting legal and moral rights of non-targets, as those activities are authorized without specifying persons, organizations or technical characteristics. Here is an overview of the activities and safeguards per phase:

• COLLECTION PHASE:
  • Activities:
    • Receiving bulk communications
    • Storing bulk communications
    • Making intercepts ‘accessible’ for processing or preprocessing
  • Safeguards:
    • Approval from Minister, based on purpose-orientation, necessity, proportionality and subsidiarity
    • Time-limited (tbd; max 1 year)
    • Explicit retention and destruction periods
    • Separation of jobs and duties: data access compartments separate from data content processing
• PREPROCESSING PHASE:
  • Activities:
    • Enriching and correlating of data (metadata analysis) in order to identify technical characteristics, identities and keywords for use in Art.27-3 power (Sigint selection)
    • Identifying and technically investigating unknown cyber threats to increase resilience
    • Filtering out non-relevant data
  • Safeguards:
    • Approval from Minister for exploration of the communication (Sigint search), based on purpose-orientation, necessity, proportionality and subsidiarity
    • Separation of jobs and duties: data access compartments separate from data content processing
    • Explicit retention and destruction periods for non-relevant data (tbd)
• PROCESSING PHASE:
  • Activities:
    • Subject-oriented investigation (“subject” meaning specified persons, organizations and technical characteristics) including specific threats (eg IEDs in mission areas or cyber attacks) on the basis of the result of selected data
    • Metadata analysis
  • Safeguards:
    • Approval from Minister for selection of these data, aimed at specific individuals, organizations and technical characteristics, or keywords related to specific topics (Art.27-3), purpose-oriented, and including necessity, proportionality and subsidiarity
    • Time limit for selection (Art.27-3) (tbd; max 1 year)
    • Explicit retention and destruction periods for unselected data (tbd)
• ANALYSIS PHASE:
  • Activities:
    • General investigation, subject-oriented investigation, threat-oriented investigation; combined processing and analysis of Sigint-cyber products using yields from other special intelligence means
  • Safeguards:
    • Strictly speaking, the analysis phase is longer part of the interception process. This phase involves the use of special powers (Art. 17, 20, 21, 23, 24, 25, 28, 29) and applicable safeguards and approval regimes.

The output of the analysis phase is then provided to intelligence consumers. Note that “metadata analysis” (mentioned in both preprocessing and processing phases) can be purely technical (preprocessing phase?), or aimed at identifying subjects and patterns, for instance by linking to other databases such as CIOT, a centralized telco/ISP subscriber database, to look up persons associated with an IP address or phone number (processing phase?).

The requirements of necessity, proportionality and subsidiarity are mentioned repeatedly — but those requirements already apply, and that various CTIVD oversight reports show the requirements are typically not all being met in the practice of Sigint in recent years (2009-current, with 2009 being the first year the CTIVD published an oversight report addressing the use of Sigint powers). That problem is one of the reasons for establishing a new interception framework: grouping activities into phases that have a separate authorization requirement tailors authorizations to specific types of access to and use of (bulk) data. The obvious key question is: how will this interception framework turn out in practice? What lower-bound restriction will apply to the characteristics of the definition of “purpose” in each phase, including the collection phase, in order for the Minister to accept it? And the CTIVD?

For instance, could the Minister — hypothetically — authorize the collection (or for that matter manipulation or disruption) of any or all Tor traffic (e.g. all Tor traffic routed in/via the Netherlands) as part of a (perhaps multi-nation (.pdf)) effort to deanonymize Tor users? The upcoming bill is expected to permit the government to require internet providers and telecom providers to provide access to the communications routed over their cables (might include fiber taps, port mirrors, etc.). Will it be legally possible to copy all AMS-IX-routed Tor traffic to the JSCU and/or foreign partners? Legitimate purposes might include identification or sources behind Tor-anonymized cyber attacks, terrorist propaganda, or trade in precursor chemicals. In this hypothetical case, will the anonymity of the mass of non-targets among the Tor users, and public trust in the Tor network, have weight in the decision to authorize a particular operation that affects them?

It is not hard to think of specific legitimate applications of bulk-style interception (search & select), but — taking into account the law of unintended consequences and the tendency of weasel-like use of language — we should also explore the theoretical limits of the upcoming bill. This can be done by dreaming up hypothetical (but realistic) scenarios in which privacy and trust (in infrastructure) are infringed upon, and then figuring out under what circumstances or conditions each scenario would or would not be lawful under the proposed legislation. To cite from a new CoE report (.pdf, June 2015) on democratic oversight on security services (the Dutch services both are intelligence and security services):

Security service activities impact a variety of human rights, including the right to life, to personal liberty and security, and the prohibition of torture or inhuman, cruel and degrading treatment. They also impinge on the right to privacy and family life, as well as the rights to freedom of expression, association and assembly, and fair trial. It is therefore crucial that security services  uphold the rule of law and human rights in undertaking their tasks.

First, recall that under codename “Argo II”, the Ministry of Defense acquired EUR 17M worth of equipment for processing Sigint, allegedly (primarily?) Sigint related to “the world of the internet protocol” (IP traffic). The equipment is used by both AIVD and MIVD, and replaces existing systems. That’s what’s publicly known. The precise applications of Argo II are not publicly known, but it wouldn’t be a leap of faith to conjecture that 1) the equipment performs Sigint search (preprocessing phase) and selection (processing phase) of bulk-intercepted data (e.g. text, audio, video, images, and/or telemetry), based on keywords, names of persons, names of organizations, and/or technical characteristics, and that 2) the equipment is likely fed live data streams more or less straight from bulk-interception sources in Eibergen (radio), Burum (satellite), and if the bill is adopted, taps at Dutch ISPs of the government’s choice (likely at least the largest ISPs/telcos; and perhaps small(er) ISPs/telcos that have links of strategic value to Dutch intelligence). Presumably, it will be proposed to make it legally possible to place taps between data centers; but the cabinet in November 2014 did state (.pdf, in Dutch) that the services would not get “unrestricted and independent access” (Dutch: “onbeperkte en zelfstandige toegang”) to cables: no clandestine access — only access by legal coercion (we’ll see how the law arranges that).

Next, recall what the first Dutch Defense Cyber Strategy (2012) said about expanding the MIVDs capabilities for covert gathering of information in cyberspace:

“This includes infiltration of computers and networks to acquire data, mapping out relevant sections of cyberspace, monitoring vital networks,  and gaining a profound understanding of the functioning of and technology behind offensive cyber assets. The gathered information will be used for early-warning intelligence products, the composition of a cyber threat picture, enhancing the intelligence  production in general, and conducting counterintelligence activities. Cyber intelligence capabilities cannot be regarded in isolation from intelligence capabilities such as signals intelligence (SIGINT), human intelligence (HUMINT) and the [MIVD]’s existing counterintelligence capability.”

Next, inspire creativity by changing mindset to “Collect it All,” “Process it All,” “Exploit it All,” “Partner it All,” “Sniff it All” and “Know it All”. Make sure you’ve read up on the Snowden leaks here (handy chart), here, here and here, and on the ANT Catalog here. Think of vulnerabilities and strengths in the current design, implementations and configurations of IPv4/IPv6, TLS, IPSec, HTTP(/2), SMTP, DNS, BGP, Tor/I2P, etc.. Think what increasing use of cryptography means to obtaining access to data that’s encrypted in storage (e.g. FDE; non-backdoored/flawed design? non-backdoored/flawed implementation? no useful cryptanalysis possible? can’t rubber-hose the key w/o target detecting they are a target?), in transfer, and perhaps in the future, data when processed (idem for homomorphic crypto). Think of (im)possibilities concerning traffic analysis (correlation attacks), cryptanalysis and attacking keys and end-devices. Read books on intelligence. Read annual reports of the intelligence services, and read the CTIVD’s oversight reports. Read openly advertised job positions at the intelligence services. Read relevant parliamentary papers. Take note of the topics mentioned by the Minister of Defense during the debate of February 10th 2015 about the upcoming bill:

• cyber threats cannot be identified timely;
• Dutch military personnel abroad is probably less protected and supported (the Minister added that cable networks are increasingly used in mission areas and conflict zones);
• terrorist activities may not be identified timely;
• the true intentions of risk countries who may be seeking WMDs will remain hidden (the Minister added, with strong seriousness in voice and facial expression, that we lost insight into activities of countries possibly seeking WMDs, because those countries changed to cable communications);
• we are not able to quickly build an information position in upcoming crises abroad;
• theft of intellectual property, vital economical information, and state secrets goes unnoticed.

Think how strategic objectives are translated to tactical and operational objectives (strategy-to-task planning). Make a list of domestic and foreign interests (political, military, economical, etc.); and who the intelligence consumers might be (decision-makers in the cabinet, ministries — see UK’s relations between GCHQ and ministries (.pdf) –, vital sectors, military, customs, etc.). Dream up hypothetical (but plausible) domestic and foreign intelligence objectives (AIVD). Then dream up hypothetical (but plausible) military Information Operations (IO) objectives (MIVD) using the picture below, taken from the initial version of Joint Publication (JP) 3-13 (.pdf, 1998). Think of both defensive and offensive objectives. Draw high-level attack trees. Visualize intelligence cycles happening at the strategic, tactical and operational level. It’s a lot of effort, but should yield some appreciation of what intelligence is about.

(Note: IO objectives can be pursued by any military means available and do not always depend on interception, certainly not interception alone; IO is an all-source paradigm. Humint, Osint etc. must be taken into account. Ask yourself: what data/information could be needed precisely? What are plausible sources and methods to acquire it? What are the advantages and disadvantages of each method? What communication links are used, which ones should you target, how do you gain access to them? Where is data stored, how do you gain access to it? Etc. Also take into account the qualities, limitations and problems of Sigint.)

To assess the quality of legislation, apply the Dutch government’s own normative framework, entitled “Integraal Afwegingskader beleid en regelgeving” (IAK; in Dutch). The IAK is commissioned and applied by the government itself to evaluate and improve legislative quality, but it would be foolish to assume its outcome is flawless legislation, or even the best possible alternative. After all, politics remain involved. The IAK can be used as a rich source of questions to ask about the legislative quality of the upcoming bill. See the IAK leaflet (.pdf, in Dutch) for a quick overview; non-Dutch readers may get some idea by reading an early publication about this topic: Coping with Uncertainty – A Framework for Evaluation of Legislation (.doc, 2010, Veerman & Mulder). The IAK is commissioned and used by the government, but can be used by anyone to scrutinize legislation. (Again, lots of reading is involved.)

To assess the ethics of intelligence collection, apply Ross Bellaby’s Just Intelligence Principles (2012). Bellaby defines six principles to assess the ethics of intelligence collection. The principles can guide the process of seeking a balance between interests of collecting intelligence and interests of protecting physical and mental integrity, autonomy, liberty, human dignity and privacy — the latter interests being vital human interests, according to Bellaby. (And if a proper balance cannot be struck, the proposed collection should not take place: necessity does not imply proportionality.) These are Bellaby’s just intelligence principles:

• Just cause: there must be a sufficient threat to justify the harm that might be caused by the intelligence collection activity.
  

  “Thomas Aquinas argued that for a war to be just there must be some reason or injury to give cause, namely that ‘those who are attacked must be attacked because they deserve it on account of some fault’. Currently, international law frames ‘self-defence’ as the main justification for going to war.”

• Authority: there must be legitimate authority, representing the political community’s interests, sanctioning the activity.
  

  “For a war to be considered morally permissible according to the just war tradition it must be authorized by the right authority, that is, those who have the right to command by virtue of their position. As Aquinas stated, ‘the ruler for whom the war is to be fought must have the authority to do so’ and ‘a private person does not have the right to make war’. (…) Similarly, one can argue that in order for intelligence collection to be just, there must be a legitimate authority present to sanction the harms that can be caused.”

• Intention: the means should be used for the intended purpose and not for other (political, economic, social) objectives.
  

  “Leaders must be able to justify their decisions, noting that they had the right intentions; ‘for those that slip the dogs of war, it is not sufficient that things turn out for the best’.”

  “Another implication of this principle is reflected in the current debate on personal information databases and how crossover information collection should be restricted. If information is collected – DNA, fingerprints, personal data for example – under a just cause with the appropriate degree of evidence, but was incidentally connected to another crime, then the information can be used since the original just cause and correct intention was present. This would be analogous to finding illegal goods incidentally while performing a legal search. However, what is not permissible is to use a just cause such as tax fraud to justify the collection and retention of DNA, as this type of information is unrelated and is not reflecting the original just cause, clearly outside what should be the correct intention.”

• Proportion: the harm that is perceived to be caused should be outweighed by the perceived gains.
  

  “One can argue that, for the intelligence collection to be just, the level of harm that one perceives to be caused, or prevented, by the collection should be outweighed by the perceived gains.”

• Last resort [=subsidiarity]: less harmful acts should be attempted before more harmful ones are chosen.
  

  “In order for an intelligence collection means to be just, it must only be used once other less or none harmful means have been exhausted or are redundant.”

• Discrimination: There should be discrimination between legitimate and illegitimate targets.
  

  “The principle of discrimination for the just intelligence principles therefore distinguishes between those individuals without involvement in a threat (and thereby protected), and those who have made themselves a part of the threat (and by so doing have become legitimate targets). According to the degree to which an individual has assimilated himself, either through making himself a threat or acting in a manner that forfeits his rights, the level of harm which can be used against him will alter.”

In the proposed Dutch interception framework, the collection phase and preprocessing phase require purpose-orientation, necessity, proportionality and subsidiarity, but the interception is (in some cases likely necessarily) authorized without specifying persons, organizations or technical characteristics. One wonders how the Dutch intelligence laywers, the Minister and the CTIVD would reflect on experiments such as GCHQ’s OPTIC NERVE, in which GCHQ collected webcam images from 1.8 million Yahoo webcam users during a six-month run. It is a case of Sigint search applied to cyberspace. OPTIC NERVE certainly violates Bellaby’s principle of discrimination, and is at odds with the principle of proportion; but Bellaby’s other principles could still be satisfied. Would it be lawful, under the to-be-proposed legislation, for Dutch intelligence to carry out a program like OPTIC NERVE? In the eyes of the intelligence service and the Minister? In the eyes of the CTIVD? Can we anticipate (other?) potential gaps between law and ethics? How about opportunistically, indiscriminately collecting and preprocessing IKE and RSA key exchanges on a large scale, just in case it might be useful in the future for the authorized (broad?) purposes?

One particularly interesting category might be non-specific domestic interception: whereas the Wiv2002 limits non-specific interception to communications that have at least either a foreign source or a foreign destination, it is implausible that the Dutch government will uphold that limitation in the internet age. If eliminated, a strict legal barrier to non-specific domestic interception disappears. And considering the nature of, e.g., jihad-related activity — “swarm dynamics” as the General Intelligence & Security Service (AIVD) put it — certain forms of domestic surveillance can be expected. We’ll find out when the government submits the bill to the House of Representatives, which is any day now.

Further issues to keep in mind are lawyers and journalists, who’s metadata and contents may be searched and/or collected as part of activities in the collection and preprocessing phases. The different authorization levels and separation of jobs and duties are nice, but not foolproof.

Note that the hacking power (Article 24) is separate from the interception framework. There are no CTIVD oversight reports that substantially review uses of Article 24, but from oversight report 39 (.pdf, 2014; about the AIVD’s activities concerning social media, in the period 2011-2014) it is clear that the CTIVD interprets the hacking power to be as a specific power (as opposed to non-specific). It is not clear how the CTIVD would distinguish between placing spyware in a smartphone, or chaining a series of hacks against non-targets to obtain access to a target, or placing spyware inside shared infrastructure (ISPs, telcos, data centers, CDNs, etc.) to enable (bulk?) interception. Think of GCHQ’s plans concerning Belgacom, and programs such as NSA’s QUANTUM INSERT (MitM attacks) and TURBINE (large-scale malware implants). And concerning PRISM it is reported that “some XKeyscore assets are actually compromised third-party services that are queried in place and the results exfiltrated”. (I’m not saying this is unacceptable by definition; I’m saying that a more comprehensive legal framework may be necessary to appropriately regulate the use of hacking powers for such purposes.) And then there’s reconnaissance activities. Port-scanning public IP addresses is hardly infringing (data such as collected in HACIENDA can nowadays be found in the open at Shodan, Scans.io, etc.), but using spyware to gain access to software and hardware configurations (servers? routers? PLCs?), or to pivot access to internal infrastructure, surely is infringing. Is Article 24 — and thus its safeguards — triggered in all circumstances that it should? [UPDATE 2015-07-02: the answer is probably ‘yes’. The draft bill has been published, and it contains a separate paragraph on reconnaissance. From the bill’s MoU it is clear that the permission to perform reconnaissance itself does not cover permission to hack, and hacking will require prior approval from the Minister for hacking.]

One might argue that Dutch intelligence will never plan to carry out programs in a way like PRISM, QUANTUM INSERT or TURBINE (and what have you) because Dutch intelligence is not like GCHQ and NSA — at least not historically (.pdf) — in terms of privacy laws, human rights concerns and legal standards; and of course the smaller Dutch budget. But acquiring access to (possibly-)relevant communications, preferably in cleartext, is one of the core tasks of the JSCU; the Netherlands has relations with NSA (example) and GCHQ (example); and indeed, malware implants and access to shared infrastructure may prove necessary to circumvent cryptography, assuming that the world won’t decide to ban strong cryptography, or to voluntarily or by legal coercion handover cryptographic keys. How will necessity, proportionality and subsidiarity of CNE and CNA be weighed by the intelligence service’s lawyers, the Minister, and the CTIVD? From CTIVD oversight report 39 it is known that bits of unlawfulness took place in the AIVD’s acquisition of web fora: in four cases, the CTIVD found that the AIVD acquired the data of a web forum with large portions of non-target members, and concluded it was disproportionate and thus unlawful. The assessment and monitoring of hacking activities is a point of attention; we’ll hopefully learn more about it during upcoming debates and from future oversight reports.

Citing from page 58 of Aidan Wills’ report Democratic and effective oversight of national security services (.pdf, June 2015), prepared for the Council of Europe:

(…) security service managers and their staff play the leading role in ensuring that their activities are lawful and comply with human rights.  It is individual members of security services, not external overseers, who are present when many decisions with important human rights implications are made. For this reason, the values, ethics and legal knowledge of security service personnel is of utmost importance. With this in mind, security service managers have to implement robust selection vetting criteria to ensure that they only recruit people with appropriate values. They also need to ensure that ongoing training is provided, including on human rights issues (Venice Commission 2007: § 132) and on the role played by external oversight bodies. It is essential that external oversight bodies scrutinise these internal policies and practices of security services.

Let’s recall a statement from CTIVD oversight report 28 (.pdf, 2011):

The Committee found that not all persons dealing with the processing of Sigint on a daily basis, appreciate the infringement [on the protection of personal life] made by this means.

This statement does not imply that the person or persons referred to violated any rule, nor that this attitude exists throughout a larger part of the workplace, i.e. that it would be culture (although group-think might exist some of the time, as it might anywhere). In fact, the CTIVD reports show that on non-sigint issues, the Dutch intelligence services typically use their legal powers in a heedful and lawful way, including the specific interception power that affects specific persons, organizations or technical characteristics. Still, it is worth noting that the CTIVD included that statement in its oversight report. One can’t prevent every possible insider threat (LOVEINT etc.): intelligence personnel are humans too. Also, desensitization to privacy infringement — or not really being sensitized to begin with — seems plausible if employed in intelligence (but quod gratis asseritur, gratis negatur); it the end it depends on individual characters and MICE.

UPDATE 2016-06-07: the Dutch House of Representatives (lower house) voted down the bill proposed by Taverne (VVD) that sought to blow new life in involving electronic means (i.e., computers) in the voting process. The bill itself did not specify what those means should look like, but specifically, an experiment was foreseen to use electronic ballot printers (specifications available here) that printed out a ballot with the voter’s electronic vote, where the voters would put these in a ballot box, and a scanner would electronically count the ballots (while still allowing manual verification afterwards). For the foreseeable future, the Netherlands will be voting using the traditional red pencil.

UPDATE 2015-06-16: it is reported that the Dutch Minister of the Interior is considering an experiment with electronic voting during regional municipal district elections in 2016 (in Dutch: “herindelingsverkiezingen”; not to be confused with the regular nation-wide municipal elections, which are scheduled for March 2018).

On September 17th 2014, the Dutch Minister of the Interior announced his intent to carry out security tests with internet-based voting services. On May 12th 2015, he further informed the parliament about this. The tests are to be carried out by the end of 2016. This particular activity is aimed at facilitating internet-based voting to Dutch voters abroad. The Netherlands is however also examining the possibility of re-introducing electronic voting inside the Netherlands,which — in the current design — will have a paper trail. The remainder of this post addresses that topic, with the aim of shedding some light on the current state of play.

In the Netherlands between 1970 and 2007, voting machines could be used during municipal elections, on a voluntary basis. Only a few municipalities chose to use pencil and paper. In 2006, a large debate took place in the Netherlands that shed light on risks associated with electronic voting (“We Don’t Trust Voting-Computers”), including issues of eavesdropping via EM emanations, issues with reliability, and issues with transparency/verifiability of the vote count. As a result, since 2009 all elections in the Netherlands are based on pencil and paper: national elections, provincial elections and municipal elections.

Two independent committees were established to investigate how it could happen that public trust in voting machines got lost, and how the electoral process should have new safeguards in the future. In 2013, as result of ongoing technological developments, yet another committee was established to re-assess safeguards in the electoral process and possibilities for the use of electronic devices.

In February 2015, the Dutch Minister of the Interior announced (in Dutch) it will examine re-introduction of electronic voting using a method that prints the voter’s choice on a piece of paper, which is then automatically scanned by a computer (for instance by a camera), but still allows manual verification.

Here is a fragment from the Minister’s letter (translated):

Security and costs

The answers that the Van Beek Committee provided to my questions confirm my view that the weighing of requirements for the vote printer and the vote counter is complex. That is especially the case for security. Specifically, the question is what risk profile the security should be based on.

In my opinion, the Van Beek Committee made a right choice by considering the paper voting process to be direction-giving for the electronic counting of (paper) ballots. By using that as a basis, errors (potentially as result of manipulation) in the vote printers and vote counters should not remain undetected. The voter can, after all, check whether the printed ballot contains the choice that he/she wanted to make. By checking the correctness of electronically counted votes, it is possible to detect incorrect counts. Of course it is a good thing that measures exist to detect errors, but if those errors come to light during the election day itself, nothing can be done to redress it. If many or all vote printer work improperly, then voting must be ceased. If it is detected that vote counters work improperly, the printed ballots can be counted manually. These are risks that, if they occur during an election day, can have significant impact on the progress of an election.

In more generally terms, there is the question, also addressed by the Van Beek Committee, whether it can be acceptable that persons and/or groups, outside the elections, can demonstrate that the vote printer of vote counter are not adequately secured. In 2006 that happened with the voting computers that were used back then. It was shown on TV how software on the voting computer could be manipulated, because no security measures had been taken to prevent that. It resulted in a debate on the reliability of the voting computers.

In my opinion, wide consensus about acceptable risks is necessary for a decision to introduce the vote printer and vote counter. Consensus must thus exist about the way in which these systems must be secured. Without wide support, the risk of the reliability of the vote printer and vote counter becomes and remains a topic of debate. That isn’t good for the trust that needs to exist in the systems.

The security level turns out to be of great impact on the costs of the vote printer and the vote counter. The Van Beek Committee provided an estimate of costs (150 to 120 million euro initial investment, then 6 to 10 million euro per election), but could not make it more precise. It has however been found that costs exist that have not been taking into account by the Committee. The Committee finds that no preciser estimates are possible at the moment, because of the large number of uncertain factors, among others because fundamental parts must first be further specified.

What’s next

I still believe that the introduction of the vote printer and vote counter can have benefits for the accessibility of voting and for the counting of ballots. On the other hand I find that the introduction of these IT systems has many complex issues, and is surrounded by uncertainties. That requires careful deliberation.

I agree with the Committee’s finding that, considering the potential benefits, it is worth the effort to take the next step by examining whether it is possible to eliminate uncertainties and reduce complexity. The assumption is that it will then be possible to make (much) more precise estimations of the costs. The Committee recommends that the Ministry of the Interior further develops the specifications for the vote printer and the vote counter. That is a useful proposal. I do think it is essential that during that development, it is constantly monitored whether there is wide support for the specifications. I intend to, as recommended by the Committee, establish a group of (external) experts that have knowledge of the relevant IT topics and of public administration. I promise the Parliament to inform you about the progress at the end of May 2015.

We currently wait for the Minister to fulfill the latter promise. Meanwhile, he did inform the parliament on May 12th 2015 (today) about his intent to examine the security and costs of internet-based voting, meant to facilitate Dutch voters located abroad. Although he did not reference the developments described above, a system suitable to allow internet-based voting to voters abroad may also be suitable to allow internet-based voting to voters located inside the Netherlands.

Related:

• 2015-03-30: Aanbieding rapport over de mogelijke gevolgen van één van de aanbevelingen van de commissie Onderzoek elektronisch stemmen in het stemlokaal (commissie Van Beek) (in Dutch)
• 2015-03-17: Elektronisch stemmen en tellen in het stemlokaal (in Dutch)

EOF

On May 19th 2015 the Dutch Minister of the Interior informed (.pdf, in Dutch) the parliament about the intent to carry out security tests of internet-based voting services, so as to examine whether internet voting can be facilitated to Dutch voters abroad. No reference is made to ongoing investigations/study into (domestic) electronic voting — although a system suitable to allow internet-based voting to voters abroad may also be suitable to voters located inside the Netherlands (depending on the costs involved in sufficiently securing the voter’s side). Here is a translation of the Minister’s letter:

Introduction

In the letter of September 17th 2014 I announced my intent to carry out a test with internet voting for voters abroad, and my intent to further inform you about this in the first half of 2015. I hereby fulfill that promise.

First, I want to memorize the background. In 2014, the cabinet found that the time has not (yet) arrived to facilitate internet voting to voters abroad. The reason for this is that this way of voting has too many risks and is too expensive. Because technology is developing, and the cabinet wants to make voting easier for voters abroad, I find it useful to monitor those developments. The test that I intend to carry out is a means to that end. The test, so I have informed you, will not take place before 2016.

The test relates to security and focuses on the following issues:

• What does internet voting require from the voter. How can the voter have sufficient trust in a voting service he/she used to vote, and what is needed to achieve optimal reliability at the side of the voter;
• How reliable are current internet voting services that are (or have been) used for elections of representative bodies.

Setup

Because it explicitly is not intended that the Ministry of the Interior will commission the development of an internet voting service for this test, the first step to take is examining whether vendors exist of internet voting services that are (or have been) used in elections, and who are willing to subject their service to the test — and if so, under what conditions. After all, they must be willing to accept the risk that the test shows that the security of the voting service(s) is not adequate.

If it would turn out that vendors exist who are prepared to participate in the test, and financial means for the test are available, then in the spring of 2016 the plan will be made for organizing and carrying out the test. The test can then take place at the end of 2016, and as mentioned before, will consist of a simulated election that will take a few days. During the simulation, the security tests will take place.

For the second aspect of the test, being what internet voting requires from the voter, two actions are foreseen. An exploration of the technical possibilities to reduce the risk at the side of the voter, and a survey among Dutch citizens who may vote from abroad to determine what level of security those voters believe are necessary to vote via the internet. Both actions will also take place at the end of 2016.

I promise to inform you in December 2015 about the results of the first step that is now taken, to examine whether vendors exist of internet voting services that are (or have been) used in elections who are willing to subject their voting service to the test.

EOF

The paper Cyber Security of Industrial Control Systems (.pdf, March 2015) by Eric Luiijf and Bert Jan te Paske, published as part of the Global Conference on CyberSpace (GCCS) 2015 that takes place later this month in The Hague, contains a nice explanation of how ICS relates to our daily lives. Quoting from page 10:

Good Morning with ICS

What ICS controlled functions did you use this morning before you arrived at your desk? None? Then, we ask you to re-trace your steps.

Your alarm clock awoke you. You turned on the bedside light. The required extra Watts were generated, transported and distributed under ICS control. While you took a shower, ICS adjusted the drinking water production process and maintained the pressure in the pipelines to your home. Heating of your home and cooking breakfast required the production, transport and distribution of gas. All these processes are controlled by ICS. The cup of milk you used required automatic milking, strict temperature control of the intermediate storage tanks, and processing and packaging at the milk factory, all under ICS control. You either took the train (ICS-controlled signalling, points, power and traction), or road transport (ICS-controlled traffic lights, safety systems in tunnels and traffic control of lanes). Arriving at the office, you passed the ICS-operated barrier to the parking lot and the ICS-controlled security barrier or doors to enter the premises. The air conditioning, fire protection and evacuation systems of your organisation are all operated by ICS 24/7, as well as the elevator you took to your office at the top floor. The (critical) large coffee/tea/chocolate/soup machine has embedded ICS and is connected to the Internet …

You may have noticed that we deliberately skipped at least twenty other ICS operated functions your organisation and you have encountered and used this morning. Can you name them? Surprised by how ICS embed and hide themselves in functionality that is taken for granted?

But who is taking care of the cyber security and resilience of such critical functions? Or are these ICS managed in an unconsciously insecure way?

The remainder of the paper discusses these questions.

EOF

In 2014, Facebook asked an appeals court to block bulk search warrants that directed Facebook to produce, as Facebook’s lawyers state, “virtually all records and communications for 381 Facebook accounts”. Here is an interesting paragraph from Facebook’s opening brief (.pdf, June 2014) for the appeal that shows how Facebook itself reflects on the personal data that is collected:

(…)

People use Facebook to share information about themselves, much of it personal. This information often includes:

• The person’s age, religion, location, city of birth, educational affiliations, employment, family members, children, grandchildren, partner, friends, places visited, favorite music, favorite movies, favorite television shows, favorite books, favorite quotes, things “Liked,” events to attend, affiliated Groups, fitness, sexual orientation, relationship status, political views;
• The person’s thoughts about: religion, sexual orientation, relationship status, political views, future aspirations, values, ethics, ideology, current events, fashion, friends, public figures, celebrity, lifestyle, celebrations, grief, frustrations, infidelity, social interactions, or intimate behavior;
• The person’s photographs and videos of:  him- or herself, children/family, friends, third parties, ultrasounds, medical experiences, food, lifestyle, pets/animals, travel/vacations, celebrations, music, art, humor, entertainment;
• The person’s private hardships meant to be shared only with  friends; and
• The person’s intimate diary entries, including reflections, criticisms, and stories about daily life.

(…)

EOF

UPDATE 2018-12-18: EU LIBE committee report on the proposal for a regulation of the European Parliament and of the Council on the marketing and use of explosives precursors, amending Annex XVII to Regulation (EC) No 1907/2006 and repealing Regulation (EU) No 98/2013 on the marketing and use of explosives precursors (COM(2018)0209 – C8-0151/2018 – 2018/0103(COD)).

UPDATE 2016-03-31: Rules regarding placing on the market and use of explosives precursors (Law explosives precursors) (parliamentary paper, in Dutch).

UPDATE 2015-09-22: the government published (in Dutch) the Memorandum of Understanding for this legislation. It will be discussed on November 5th in a non-public meeting of the standing committee on Security and Justice.

On April 2nd 2015, the Dutch cabinet announced (in Dutch) legislation to restrict the sale of chemicals that can be used for explosives. The announced legislation, of which the text is not yet public, implements EU regulation No. 98/2013 on the marketing and use of these so-called explosives precursor chemicals. It will be illegal to sell certain precursor chemicals to individuals who do not hold a permit. For some chemicals that have common legitimate uses, limits are set on the concentration levels that are allowed to be sold to individuals. The EU regulation sets such levels for hydrogen peroxide, nitromethane and nitric acid. Furthermore, the EU regulation prescribes that suspicious transactions (suspicious “by reason of their nature, or scale”) concerning the following substances (on their own, in mixtures, or in substances) must be reported to the government:

• Hexamine (e.g. fuel tablets for camping or modeling)
• Sulphuric acid (e.g. sink plunger, battery acid)
• Acetone (e.g. nail polish remover, solvent)
• Potassium nitrate (e.g. fertilizer, preservatives)
• Sodium nitrate (e.g. fertilizer, preservatives)
• Calcium nitrate (e.g. fertilizer, preservatives)
• Calcium ammonium nitrate (e.g. fertilizer)
• Ammonium nitrate (e.g. fertilizer)

Some related measures are already in place in the Netherlands; the new law will to some extent formalize standing practice. This standing practice also includes measures that are not explicitly part of the EU regulation; for instance, in one document (.pdf, 2014, in Dutch; mirror) the National Coordinator for Security & Counterterrorism (NCTV) also mentions “fine metal powders”, “permanganate salts” and “other chlorate, perchlorate and nitrate salts” as chemicals for which suspicious transactions may be reported on a voluntary basis.

A poster (.pdf, 2014, in Dutch; mirror) from the NCTV mentions the following example indicators for suspicious behavior:

• buyer appears nervous, avoids conversations, or is not the usual type of customer;
• buyer wants to buy unusual quantities or unusual combinations of products;
• buyer does not know how the product is normally used;
• buyer does not want to disclose what he/she will use the product for;
• buyer refuses alternative products or products with a lower concentration;
• buyer only wants to pay in cash, especially in case of larger quantities;
• buyer refuses to disclose their identity or address when asked;
• buyer wants to package or ship the product in an usual way.

Reports can be phoned in 24×7 at the Dutch phone number +31(0)88-1540000. It is suggested that reports should include as much information as possible about the customer and the transaction, such as:

• appearance: length, build, haircut and hair color, facial hair;
• notable characteristics: tattoos, piercings, scars, etc.;
• vehicle: license plate number, brand, model;
• transaction: time, products and quantities.

Furthermore, receipt, identification data and video footage (security cameras) should be kept, as well as all documents touched by the customer (for fingerprint identification).

Here is a translation of today’s announcement by the Dutch cabinet:

New restrictions on sale of explosives precursor chemicals

Without a permit, individuals can no longer purchase chemicals that can be used to make explosives. They also cannot import, possess, or use the chemicals, if they don’t have the necessary documents. Moreover, sellers and individuals in the Netherlands will be required to report suspicious transactions, disappearances and thefts of such chemicals to the government.

This is stated in a legislative proposal by the Minister of Security & Justice, adopted by the Council of Ministers. This legislative proposal implements a European regulation concerning the sale and use of precursors (chemicals) for explosives. The measure is part of the action program “Integral Approach to Jihadism” [Dutch: “actieprogramma Integrale Aanpak Jihadisme”]. The general objective of the European regulation to improve security of societies and a more effective internal market.

Self-made explosives are often used by terrorists and other criminals. The cabinet thus wants to prevent that these persons get their hands on the required chemicals. It is expected that the availability of those chemicals will strongly diminish after the law is put into effect. The law thereby provides a significant contribution to national security.

Member states of the EU currently apply different rules concerning the raw materials used in explosives. Some countries have strongly regulated the selling of chemicals and monitors it. But sometimes these chemicals are easy to obtain in other countries. Introduction of the regulation must end this undesirable situation.

Many Dutch companies have taken measures in anticipation of the legislation. They also already report suspicious behavior at the Suspicious Chemicals Transactions Reporting Centre [Dutch: “Meldpunt Verdachte Transacties Chemicaliën”], a cooperation between the National Police and the Fiscal Intelligence and Investigation Service (FIOD).

The Council of Ministers agreed to submit the proposal to the Council of State for consultation. The text of the legislative proposal and the advice from the Council of State will become public when they are submitted to the House of Representatives.

Related:

• 2018-04-19: Reducing the Threat of Improvised Explosive Device Attacks by Restricting Access to Explosive Precursor Chemicals (final report of consensus study from U.S. perspective; 214 pages, Open Access; mirror)
• 2017-11-21: Reducing the Threat of Improvised Explosive Device Attacks by Restricting Access to Explosive Precursor Chemicals (prepublication of consensus study from U.S. perspective; 190 pages, Open Access; mirror) and press release.
• 2015-03-xx: EU guidelines on the marketing and use of explosives precursors (.pdf, final version)

EOF

UPDATE 2015-04-10: today, a week earlier than announced, the Netherlands Scientific Council for Government Policy (WRR) published (.pdf, in English; mirror) WRR-Policy Brief 2, entitled “The public core of the internet: an international agenda for internet governance”.

Cover of WRR report

The Dutch Scientific Council for Government Policy (WRR) sent a report (.pdf, in Dutch) regarding internet-related foreign policy to the Dutch Minister of Foreign Affairs, Bert Koenders. The report is a call to action for the Minister to implement three recommendations:

1. “Promote the establishment and spreading of the norm that the public core of the internet — the central protocols and infrastructure that are a global public good — must be free of government interference.”
   • This considers the establishment of neutral zones that governments are not allowed to interfere in for the purpose of pursuing national interests, and argues that non-interference is in the interest of all countries.
2. “Promote that different forms of security in relation to the internet are distinguished from each other nationally and internationally and are addressed by separate actors.”
   • This considers the undesired blend of “security” in terms of CERTs that have a public health-like function for networks vs. “security” in terms of national security, the domain of intelligence services and military cyber units.
3. “Make expansion of the diplomatic field a part of the agenda for internet diplomacy.”
   • This considers the upcoming participation from countries in the East and South that have economical and political views different from those held by the current powers that be.

These recommendations are unrelated to, but not inconsistent with, the recommendations made in December 2014 by the Dutch Advisory Council on International Affairs (AIV) concerning internet freedom.

Alas, no English version is available of the new WRR report (yet?). According to the WRR website, a Policy Brief on this report will be published on April 16th 2015, during the Global Conference on Cyber Space (GCCS) 2015. The website further states:

International protection of the internet is a matter of urgency

The growth and health of our digital economies and societies are dependent on the backbone protocols and infrastructure of the internet. This backbone is now in need of protection against unwarranted interference to sustain the growth and the integrity of the internet. The internet’s backbone of key protocols and infrastructure can be considered a global public good that provides benefits to everyone in the world. Growing state interference with this backbone underlines the need to set a new agenda for internet governance that departs from the notion of a global public good.

Here is a translation of the report’s summary (~2100 words):

Summary

This report intends to contribute to creating the Dutch agenda for a foreign policy regarding internet. The core thought is that the central protocols and infrastructures of the internet must be considered a public good globally. This public core of the internet must remain free of inappropriate interventions by states and other parties who harm and undermine public trust in the internet.

States strengthen their control over the internet

Internet has become indispensable in our daily lives. It is interwoven with our social lives, consumption, work, relation to the government, and increasingly with objects that we use on a daily basis, from the smart meter to the car we drive and the drawbridge we travel across. For a long time, the administration of the internet was the exclusive domain of what is called the “technical community” in internet circles. That community laid down the foundation for the current social-economic interweaving of the physical and digital life. But the management of the foundation, with the Internet Protocol as its most prominent part, has become controversial. Because of the many interests, opportunities and vulnerabilities of the internet, many governments have gotten involved in it. The policy focus has shifted from a primarily economical view on the internet (the internet economy, telecommunications and networks) to a view determined by (national) security: the internet of cybercrime, vulnerable critical infrastructures, digital espionage and cyber attacks. Moreover, an increasing number of countries want to regulate citizens’ behavior on the internet for varying reasons: from protection copyright and addressing cybercrime to censorship and control over their own population.

The fact that national states demand their space and role on the internet, can have consequences for the crucial foundation of the internet. The internet has been made to function internationally, without regard of persons or nationalities, a basic principle that serves all users. It is mostly the deeper technological layers of the internet, consisting of protocols and standards, that enables information to find its way, and arrives in all parts of the world. When these protocols and standards do not function properly, the functioning and integrity of the entire internet is under pressure. The internet can “break” if we cannot rely on information we send to arrive at its destination, that we find the sites we are looking for, and that they are accessible. Recently, more states have started specifically using the deeper layers of the internet to serve national interests.

Considering the huge stake that is the internet, national and international interests of states must be given more weight within the governance structure. At the same time, it is necessary to be careful that the technological core — on which the growth of the internet is built — is not damaged, and to protect it against inappropriate use. The question how national interests and the governance of the internet as global public good can be balanced, must of course be answered internationally. That requires a clear standpoint from the Netherlands.

The public core of the internet

To that end, this report first argues that parts of the internet have the characteristics of a global public good. In global public goods it is about benefits for everyone in the world that can only be realized and maintained by direct action and cooperation. These benefits mostly follow from the core protocols of the internet, such as the “TCP/IP protocol suite”, various standards, the domain name system (DNS) and routing protocols. The internet as public good only functions if it ensures the core values of universality, interoperability and accessibility, and if it supports the core objectives of information security, namely confidentiality, integrity and availability. It is crucial that we — the users — can rely on the functioning of the most fundamental protocol of the internet, because the trust we have in the social-economic structure built on top of it, depends on it. Although it is inevitable that national states want to shape “the internet” to their own image, ways should be found to ensure the general functioning of this “public core” of the internet.

Two forms of internet governance

To provide insight into this tension, two forms of internet governance are distinguished in this report. In the first place, governance of the internet infrastructure. This involves the governance, organization and development of the deeper layers of the internet, that give direction to the development of the internet. The interest of the internet as collective infrastructure is paramount in this. Opposing this, is the governance that uses internet infrastructure. In this case, the internet is used as a means to control contents and behavior on the internet. That can vary from protecting copyrights and intellectual property to the censoring and surveillance of citizens by governments. Increasingly often, the infrastructure and the central protocols themselves are considered to be legitimate instruments to pursue national or economical interests. Whereas internet governance used to be primarily governance of the internet — in which administration and functioning of the internet is put first —, there now increasingly is governance via or using the internet.

Threat within the governance of the internet

The administration of the public core of the internet — the governance of the internet — resides at a number of organizations that are often together referred to as “technical community”. Although it is in principle in good hands, pressure is building from various angles. Political and economical interests, and differences of opinion — sometimes combined with new technological possibilities — challenge the collective character of the internet:

• Large economic interests — such as the protection of copyright and business models for data transport — put large pressure on politics to eliminate net neutrality, formerly a default of the internet, are in fact protect it through legislation.
  
• The administration of names and numbers of the internet (the IANA function) has become politicized. For reasons of international political legitimacy, there is large pressure to remove that administration from the immediate sphere of influence of the US: after all, it is of vital importance to nearly all countries. The Netherlands is served by an “agnostic” shaping of the IANA function, in which administrative tasks remain in the hands of the technical community, and that more political tasks allow room to accommodate the political and economical interests.
  
• The discussion about ICANN (which carries out the IANA function) is also an important test case for the Dutch and European internet diplomacy to bring the formation of international coalitions beyond “the usual suspects” of the transatlantic axis.
  
• Another challenge is the rise of national security thinking on the internet. The engineers approach of the CERTs (aimed at keeping the network “healthy”) and the international cooperation therein are hindered by actors focused on national security, such as intelligence services and military cyber units. A mixture of these views is undesirable, because the partial interest of national security opposes the collective interest of the security of the network as a whole.
  

Threats resulting from governance via the internet

States also directly target the public core of the internet, for various interests. They sometimes affect central protocols. Such practices undermine the reliability and security of the functioning the entire internet. Firstly in technical sense, but in extension of that also in economical and socio-cultural sense: if we cannot rely on the integrity, availability and confidentiality of the internet, that has consequences to the manner in which we want and can use it. The tension between political and economical interests on the one hand, and the interests of the internet as a public infrastructure on the other hands, become clear in dossiers such as:

• Legislation that should protect copyrights and uses protocols and the DNS as a means, such as the American legislative proposals SOPA and PIPA and the ACTA design treaty.
  
• Various forms of censorship and surveillance that use vital protocols and the “services” of internet intermediates such as ISPs.
  
• The online activities of intelligence & security services and military cyber units that undermine the integrity of the public core of the internet by compromising hardware, software, protocols and standards, and keeping vulnerabilities in hardware and software secret.
  
• Some forms of internet and/or data nationalism in which states seek to shield off a part of their internet.
  

On the basis of these findings, this report concludes that governments must act with serious restrain regarding policy, legislation and operational activities that affect the core protocols of the internet. This also applies to private parties that fulfill a key role considering this public core.

Towards a foreign internet policy

What contribution can the Netherlands deliver? The overarching interest of internet security firstly assumes a diplomatic approach in which the internet — explicitly and independently — is raised to a spearhead. Next to traditional spearheads such as trade, human rights and peace & security, the government should prioritize and develop a foreign internet policy. For a small, but relatively influential diplomatic actor in this field such as the Netherlands, “practice what you preach” must be the most solid basis to act as a role model. In new national legislation, the question whether the Netherlands can justify it internationally, must be an important consideration. On the area of fundamental rights and internet policy, the Netherlands should consistently get a passing grade to really claim a leader’s role.

This role entails a diplomatic effort aimed at protecting the public core of the internet. The protection of the public core of the infrastructure thus requires, in addition to political action in states, also a large restraint from those same states. To achieve that, new forms of power and dissent must be organized. The principles of mixture, separation and restraint, three classic principles of bonding power, must therefore be translated to the international context.

Recommendations

The central recommendation that the internet must explicitly be a spearhead of the foreign policy is further developed in this report into three recommendations:

• Promote the establishment and spreading of the norm that the public core of the internet — the central protocols and infrastructure that are a global public good — must be free of government interference.
  

Firstly, it is about an international norm in which the central protocols of the internet are marked as a neutral zone, in which government interference on behalf of national interests is not allowed. In five year, a much larger group of countries have the technical capabilities that are now only in the hands of a few superpowers. If meanwhile also the norm arises that national states can freely determine whether they want or don’t want to intervene in the central protocols of the internet for reasons of national interest, that has a very damaging effect on the internet as a global public good.

A number of important fora are available to the Netherlands for establishing and spreading this norm. Firstly, the EU, and via the EY also trade agreements in which such a norm could be included as a clause. Fora such as the Council of Europe, the OECD, the OSCE and the UN also provide possibilities to anchor this norm. A seed can be planted that can grow to a wider regime over time.

• Promote that different forms of security in relation to the internet are distinguished from each other nationally and internationally and are addressed by separate actors.
  

Secondly, it is about making distinction between various forms of security related to the internet. That requires a strict demarcation and a separation of duties and organizations, and mostly also a restraint of the tendency of states to make national security the dominant view of the internet. Notably the technical approach by CERTs, who have a more “public health”-like approach of the security of the network as a whole, and the approach from national security, in which national interests are put before the interest of the network, must remain separated.

• Make expansion of the diplomatic fielda part of the agenda for internet diplomacy.
  

A demographic shift is taking place on the internet: away from North and West, towards the East and South. Other voices than the European and American one will in the near future speak louder, and will contain different economical and political ideas. It therefore is important to pursue a wide diplomatic effort to convince the so-called swing states that leaving the public core alone is in the interest of all states. Also, private parties must explicit be made part of the diplomatic effort regarding internet governance. Considering the great power of internet giants such as Google and Apple, governments can no longer ignore these parties in diplomatic sense. These companies are more than possible investors or privacy violators: they are parties that need serious diplomatic attention because of their crucial role in digital life, with all the contradictions that come with diplomacy. And lastly, the expertise of NGOs and other private parties must be made productive, without creating false expectations about their role in the administration of the internet. A lot can be whole here, especially regarding thinking about the consequences of internet governance for the technical functioning of the internet as a whole.

Related:

• 2014-12-30: Dutch Advisory Council on International Affairs (AIV) advises on internet freedom
• 2015-03-20: concerning “interference”, also see Open Right Group’s submission to the UK Home Office consultation for the Draft Equipment Interference Code of Practice.

EOF

On March 31st 2015, the Supreme Court of the Netherlands upheld (in Dutch) the conviction of an employee of the Dutch General Intelligence & Security Service (AIVD) for leaking classified information to journalists working for Dutch newspaper De Telegraaf. The court ruled that the AIVD official cannot invoke rights granted by Article 10 ECHR concerning protection of journalistic sources.

Here is a translation of a report (in Dutch) by Security.nl based on the official press release (in Dutch):

Conviction of AIVD employee for leaking classified information to newspaper De Telegraaf is upheld

The Supreme Court of the Netherlands in The Hague today ruled that the conviction of an employee of the AIVD for leaking classified information to newspaper De Telegraaf is upheld. The court states that the employee cannot invoke the journalistic source protection rights. The conviction of the employee’s partner, however, must be done again in a new trial. The Supreme Court finds that the lower court insufficiently made clear to what extent he was intentionally involved in providing the classified information. The employee was sentenced to 16 months prison, her partner 8 months.

The case is about two publications in De Telegraaf in 2009; one on the AIVD’s role in informing the cabinet about the start of the war in Iraq, and one on the security of the Dalai Lama during his visit to the Netherlands. Because the AIVD suspected that information was leaked from the inside, the phone of the journalists involved was eavesdropped on by the AIVD to determine whether that suspicion was justified.

Resulting from a complaint filed by De Telegraaf and the journalists involved, the Dutch Review Committee on the Intelligence and Security Services (CTIVD) found, in hindsight, that the use of phone taps against the journalists was disproportionate. According to the judge, the AIVD should have considered the journalists’ right to protect sources more important than tracing the possible leak. As a result, the journalists were not prosecuted for violating state secrecy. The AIVD official who had  leaked the information, and her partner, were prosecuted.

Illegally obtained evidence

During the appeal, the Supreme Court stated that the evidence that the AIVD had illegally obtained by eavesdropping on the journalists could be used in the case against the AIVD employee. According to the Supreme Court, the lower court was justified in ruling that this evidence does not need to be excluded, because the journalistic right to protect sources does not apply to the employee. From the context of her employment, the employee was bound to confidentiality. The fact that the CTIVD found that the AIVD had gone too far is, according to the Supreme Court, not an extraordinary circumstance that could justify the leaking.

EOF