Analysis: New Dutch spy bill proposes changes in approval, oversight

On July 2, 2015, the Dutch government released for public consultation a long-awaited bill that overhauls the Dutch Intelligence and Security Act of 2002. Known also as Wiv2002, the Act is the legal framework for the operations of the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD). The bill is a complete rewrite of the present law, and includes expansions of power, as well as changes to the approval regime and oversight. The below provides a brief overview focused on the interception and hacking powers.

The services’ special powers, such as interception and hacking, can only be used for a subset of their legal tasks. That subset includes national security,
foreign intelligence and military intelligence. The government annually determines the intelligence needs of itself and other intelligence consumers; the outcome is used to focus and prioritize strategic and operational plans and activities.

The services have and hold a specific interception power, i.e., interception of communication of a specified person, organization and/or technical characteristic (e.g. IMEI, phone number, IP address, email address). This requires approval from the minister in charge. The services also have and hold a non-specific interception power —i.e., ‘bulk’ interception— but the bill expands that power from ether-only to “any form of telecommunications or data transfer”, thus including cable networks. Furthermore, the bill no longer limits the non-specific power to communication that has a foreign source and/or foreign destination, meaning that domestic communication is in scope. Like the specific power, the non-specific power requires approval from the minister in charge. The services can retain raw bulk intercepts not just for one year, as is presently the case, but for three years. Encrypted raw intercepts can be stored indefinitely, as is presently the case; the three year retention period is triggered when bulk-intercepted encrypted data is decrypted.

Certain categories of “providers of communication services” will be required, in consultation with the services, to provide access to their networks, if so requested by the services on the basis of approval from the minister. Those categories will be determined by governmental decree. The term “provider of a communication service” is derived from the term “service provider” in the Budapest Convention on Cybercrime of 2001, and is defined so as to include public telecommunication networks, non-public telecommunications networks, hosting providers and website operators. The services have and hold the right to, under certain conditions and after approval from the Minister, compel “anyone” to decrypt data or hand over keys. The approval request for that must include an indication of the conversations, telecommunications or data transfers that are targeted.

Read more of this post