Dutch dragnet surveillance bill leaked: an analysis

Another attack on privacy but also of the freedom of political organization.
The citizens that are most spied on are the active citizens.

byTon Siedsma via Bits of Freedom

At the end of April, an updated draft for the Dutch dragnet surveillance bill was leaked. It turns out that minister of the Interior Ronald Plasterk persists on granting the secret services the power to carry out bulk interception of innocent citizens’ communications.

How did we get here?
Ever since the law was announced in 2013, one of the main concerns of the debate has been how the dragnet will function and how extensive it will actually be. It led to a squabble between Plasterk and members of parliament. The latter weren’t keen on the idea of a dragnet, so Plasterk decided to rename it. Bulk interception became “purpose-oriented” interception. It sounded different, true, but we were afraid the meaning had been left unchanged.

Squabbles be squabbles
The bill remained vague. Based on the draft that was released for public consultation in September 2015, a dragnet could definitely be in our future. The explanatory memorandum didn’t do much towards clearing things up. We weren’t alone in voicing harsh criticism about what was being proposed. After all, the government has to be clear about their plans and the extent of their reach.

The dragnet rears its head…
After months of radio silence, on April 20th the Netherlands Broadcasting Foundation NOS disclosed a number of examples of how the dragnet will be implemented. The examples came a confidential document that been presented by the government to providers for consideration. They demonstrate that Plasterk plans to interpret the law a lot broader than he said he would. For instance, the law would allow the interception of all communications that run through KPN-hotspots in a single city up to a year. Or all communications that make use of a particular chat app, flowing between a particular city and country, or between two cities. Imagine the chat app is WhatsApp, the city is Rotterdam and the country is France. Keep in mind that an authorization can be exercised for up to a year, that it can be renewed, and that multiple authorizations can exist side by side. The number of innocent citizens whose communication will be intercepted, is overwhelming. The law will allow it, and the cases that were revealed testify to Plasterk planning on utilizing the law to its full extent.

…and escapes through the meshes of the law
The Dutch newspaper the Volkskrant leaked the bill for the new Intelligence and Security Services Act last week (find it here). And as we feared: the dragnet is still in place. So what was done with the tidal wave of critique? As the government reminds us: “The main points of criticism concerned the following three issues: large dragnet, collaboration with foreign secret services, and proper oversight.” These issues needed addressing.

The dragnet
As far as the bulk-, or “purpose-oriented”, or “investigation-assignment-aimed” interception is concerned, nothing much has changed… except the addition of the word “investigation-assignment-aimed” to describe the nature of the interception.

Although no definition of the word is given, the memorandum clearly shows that “investigation-assignment-aimed” can be interpreted just as creatively as “bulk” or “purpose-oriented”. The memorandum hardly, if at all, goes into the type of situations we should be thinking of. It’s not ruled out that the power could for instance be used to identify “absconders”, but that’s about as concrete as it gets. It’s deplorable that concrete cases are presented to providers for purposes of cost analysis, but those same examples are not offered up to the Council of State for a proper assessment of the compatibility of such a law – and the manner in which it will be implemented – with existing (European) law and the constitution. What the explanatory memorandum does make abominably clear, however, is that any restrictions imposed on the dragnet will have to come from an oversight body after the law has been applied, not from the government when the law is being created.

Third party hacking
The government still wants intelligence- and security services to be able to hack via a third party. This means that the services are allowed to hack into the devices of innocent citizens in order to get to a target. This, obviously, is totally unforeseeable for the citizen and it leaves the citizen at great risk.

Neither the voiced criticism nor the results of the Privacy Impact Assessment (PIA), which was commissioned by the government, “have lead to the proposed power to be reconsidered”. Third party hacking supposedly is “essential for an effective implementation of the hacking powers”. Yes, clauses have been added about the assessment and limitation of the damages to a third party, but this doesn’t resolve the main issue: the damages to a third party resulting from being hacked by the government’s services.

The government acknowledges the fact that, by hacking, it will exploit software vulnerabilities that can affect a large number of people (a vulnerability in an Android-phone not only affects a suspect, but everyone with the same phone), but concludes that national security outweighs individual safety. Of course it is possible, but not mandatory, to report the vulnerabilities to “those responsible”. Possible, not mandatory.

Oversight
Oversight will be improved. In the explanatory memorandum the government states that heightened oversight is needed to match the increased powers. Hoever, it also rightfully states that oversight had to be improved on because the way it was initially set up conflicted with (European) law. The depiction of the situation as presented by the government in the bill and in her press release, is, shamefully, a misrepresentation.

Then for the oversight itself. The idea is that for a number of powers, the minister has to request permission from an independent commission consisting of (former) judges. The commission’s decision will be binding. However: if in a hurry, permission can be requested after the facts, or while an investigation is in progress. If permission is denied, the hitherto gathered information will have to be destroyed.

What’s striking is that a number of authorities will not have to be sanctioned by the oversight committee, most remarkably the seizing of traffic data. Whereas the Dutch government and European and Dutch judges have stated that the seizure of such records constitutes an infringement substantial enough for a judge to have to rule on it, in the case of this bill the power does not require approval by the independent oversight committee. Especially in light of previous (European) rulings, this is an untenable situation.

The commission will consist of a chair and at least two replacements. That doesn’t mean, however, that decisions will always be made by three people; one person will suffice. For protected professions there will be judicial review. Exercising interception powers in cases concerning journalistic sources will be subject to even more scrutiny: in these cases the period for which a power is allowed to be exercised is limited.

Exchange with foreign services
Nothing has been done with the criticism of the consultation nor with the critical results of the PIA concerning the lack of rules surrounding the exchange of data with foreign services. The law imposes no restrictions on the data that is to be transferred. The explanatory memorandum does state that information about, or data from, Dutch citizens can be filtered out. However, the government asserts that this is not mandatory and sometimes even undesirable.