The Netherlands Government has proposed a law to enable law enforcement and intelligence agencies to not only intercept communications of a specific hacking group but also the victims of that group. For instance, if a hacking group targeted your computer and there’s a warrant against that group, Dutch services can automatically monitor your communications without additional approval. While the initial warrant requires multiple levels of authorization, this extension does not. The oversight regulator (CTIVD) is informed of such extensions and has the power to investigate and potentially halt the operation. If there’s disagreement, the matter can be escalated to the Dutch supreme court. This process differs significantly from prior authorization methods.
The Dutch law (’Wet op de inlichtingen – en veiligheidsdiensten 2017’) has articles on special powers like targeted interception, bulk interception and hacking. In addition, there is a list of interests the services have to protect, and a list of intelligence they should be gathering. Crucially, the powers and the interests are not tied to each other directly.
This means that the law makes it possible to perform targeted operations on organizations or people that are not themselves targets. One of the two oversight bodies (CTIVD, ex-post) has written in 2017 that such ’non-target’ activities have to meet an elevated standard.
As authorities increasingly rely on digital surveillance and data gathering, the line between legitimate investigation and unwarranted intrusion becomes blurred. Many fear that without stringent checks and balances, the right to privacy, a cornerstone of democratic societies, is at risk. Digital investigations can inadvertently expose intimate details of an individual’s life, from personal communications to browsing habits, even if they are not the primary target of an investigation. There are 3 surveillance powers laws that are in process of getting passed and cross-reference each other extensively. These laws lower the requirements and approvals need to do interception and other cyber activities against targets and their victims. The cross-referencing of these laws creates obfuscation around the scope, impact and scale of the newly proposed surveillance powers.
Lotte Houwing for About:Intel:
Dutch intelligence regulation is getting more and more complicated, with three different bills all impacting and cross-referencing each other. Sufficient and accurate information about scale and impact of newly proposed surveillance powers is withheld.
The legislative scrutiny process of these new rules fall below the standards. First of all, the Act contains radical system changes (e.g. it introduces a whole new instance of higher appeal) while being a Temporary Act. This temporary construction allows for framing that diminishes the impact of the Act. So it has been called an “experimental Act” as it is “just temporary”. As well as for claims about his high urgency: “we cannot wait for the structural reform to take these measures.” Second, the bill started out in a speed-procedure, hurrying advisory institutions and leaving less time for critical legislative scrutiny. A status that silently left the stage now the proposal is already 1.5 years old and the urgency-claim is no longer valid. Third, this Temporary Act is written during a process of structural reform of the current Intelligence and Security Services Act and directly after making this bill public, an amendment to it was announced. This results in three bills with intelligence regulation reforms with different scopes and measures, while all three bills cross-reference and impact each other.
In 2018, there was a non-binding referendum on the Intelligence and Security Services Act (Wiv). The majority of voters in the advisory referendum on the Intelligence and Security Services Act (Wiv) voted against the law: 49.44% voted against (3,317,496 voters), 46.53% in favor (3,122,628 voters), 4.03% blank (270,288 voters).
Jan-Jaap Oerlemans for About:Intel:
Growing cyber threats to Dutch national security reveal an urgent need to amend current powers of intelligence and security services. The proposed “Cyber Act” aims to address these challenges by granting bulk interception and hacking capabilities, and by allowing for greater flexibility in the oversight process. However, further clarification is needed on the scope of the Act.
The cyberthreat the proposed legislation aims to address should be completely clear. The Dutch General Intelligence and Security Service (AIVD) first reported about ‘digital infringements on Dutch vital ICT infrastructures’ in 2007. This message highlighting the risks of digital espionage to our national security has been reiterated in every annual report since 2013. These reports explicitly mention various victims of digital espionage, including Dutch ministries, telecom providers, universities, educational institutions, think tanks, and biotechnology companies.
As the Snowden revelations showed, surveillance programs are often created with good intent but then are frequently misused and abused by governmental agencies. The surveillance enabled by these programs and laws extend far beyond the potential threats that they are meant to cover. This raises profound questions about the erosion of privacy rights in our world going forward.
