Analysis: New Dutch spy bill proposes changes in approval, oversight
July 7, 2015 1 Comment
On July 2, 2015, the Dutch government released for public consultation a long-awaited bill that overhauls the Dutch Intelligence and Security Act of 2002. Known also as Wiv2002, the Act is the legal framework for the operations of the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD). The bill is a complete rewrite of the present law, and includes expansions of power, as well as changes to the approval regime and oversight. The below provides a brief overview focused on the interception and hacking powers.
The services’ special powers, such as interception and hacking, can only be used for a subset of their legal tasks. That subset includes national security,
foreign intelligence and military intelligence. The government annually determines the intelligence needs of itself and other intelligence consumers; the outcome is used to focus and prioritize strategic and operational plans and activities.
The services have and hold a specific interception power, i.e., interception of communication of a specified person, organization and/or technical characteristic (e.g. IMEI, phone number, IP address, email address). This requires approval from the minister in charge. The services also have and hold a non-specific interception power —i.e., ‘bulk’ interception— but the bill expands that power from ether-only to “any form of telecommunications or data transfer”, thus including cable networks. Furthermore, the bill no longer limits the non-specific power to communication that has a foreign source and/or foreign destination, meaning that domestic communication is in scope. Like the specific power, the non-specific power requires approval from the minister in charge. The services can retain raw bulk intercepts not just for one year, as is presently the case, but for three years. Encrypted raw intercepts can be stored indefinitely, as is presently the case; the three year retention period is triggered when bulk-intercepted encrypted data is decrypted.
Certain categories of “providers of communication services” will be required, in consultation with the services, to provide access to their networks, if so requested by the services on the basis of approval from the minister. Those categories will be determined by governmental decree. The term “provider of a communication service” is derived from the term “service provider” in the Budapest Convention on Cybercrime of 2001, and is defined so as to include public telecommunication networks, non-public telecommunications networks, hosting providers and website operators. The services have and hold the right to, under certain conditions and after approval from the Minister, compel “anyone” to decrypt data or hand over keys. The approval request for that must include an indication of the conversations, telecommunications or data transfers that are targeted.
The services have and hold a hacking power, but the bill now explicitly permits, under certain conditions including necessity, the hacking of systems of non-targets —for instance, when a target system or network cannot be compromised directly, but an opportunity exists to compromise it via a non-target. Also, a new provision is introduced that explicitly permits reconnaissance, such as mapping the infrastructure and software of (possibly) targets.
A notable change in the approval regime is that the hacking power and certain unforeseen contemporary uses of the non-specific interception power, such as metadata analysis, will require approval from the minister. A notable change on the boundary of approval regime and oversight is that new, more specific requirements apply to the contents of approval requests. Approval requests that the AIVD and MIVD send to their Minister are a primary information source for the Dutch Review Committee on the Intelligence and Security Services (CTIVD), an expert oversight committee, to assess, ex-post, the lawfulness of the exercise of special powers. Approval requests for bulk interception, for instance, must specify the relevant investigation, the purpose of interception (this must be specified ‘as specifically as possible’; a general indication does not suffice), the type of telecommunications (e.g. GSM, radio, satellite, internet; can include geographic boundaries), possibly the types of traffic that are relevant (e.g. voice, chat, file transfer), and an indication of the cable infrastructure that is targeted.
The cyber and signals intelligence (SIGINT) tasks are carried out by the Joint SIGINT Cyber Unit (JSCU), which launched in June 2014. The JSCU is tasked with the collection of data from technical sources, making it accessible and searchable, perform analysis (correlation, data mining), and delivering SIGINT and cyber capability in support of the intelligence requirements of the AIVD and MIVD (possibly on-site in military mission areas). The Defense Cyber Command (DCC), established by the Dutch Ministry of Defense, has no direct relation to the new bill, but is affected to the extent that the DCC has relations with the MIVD or JSCU as part of its own tasking and operations. Very roughly put, the DCC is the Dutch equivalent to USCYBERCOM, and the JSCU is the Dutch equivalent of the NSA.
The bill’s public consultation closes on September 1, 2015.
* Guest author Matthijs R. Koot holds a PhD from the University of Amsterdam. He is currently employed as a technical security consultant. His personal blog is here.
► Author: Matthijs Koot | Date: 7 July 2015 | Permalink: https://intelnews.org/2015/07/07/01-1730/