Dutch dragnet surveillance bill leaked @ 04 May 2016
By Ton Siedsma and Evelyn Austin, EDRi member Bits of Freedom, The Netherlands
On 29 April, the final text for the Dutch dragnet surveillance bill was leaked. It turns out that Dutch Minister of the Interior Ronald Plasterk is still bent on granting the secret services the power to carry out bulk interception of innocent citizens’ communications.

How did we get here? Ever since the law was announced in 2013, one of the main concerns of the debate has been how the dragnet will function, and how extensive it will actually be. Based on the draft that was released for public consultation in September 2015, dragnet surveillance could definitely be in our future.

The explanatory memorandum didn’t do much towards clearing things up.

The Dutch EDRi member Bits of Freedom wasn’t alone in voicing harsh criticism about what was being proposed.

The dragnet rears its head...

After months of silence, on 20 April, the Netherlands Broadcasting Foundation NOS disclosed a number of examples of how the dragnet will be implemented. The examples, taken from a confidential document presented to providers for consideration, demonstrate that Plasterk plans to interpret the law in a far broader manner than he said he would. The number of citizens whose communication will be intercepted is overwhelming.

...and escapes through the meshes of the law 

On 29 April, the Dutch newspaper Volkskrant leaked the bill for the new Intelligence and Security Services Act. Conclusion: the dragnet is still in place. So what was done with the tidal wave of criticism? As the Dutch government reminds us: “The main points of criticism concerned the following three issues: large dragnet, collaboration with foreign secret services, and proper oversight.” These issues needed addressing. But apparently not that much.

The dragnet
As far as “bulk” or “purpose-oriented” interception is concerned, not much has changed, except the addition of the word “investigation-assignment-oriented” to describe the nature of the interception.

Although no definition of this word is given, the memorandum clearly shows that “investigation-assignment-oriented” can be interpreted just as creatively as “bulk” or “purpose-oriented”. The memorandum hardly, if at all, goes into the type of situations that might be envisaged. It’s not ruled out that the power could for instance be used to identify “prison escapees”, but that’s about as concrete as it gets.

It’s deplorable that concrete cases are presented to providers for cost analysis purposes, but are not offered to the Council of State for a proper assessment of the compatibility of such a law–and the manner in which it will be implemented–with European law and the Dutch constitution. What the explanatory memorandum does make very clear, however, is that any limits imposed on the dragnet will have to come from an oversight body after applying the law, not from the government when creating it.

Third party hacking
The government still wants intelligence and security services to be able to hack via a third party. This means that the services are allowed to hack into the device of an innocent citizen in order to hack a target.

This, obviously, is totally unforeseeable for the citizen, and creates major security risks for them.

Neither the loud criticism nor the results of the Privacy Impact Assessment (PIA), which was commissioned by the government, have led to the proposed power being reconsidered. Third party hacking is “essential for an effective implementation of the hacking powers”. Yes, clauses have been added to the draft offered for consultation about the assessment and limitation of the damages to a third party, but this doesn’t resolve the main issue: the damages to a third party resulting from being hacked by the government’s services.

The government acknowledges the fact that, by hacking, vulnerabilities in software will be exploited that can affect a large number of people (for example, a vulnerability in an Android phone will not only affect a suspect, but everyone with the same phone), but concludes that national security outweighs personal security. Of course there is room, but not an obligation, to report the vulnerabilities to “those responsible”. Not an obligation; a possibility.

Oversight
Oversight will be improved. In the explanatory memorandum, the government states that heightened oversight is needed to match the increased power, but it also states that oversight had to be improved due to its conflicts with European law. The depiction of the situation as presented by the government in the bill and in its press release is, shamefully, inaccurate.

As regards oversight, the minister has to request permission from an independent committee consisting of (former) judges. The committee’s decision will be binding. However: if in a hurry, permission can be requested afterwards, or while an investigation is in progress. If permission is denied, the hitherto gathered information will have to be destroyed.

What’s striking is that a number of powers will not have to be sanctioned by the oversight committee, most remarkably the seizing of traffic data. Whereas the Dutch government and European and Dutch courts have said that the seizure of such records constitutes an infringement substantial enough for a judge to have to rule on it, in the case of this bill the power does not require approval by the independent oversight committee. Especially in light of previous European rulings, this is an untenable situation.

For protected professions, there will be judicial review. Exercising interception powers in cases concerning journalistic sources will be subject to more scrutiny: in these cases the period for which a power is allowed to be exercised is limited.

Exchange with foreign services
Nothing has been done regarding the criticism in the responses to the consultation and in the PIA with regard to the lack of rules surrounding the exchange of data with foreign services. The law imposes no restrictions on the data that is to be transferred. The explanatory memorandum does state that information about, or data from, Dutch citizens can be filtered out. However, the government asserts that this is not an obligation, and sometimes even undesirable.

Dutch dragnet surveillance bill leaked: our analysis (04.05.2016) https://bof.nl/2016/05/04/dutch-dragnet-surveillance-bill-leaked/