Dutch Government Moves To Let Intelligence Community Have More Hacking & Mass Surveillance Powers

from the the-endless-march-of-fear-based-progress dept

The Dutch government is looking to expand its surveillance powers, something which would seemingly be at odds with the current public antipathy towards mass surveillance, but of course isn’t, because governments are expanding powers even while complaining about being spied on. This would be the first major update of its surveillance authorities since 2002, something likely viewed as essential due to changes in technology and “evolving threats.”

Matthijs R. Koots has a very thorough examination of the proposed expanded authorities at his blog, which notes the expansion would come bundled with “improvements to oversight.” While there does appear to be better oversight (and better targeting) in the bill, final approval for much of this leads back to a single person: the Minister of the Interior. Legal oversight is provided by the Dutch Review Committee on the Intelligence and Security Services — roughly the equivalent to the US’s intelligence committees in the House and Senate.

The good news is that, while the bill provides for bulk interception/collections, it does require more specific targeting than the twisted definition of “relevant” the FISA Court applies to the NSA’s collections. The country’s bulk interception program would go further than simple metadata and much further than targeting telcos and major service providers. The bill would demand mandatory cooperation from “providers of communications services,” which is very broadly defined.

[“Providers of communications services”] is defined in a way that includes not only providers of public electronic communications networks and services, but also providers of closed networks, and includes telcos, access providers, hosting providers and website operators.

While the sources are broadly defined, the requests for information will (hopefully) be much more limited.

The use of this power requires approval from the Minister, and the approval request must specify the investigation, the purpose of interception — “purpose-orientation” (Dutch: “doelgerichtheid”) is introduced as a new requirement that intends to limit bulk interception to what is relevant to a “purpose” that must be specified ‘as specifically as possible’; ‘a general indication does not suffice’ —, the type of telecommunications (e.g. GSM, radio, satellite, internet; optionally including geographic boundaries), optionally the types of traffic that are relevant (e.g. voice, chat, file transfer), and in the case of cable networks, the cable infrastructure that is targeted. In other words, no blanket authorizations for non-specific interception will exist, although blanket-like authorizations may, depending on how broad a “purpose”, in the context of a specified investigation, is allowed to be in practice; the requirement, mentioned in the MoU, that the purpose be specified “as specific as possible”, leaves room for interpretation (perhaps necessarily so).

Thus endeth the good news. The broadly-defined providers would be required to “provide access” to their systems and bulk data interceptions would remain “live” for three years, rather than just one. This bulk data can also be shared with “foreign powers.” Again, this is at the discretion of the Minister, so it all depends on how much the Dutch trust their minister to be mindful of their data and communications.

Additionally, service providers would be compelled to hand over stored communications (emails, text messages) in addition to any bulk data collected. Worse, the government would be granted the power to force providers to assist in the decryption of sought data and communications.

Furthermore, the intelligence services are authorized, under certain conditions and after approval from their Minister (Art.30-6 and Art.41-2), to compel anyone (Dutch: “een ieder”) to help decrypt data in an automated work (Art.30-5 to 30-8) or help decrypt conversations, telecommunications or data transfer (Art.41-1), e.g. by handing over keys or providing decrypted data. (A similar provision is present in the current law.) Another legal option to defeat encryption is the use of the hacking power (Art.30, see below), which requires after approval from the Minister; and yet another legal option is the use of agents (who can be tasked with interception or hacking) or informants (e.g. a sysop who, as part of daily work, has access to cryptographic keys).

The government’s hacking powers would also be slightly expanded. The bill would provide authorities with the power to hack adjacent systems to find a side door/back door if the original target proves resistant to its efforts.

The technical reality shows that targets are generally security-aware, but that operational opportunities for using weaknesses in technical peripheral users, such as co-tenants of a certain server, which can lead to successful breaking into the automated work of the target.

There’s more bad news than good in the proposal. While it’s understandable that surveillance laws would need to be revisited more than a decade on from their original installation, it would have been nice to see a little more restraint deployed, rather than the assumption that an expansion of powers (without a corresponding expansion of oversight) is the only way to deal with evolving communications methods.

For what it’s worth, Dutch citizens have until September 1st to offer their input on the bill’s proposals. How much deference the government will show to dissenting opinions remains to be seen.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Dutch Government Moves To Let Intelligence Community Have More Hacking & Mass Surveillance Powers”

Subscribe: RSS Leave a comment
Anonymous Coward says:

The effect of all this surveillance is to suppress the more moderate voices that oppose the status quo. While this leads to fewer people in any form of organised opposition, it also means that they become more extreme and violent, as only the more extreme remain in the organisations. This is why tyrants are often replaced by another tyrant.

Anonymous Coward says:

It's not really surprising....

The Netherlands is a country that prizes uniformity, conformity and generally dislikes privacy. It’s pretty common for people to view houses where curtains are drawn with suspicion and there are laws on the books that make it illegal for more than three people to gather in a public place…

There won’t be any pushback against this. Sure, a few activists will speak out, but most Dutch people will be just fine with this. After all, the Netherlands already has some of highest rates of surveillance in the world (http://amsterdamherald.com/index.php/allnews-list/306-20120523-one-in-1000-dutch-phones-wiretap-interception-police-evidence-gatherin and http://history.edri.org/book/export/html/41), this is just an extension of that.

Joop says:

No surprise indeed..

Thx for the backing up. Appreciate it. The trouble with this law is, that our government has put it in place silently. However, a journalist discovered it and blew the whistle on it. When the media got all over it, our government rapidly renamed the law from “mass surveillance law” to “law on security and safety”. The bastards. And guess what: the people, at least most them, fell for it. So, i have little hope that things will change very soon. We’re living in a dictatorship here, where the government can really do whatever they want without any complaint or protest coming from the people. And they shamelessly DO whatever they want. Just plain out in the open, knowing that nobody will give a damn. Most of the dutch people are reduced to sheep, do not care about their privacy and no longer have an opinion of their own. It’s sad, really. I have gotten myself a VPN and protect my home network with a pfsense firewall and snort intrusion detection/prevention, as i DO care about my and my family’s privacy. Luckily, there’s still people out there that think the same, but we’re a minority.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...