Privacy First New Year’s column
Looking back on 2016, Privacy First perceives a renewed attack on our democratic constitutional State from within. Incident-driven politics based on the everyday humdrum prevails and the Dutch government’s frenzied effort to control the masses is relentless, arrogant and driven by industry and political lobbying. The democratic principles of our constitutional State are increasingly being lost from sight, while the reversal of legal principles has become commonplace. Every (potential) attack thus becomes an attack on our civil rights.
Current constitutional State unable to defend itself
Barely a single day goes by in the current mediacracy without governors who lack any historical or cultural awareness handing us, our children and our future over to a new electronic dictatorship fenced off by 4G masts. Citizens who autonomously seek to inform themselves have become ‘populists that spread fake news’. It’s not just the government that has lost its way; so, it seems, have the mainstream media. The model characterized by fear, hate and control adopted by many authoritarian states headed by a strong leader is increasingly seen as the way to go.
Privacy First has said it before but will reiterate: we are of the opinion that State terrorists who continuously change legislation restricting civil liberties are ultimately much more harmful to our society than a single ‘street terrorist’, however terrible and shocking an attack is for those directly involved. The galling thing is that our constitutional State cannot adequately defend itself against the erosion of democratic principles from within: among other things, there is a lack of independent review of our Constitution. Therefore we are very happy that the European Court of Justice has recently ruled all forms of trawl net technology unlawful in advance. A great verdict that has far-reaching consequences for the State terrorists among our politicians and civil servants. A clear line in the sand.
Our democratic constitutional State came into existence out of the 19th-century way of thinking and will have to be reshaped through a public debate, provided this is done taking into account the basic principles of living together - a human experience that goes back thousands of years. Love, trust and freedom are fundamental pillars. Privacy First discerns a number of changes over the past 150 years to which our constitutional State has no adequate answer, if any answer at all. These changes will have to be integrated into a newly structured democratic constitutional State which will have to be partly parliamentary and partly shared. In other words: the democratic foundation is there, but will have to be adapted to the desires and developments of our time.
Towards a Shared Democracy: adjusting parliamentary democracy to our present time
Privacy First calls on (and challenges, if necessary) every Dutch citizen to participate in a broad public discussion in order to shape a democracy 3.0. After Athens (1.0) and our parliamentary democracy from the 19th century onwards (2.0), in our eyes it’s time for the concept of a Shared Democracy (3.0), which is both a disruptive way of thinking as well as a social model for which we identify seven big drivers that help adjust our current 19th century system. Privacy First notices that these seven drivers are currently undermining our model from the inside and the outside. But by thinking differently, one will find that these pillars also offer an opportunity to move towards a new form for the future: the so-called Shared Democracy.
1. Changing role of the media; towards a mediacracy
Originally, in the 19th century model, the media didn’t yet have the scale and level of outreach today’s media have. The influence of the media has become large to the extent it will have to be one of the pillars of the future Shared Democracy.
2. Changing role of citizens
The enormous financial and social emancipation, the elevated level of education and the individualization of citizens are currently leading to huge tensions in the democracy of parliamentary representation. As part of the old way of thinking, citizens are still regarded as an unassertive, inferior, necessary evil. However, citizens want to have decision-making power on numerous issues and this – supported by the newest technologies and means of communication – will have to be structurally implemented in the Shared Democracy on the basis of various structures of representation and participatory leadership based on personal responsibility, an area in which politics and the government are still falling far behind in their relationship with citizens.
3. Scientific, technological and information revolution
These revolutions create new opportunities and offer an almost real-time insight into the developments and events within society. Moreover, the internet and associated infrastructures enable completely new forms of exchange and marketplaces of ideas and decisions. This happens on a worldwide scale between like-minded people and people who hold different views. Where supply and demand are ill-aligned, new services that have a disruptive effect on old structures pop up. Think of the clear imbalance between citizens and politics. A solution for that problem can be found in completely new and invigorating systems and structures, set up with an open and free attitude, with privacy by design enshrined in legislation and with the application of advanced technology - all elements that distinguish the Shared Democracy.
4. Unrestrained proliferation of public authorities
The house is ready to move into, but the contractor keeps coming back every day to see whether there are still tasks to be done... likewise our government exerts its influence on our daily life and on today’s economy. The unrestrained proliferation of public authorities has got to stop immediately and the government has to be brought back to normal proportions, in line with a standard that has yet to be established. By now, citizens serve the government instead of the other way around. The power of (central) public authorities is no longer commensurate with those of individual citizens. A key trait of the Shared Democracy will be the size, power and scope of the government.
5. Lifelong professional politicians
Another thing the founders of the 19th-century model didn’t take into account (despite the separation of powers) is the fact that many current (national) representatives are full-time politicians, some of whom carry out public sector activities quite directly related to their political function. The latter in particular have lost all connection to society and virtually live off taxpayers’ money without any risks. In the Shared Democracy we envisage, we advocate that representatives of citizens make clear choices and are in favour of all possible mixed forms of citizens and representatives in order to create a much larger engagement and responsibility among individual citizens when it comes to being active politically.
6. Financial sector, upscaling and mass control
The centralization and management of financial flows disconnected from the underlying value erode both the economy and society. The human dimension is disappearing into the background in upscaling and efficiency models dominated by financial flows. By introducing mantras such as ‘cash is criminal’, paying anonymously is being phased out while bank runs that could endanger and destabilize the system are being prevented. Here too, the web continually gets tighter around citizens and money no longer belongs to them, but to banks and the government. With a view to the future and on the basis of current and future technological possibilities, in the Shared Democracy, ownership relationships and the right to anonymous means of payment will have to be firmly embedded in law.
7. Supranational elite of individuals and companies
One of the effects of globalization is the rise of a large group of supranational companies and individuals that are disconnected from their nation-states and societies, benefitting from the rights they have but not fulfilling the duties that society equally brings along. Now that information and power are concentrated within a few very large, global conglomerates, there are many financial corporations and companies that have become larger than nation-states. The non-transparent power of lobby groups backing these conglomerates thrives under the old, authoritarian pyramid structure of centralized political representation. In the Shared Democracy, special attention will have to go out to democratic shaping and modelling on all levels, while the centralized and decentralized power structures have to be continually in balance and be measurable with the most advanced technology.
How will the Shared Democracy deal with all this? How much more freedom are we prepared to give up for the sake of (false) security? 100% security = 0% freedom. How are we going to restructure our society and democratic system in order to hold on to our principles with the seven drivers of development in mind? And on which scale are we willing to do so?
To better define these questions and look for answers, Privacy First will organize a New Year's Reception on 19 January 2017, at 7:30 pm in the Volkshotel in Amsterdam. The reception (in Dutch) will revolve around the Shared Democracy.
Privacy First encourages everyone to contribute to this new movement towards a Shared Democracy in an open and free debate on all available communication channels!
Privacy First Foundation chairman
The Privacy First Foundation organises networking drinks on a regular basis, inviting a prominent speaker around a topical issue. In September this year we organised a night with the Head of the AIVD, the Dutch Intelligence and Security Service. On 22 October we invited a speaker from the cyber security scene, namely Wil van Gemert, Director of Cyber Security at the NCTV, the National Coordinator for Counterterrorism and Security, part of the Dutch Ministry of Security and Justice. Investigative journalist Brenno de Winter was asked to moderate the discussion. Below is a translated summary of Mr. Van Gemert's speech and the discussion with the audience that followed:
Introduction by Privacy First
Chairman Bas Filippini gives a short introduction on the work of the Privacy First Foundation and introduces Wil van Gemert as well as Brenno de Winter. Filippini recalls that the Dutch government increasingly expects citizens to do everything digitally. In particular the elderly as well as people with fundamental objections are put in difficulty by this development. Meanwhile the government attains ever more powers of surveillance in the digital private domain of citizens. A current development in this regard is the plan of Dutch Security and Justice Minister Ivo Opstelten to be able to hack into computers of citizens. Privacy First is firmly opposed to this plan because, among other things, it would violate the right to confidentiality of email. The Dutch government should safeguard the privacy of its citizens. In that sense Privacy First and the Dutch government share the same goal, albeit from different perspectives. However, Opstelten’s hacking plans threaten to break down people's privacy and (through this) democracy as a whole. Filippini then gives the floor to Wil van Gemert.
Trends in cyber security
Mr. Van Gemert thanks Privacy First for the invitation and kicks off by showing a funny commercial advertisement about linguistic confusion. Like in the video, in cyber security it is all about trust, knowledge and awareness. Finding the right balance between tasks and responsibilities is equally important. In his lecture Van Gemert consecutively pays attention to current trends in cyber security, tasks of the government, cooperation between the public and the private sphere, the Netherlands Cyber Security Assessment (Cyber Security Beeld Nederland) and 'security versus privacy?': is this a contradiction or rather a matter of complementarity? And what are the present-day challenges? When it comes to cyber security, it all revolves around confidentiality, reliability, integrity and continuity of data in the digital information society. The first worldwide trend that Van Gemert identifies is 'Big Data': the enormous amount of data that is stored continuously and which increases on a daily basis. How can we handle this in a good way? A second trend is hyperconnectivity: the number of digital (internet) connections increases exponentially. This is how an 'Internet of Things' comes to life. The Netherlands has the second-highest internet density in the world, which gives our country a special position in this regard. A third trend is the disappearance of borders, both in time and distance as well as in terms of work and the private sphere. These trends require changes both in the way companies do business as well as the role of the government in guaranteeing a secure society. These trends also have an influence on people, on consumers, for example through the new possibilities offered by mobile telephony. Big Data can be used to make highly personalised commercial offers in real time, say, a travel insurance when you're at Schiphol airport. However, when Van Gemert asks how many in the audience find this a good idea, not a single hand is raised.
Van Gemert doesn't think it's a good idea himself either: it harms your privacy, it makes you feel you're being followed. Relatively many youths seem to be just fine with it though.
The influence of social media
An important aspect of cyber security is mobility: companies want to be able to reach their clients everywhere they go and employees are increasingly less bound to a workplace at the employer's office. For companies, political parties and the government too, social media become ever more important to know what goes on in the market or in society. An interesting case is the recent incident with an airplane from Vueling Airlines with which radio contact was lost and for which the possibility of a hijacking was, for some time, taken into account. Since 2001 such an airplane (a 'renegade', PF) has been escorted by F16s as a matter of procedure. Imagine, however, that all passengers inside the airplane communicate through Twitter that things are fine: how do you deal with that as a government? These are questions that are pondered over within the government at the moment. Another aspect concerns the role of the government: from a monopoly to a more independent role since for the most part the cyber infrastructure is in the hands of companies. Then there's the authority issue: social media have an influence on the degree to which government campaigns are successful with the general public. A recent example is the government campaign for vaccinations against cervical cancer. A further aspect is that cyber security is community driven: the community makes itself the owner of a certain problem, as was the case for example with the Dorifel virus. This community consists of researchers, relevant companies, hackers etc. and can sometimes offer clarity on certain issues, unlike classical investigation methods, where direction lies with the government. However, the digital IQ of most companies is still low, so it is a challenge for the government to increase the digital IQ of companies, says Van Gemert.
Lack of a security concept in cyberspace
The Netherlands is a country characterised by seas and dykes: if the water seeps through, we build a dyke around it. This classical way of crisis containment is almost impossible in cyberspace. Companies often are not aware of where their data are situated precisely, how they are interconnected and which effects occur when a failure manifests itself somewhere. Apart from the human factor, platforms, applications and infrastructures all have problems of their own. Due to the interaction between these four levels, a security problem often becomes very extensive. In the physical world we are familiar with a safety concept; think of the safety regulations on a construction site. But is there such a security concept in cyberspace? And which roles do the government, the private sector and citizens play in this? At the moment this is insufficiently clear. On the highway certain safety standards and traffic rules are in force. But each citizen can also buy a computer and go onto the digital highway unprotected.
For a year and a half the Netherlands has had a National Cyber Security Strategy. Part of this has been the installation of a Cyber Security Council: an independent advisory body for the government. In the National Cyber Security Strategy it has been agreed that the Netherlands makes an annual Cyber Security Assessment of threats and actors. Furthermore, since the beginning of 2012 there has been an operational management within the NCTV, which consists of two parts: 1) the National Cyber Security Centre, NCSC (which acts as a centre of excellence, among other things) and 2) a range of policies (which support, among other things, the answering of parliamentary questions and questions from the private sector). The starting point here is public-private partnerships; in this way new coalitions with new forms of participation between the government and trade and industry as well as with NGOs come to life. Both the government as well as private parties and experts take part in the Cyber Security Council and in the NCSC. One topic that is being dealt with together is cloud computing. Moreover, the NCSC has recently gained an ICT Response Board; within this public-private partnership people from the government and the industry can be called upon for advice and assistance in the event of incidents or crisis situations. Then there are ISACs, Information Sharing and Analytical Committees, in different areas, for example for the vital infrastructure with regard to energy, water, finances, etc. This too is a public-private partnership.
Threats in cyberspace
Cyber security has been a hot topic of late and negative incidents sometimes result in positive initiatives. There has been a unanimous request by the House of Representatives to set up a security breaches notification centre. In this context Van Gemert tells the following: "The Diginotar affair has made clear that the following question is of relevance: what can the government do in the event of a crisis? How can the government force a company that plays a key role to cooperate in order to prevent social breakdown and damage to society? Are such possibilities at our disposal in the first place? Our conclusion from July this year was affirmative, in case we can declare a state of emergency in relation to a cyber incident." Furthermore, Van Gemert stresses that we should not just invest in the detection of data leakages, but also in the right response to them. Here the role of the government concentrates on coordination, communication and consultation. In July this year the second Cyber Security Assessment of threats, targets and actors was released. The main threat comes from foreign governments (espionage) and cyber criminality. Contrary to what most people believe, so far cyber terrorism poses a smaller threat. In addition, cooperation between 'hacktivists' and foreign State actors (i.e. intelligence services) could be worrisome.
On the relationship between privacy and security, Van Gemert remarks that as far as he is concerned "there is no privacy without security. If you do not organise security, in the end there will be no privacy. You really do need to take measures to make sure your privacy is protected. Privacy and security have a mutual interest in each other. So in that area, information protection and related agreements are necessary. Also in order to protect privacy, on a daily basis the NCSC brings out advice on vulnerabilities which could be harmful for companies and citizens. Our website www.waarschuwingsdienst.nl is focussed on making citizens more aware and mobilising them against threats. However, we are not a supervisory body, we cannot enforce anything. We can merely give out advice and propose best practices. Between 12 and 22 November 2012 the government will pay attention to 'awareness' through its campaign Alert Online in cooperation with 10 partners. This campaign is aimed at citizens as well as companies."
Finally, Van Gemert underlined the importance of fundamental digital rights and self-reliance of citizens through knowledge and awareness. Van Gemert brings forward three subjects for discussion with the audience: 1) How do security and freedom relate to each other conceptually? 2) What is the role of Privacy First? Is it always to be an opposing force or can it also be an ally? 3) What is the role within cyberspace of our law-enforcement and supervisory organs, for instance the police? What is their role when it comes to individual emergency aid and law-enforcement in cyberspace?
Discussion with the audience
Even though Van Gemert is not responsible for the cybercrime department, he is nevertheless prepared to say one or two things about it on behalf of the Ministry of Security and Justice. Answering a question from the audience about the possible international consequences which an intervention in cyberspace from the Netherlands may have, Van Gemert points out that the concept of virtuality requires a different approach compared to a territorial approach when it's not clear where a particular server is situated. Here he makes a comparison with the development of maritime law in international waters. The country in which the damage occurs should form a point of reference in terms of jurisdiction. However, in this regard there are no unequivocal answers; the national and international rules on these matters are not yet clear. Brenno de Winter emphasises that Dutch hacking activities in foreign countries could well set a dangerous international precedent. What if a country like Iran ascribes those same powers to itself? This is a concern that is shared by others in the audience.
Another question from the audience relates to the public-private partnership as is the case with Diginotar. Israeli wiretapping systems in the Netherlands are being referred to as well. Does the Netherlands not make itself enormously vulnerable with this? Van Gemert replies that this has indeed become a prominent question since the Diginotar affair. However, he is not willing to go into the topic of wiretapping systems since he's not involved in this in terms of policy. Someone in the audience then mentions that, within public-private partnerships in the area of cyber security, Dutch NGOs are structurally being kept out. De Winter too remarks that the NCSC is seen by many as an unreachable fortress where you're not being heard. Van Gemert responds to this saying the NCSC certainly does look for contact with pressure groups. Here too the question is which side these pressure groups pick: do they take on an opposing or a supporting role? "I'm convinced that we should look for new forms of cooperation between the government, the industry and trade, the citizenry and with pressure groups, which make sure our society becomes more secure. Looking out for those contacts is the reason that I'm standing here," Van Gemert says.
Another question from the audience is about the detection of hack attempts. To what extent is this being delegated by the government to industry? Van Gemert reacts saying that the government does the detection work itself on the basis of the exchange of digital traffic data (not on the basis of content) as far as it concerns the vital (government) infrastructure; companies take care of such detection efforts themselves. Someone in the audience remarks that in this respect the government could take up the role of bringing together relevant knowledge and experience in each individual business sector. Another comment from the audience concerns the lack of international rules that was presupposed earlier: why does the Netherlands not conform itself to the already existing Budapest Convention on Cybercrime and why are the legal possibilities under this Convention not being adequately used? Other observations deal with the cooperation between Dutch municipalities, the banks and the telecom sector. Someone asks how big a threat cyber warfare really is and how the Netherlands prepares itself for it. Van Gemert here refers to cyber as the 'fifth battlefield' apart from the four domains of land, sea, air and space. This is an actual development: by now there are about 20 countries which have the capacity for this type of warfare. There are a lot of financial cuts in the Netherlands, but money is actually being invested in cyber matters by the Ministry of Defence. Cyber war entails a new question of attribution: which country inflicts the damage and how is one to react to it? During the discussion the US Patriot Act is mentioned as well as the risks of storing data in 'the cloud'. "Think carefully about what you put in the cloud," Van Gemert advises.
Then comes the question to what extent the government considers the protection of personal data vital for our infrastructure and to what degree the government is keeping an eye on the risks of identity fraud and identity theft through the coupling of personal data to citizen service numbers. Does the government endorse the Scientific Council for Government Policy report called iGovernment? Is declaring a cyber state of emergency equivalent to a disaster or warfare situation in which all regular legislation can be nullified with all the privacy risks it entails?
Someone mentions that the police power to hack into computers of citizens could imply that computer data of individuals could be changed without it being noticed and could then be used against those same individuals. Van Gemert replies that personal data is fundamental and critical data that is to be protected properly. Not just companies but citizens themselves ought to be better aware of this. As far as a state of emergency is concerned, Van Gemert remarks that this was not even proclaimed during the Dutch flood of 1953. In terms of cyberspace there is no need for new, complementary legislation for a state of emergency. Current legislation for a state of emergency can only be applied in extreme situations.
Another point of discussion is the fact that for years the Dutch government has been dependent on Microsoft: why is this situation (with the associated privacy risks) lasting ever longer? On request Van Gemert clarifies his earlier remarks on a cyber state of emergency: such a situation cannot be proclaimed on the basis of a single incident, but only when we're dealing with large-scale societal breakdown. The audience then asks to what degree the government has the responsibility of not making legislation and policies which can be copied and abused by other countries, like the way companies are not allowed to deliver certain dual use equipment to certain countries. Van Gemert says that for some goods there are indeed UN sanctions lists: the Dutch General Intelligence and Security Service (AIVD) verifies this. A free internet abroad is mainly supported by the Dutch Ministry of Foreign Affairs. Generally speaking, a democratic society always needs to abide by a moral guideline. Then the discussion about possible government powers to hack computers in foreign countries comes to life again among the audience. In this context, does the permission of an examining magistrate offer sufficient protection against abuse? Someone else in the audience remarks that, nowadays in the area of phone-tapping, the examining magistrate has become some sort of rubber-stamping device. Someone remarks that Van Gemert's distinction of five domains of warfare is put too simply. In international law, traditionally there are only three domains of warfare: land, sea and air. Since the 1970s, in space the principle of 'peaceful use of outer space' applies. So why not introduce a similar new principle of 'peaceful use of cyberspace'?
In reaction to a question about guaranteeing privacy, Van Gemert replies that he attaches importance to clarity over what is and what isn't allowed. Through investigative powers sometimes one's innocence can also be proved. The challenge is finding the balance between cyber security and privacy, Van Gemert says. Then someone in the audience points to the dangers of the coupling of personal data and function creep. Our democratic constitutional State is no invariable matter of fact. Does the government take this into account? Van Gemert reiterates that the challenge is in finding the right balance. Calls for new legislation by parliament after an incident are not always adhered to by the government, for instance when it concerns anti-terrorism legislation and emergency legislation. Then someone in the audience states that for a raid a search warrant is required, which is verifiable for the citizen. This verifiability is absent when hacking into a computer. Van Gemert responds by saying that such verifiability is equally missing when it comes to phone tapping or police observation, especially when it's a case that's not brought to court. In this respect, De Winter remarks that the government does not comply with the existing compulsory notification either. From the audience it is added that through all registration measures the presumption of innocence of citizens is put under pressure. This changes society and makes people start to comply with an 'all-seeing government'. As a response, Van Gemert underlines once more that 'privacy and security cannot do without each other'. In his view these sorts of discussions are important to get more clarity and to be able to make steps forward. Finally, Van Gemert stresses the importance of a security concept in cyberspace with sufficient attention to privacy.
De Winter gives the final word to the Privacy First Foundation. Chairman Bas Filippini thanks Van Gemert for his open attitude toward the opposition. In the view of Privacy First, discussions such as these are fundamental. In recent years there has been too little dialogue with the privacy movement; the government has grown bigger while participation by citizens has decreased. Privacy First is happy to accept the invitation to become part of the coalition. "We will be a necessary irritant, but you have to be able to deal with that", Filippini concludes.
On June 11, 2012, the long-awaited National Privacy Debate took place in The Hague. Privacy First summarizes the most noteworthy aspects for you, starting with the striking plea (in Dutch) for a Privacy Delta Plan by Brenno de Winter:
"The National Privacy Debate is a unique opportunity to start something beautiful and to challenge people into engaging in open discussion. Let us seize this opportunity and work on a Delta Plan. To make the Netherlands a guiding country again. A model for the rule of law as to the protection of the citizen. That's what we are best at!"
The floor was then given to Anthony House (Google), who at the end of his keynote speech posed the following question to the audience:
“Are the principles of data protection that were developed in the 1970s still good today? Do we need to start from scratch on privacy principles?”
From the silence in the audience and some answers that followed, it could (fortunately) be inferred that the classic privacy principles still suffice today, at least to a large extent.
The event then turned to the first panel discussion, which was focused on the question of what is currently preferred most: more legislation or more self-regulation? The responses from the panel and from the audience showed a predominant preference for both options together instead of just one or the other. As in the financial sector, good laws and strict enforcement have become a bitter necessity for the ICT sector. However, such laws only represent a rapidly aging minimum level of privacy protection. It follows that it is up to the ICT sector itself to operate continuously at the highest, most privacy-friendly (i.e. customer-friendly) level. This is an important selling point which offers significant competitive advantages. In this sense, legislation and self-regulation can complement each other well.
Then there was a speech by Joost Farwerck (KPN) who stated, inter alia, that privacy now has a high priority among a broad Dutch audience: research by KPN had shown that the public attaches most value to this after good healthcare and education. Therefore, KPN has set up an internal Privacy Awareness program and an external Privacy Mission. Farwerck finally pleaded to make the National Privacy Debate a recurring event. (So did Arie van Bellen (ECP-EPN) later that day.) Privacy First is happy to join this plea.
During the second panel session (on privacy and security) some interesting parallels were drawn with security in other sectors such as the food industry and the aviation industry, both in terms of legislation and self-regulation as well as supervision and enforcement. Earlier in the day, Vincent Böhre (Privacy First) had drawn a similar parallel with past developments in the field of environmental protection. Many participants in the debate agreed that, on the one hand, the Dutch Data Protection Authority (DPA) lacks adequate resources and powers, while on the other hand its enforcement of existing privacy laws is too weak. In addition, Walter van Holst (Mitopics) rightly noted from the audience that more emphasis should be put on data minimization. Indeed, without any data no security is needed.
The floor was then given to Bart de Koning: journalist and author of the Dutch book 'Alles onder controle, de overheid houdt u in de gaten' ("Everything under control, the government is watching you"). In his speech, De Koning pointed out some positive recent developments, such as the Dutch resistance to passport fingerprinting, the new Dutch law on cookies, net neutrality and political attention to the risks of the U.S. Patriot Act. At the same time he warned about negative developments such as the Dutch proposal to provide all car number plates with RFID chips. Furthermore, the Netherlands is still champion in eavesdropping. In addition, De Koning noted that Dutch media (including Elsevier magazine) are devoting more attention to privacy than before and that citizens are increasingly keeping an eye on their government instead of vice versa. "The citizen peeks back" and this can have "a disciplining effect on the State", De Koning said. As to the future, De Koning suggested the following guidelines to the audience: 1) think before you act, 2) data minimization, 3) transparency, 4) effectiveness, 5) sunset clauses and 6) an ongoing debate. De Koning further argued for the introduction of Dutch constitutional review (at the judiciary), a Constitutional Court and stronger oversight by the Dutch DPA. In this connection he made a comparison with Germany, where ANPR (automatic number plate recognition) is prohibited.
Then there was room for discussion with the audience, at which point Joyce Hes (Foundation for the Protection of Civil Rights) made an especially important remark: many public debates (including the periodic Privacy Cafes in Felix Meritis) are conducted with privacy advocates. Politicians and officials who are critical of privacy rarely show up at these debates. This is not good for the discussion.
Finally, Bart de Koning stated that the ethnic 'underclass' has become the main victim of systematic privacy violations, including preventive home visits. Privacy First endorses all of these points.
The topic of the third panel session was "privacy and government":
On behalf of Privacy First, Bas Filippini kicked off as follows:
"What we focus on are private choices in a free environment. Private choice means the freedom to choose, and a free environment means that we endeavor to keep society as free as possible for the average citizen in the Netherlands. This unless you are suspected of a crime: then privacy can be exchanged for security. That is our philosophy. We argue things from principles first, tested against the Constitution. Then we look at the implementation: are there sufficient checks and balances? How is policy being set and how is it applied? Only finally we look at technology. I always use the following example: "With a knife you can stab someone, but you can also make a sandwich." For many people, technology is the "holy grail" to which everything is connected, without first having taken these three steps: 1) principles, 2) policy, 3) implementation, followed by smart use of technology. Often the principles of subsidiarity and proportionality are breached, which is very unfortunate. In government, there are many people who would like to do things differently, but if they disagree with something, they are quickly seen as whistleblowers, which has a stigmatizing effect. So the Titanic keeps on sailing towards the iceberg, currently resulting in more and more profiling. By that we don't mean targeted profiling in case of a reasonable suspicion of a criminal offence, but surveillance of an entire population to see if there is "anything wrong" somewhere, based on outliers, the deviations from the median. We consider this a great danger, because everyone will become suspect. This creates a lot of self-censorship among people, officials and citizens alike."
During the remainder of the panel debate, the observations by Ronald Leenes (Tilburg University) stood out: Leenes warned about loss of confidence among citizens in their government if that government didn't take the right to privacy seriously. "The consideration whether or not an infringement of privacy is necessary in a democratic society is hardly made by the Dutch government in a number of cases", Leenes said. According to Leenes, data are being collected simply "because it's possible", there is huge confidence in technology, it is thought that more information leads to better decisions, insufficient attention is paid by the government to alternatives to reach the same goals, and there is ignorance. Leenes warned about current plans to register prostitutes in a central database. He also stressed that privacy is not only an individual right, but that it also has a social function.
Others in the panel pointed to the dangers of risk profiling. Furthermore, the fallacy "if you have nothing to hide, you have nothing to fear" was unanimously invalidated: everyone has the right to keep his or her private life simply to themselves. Moreover, a core element of freedom is precisely that you may have something to hide. It was further noted that hard work is needed to increase privacy knowledge and awareness in government. Some in the panel emphasized incompetence in government rather than intent. Bas Filippini replied that there is often an agenda behind things, namely policy from the United States and the European Union. "How do you shape your society? Do you do that on a basis of fear, hatred and control, or on a basis of trust, freedom and love?", Filippini said.
Then there was a discussion with the audience, in which Jeroen Terstegge (PrivaSense) rightly stated that one should be wary of Privacy Impact Assessments (PIAs) conducted by directly involved officials rather than an independent regulator, such as a Chief Privacy Officer. In this field there should be more self-criticism in government, aside from the Dutch DPA's external role. Another striking remark from the audience was made at the end of the panel session by Dimitri Tokmetzis (Sargasso): insurance was originally intended to spread risk, but through profiling risks are being individualized. This comes at the expense of solidarity in our society.
Thereafter Pim Takkenberg (National Police Services Agency, KLPD) gave a speech on the theme of privacy and criminal investigation, in which he specifically discussed the dilemmas around dismantling a so-called botnet: a network of hijacked computer systems. According to Takkenberg, the legal framework in this context is sometimes "insufficiently specific", e.g. in case of 1) remotely "entering" (or hacking) computer systems by the police and 2) international cooperation in fighting cybercrime. Also in public-private partnerships, the police in this context are still "walking on eggshells", Takkenberg noted. In reply to a question from the audience about the effectiveness of data retention, Takkenberg said that "sometimes you have to give things some time in order to see what they yield in the long term". This strengthens the position of Privacy First that this measure should never have been introduced. Finally, Takkenberg rightly stated that the police do not benefit from too much information gathering and that one must be very selective.
The panel discussion on privacy and criminal investigation that followed took an unexpected turn due to the comments of Jan Grijpink (Utrecht University, formerly also Ministry of Justice) on the recent complications surrounding the Dutch biometric passport. When asked which aspect of the privacy debate annoyed him, Grijpink answered as follows:
"The discussion about the biometric passport, which I find a good example of how too persistent nagging - if I may say so - on the privacy side impairs the security side. If we have now come to the point of saying "let's remove the fingerprints from the passport", then I am satisfied. Back in 2002, I would have liked to avoid putting fingerprints on the passport, because it is unnecessary to use fingerprints to verify the holder. That has just been superfluous. But the moment you put fingerprints on the passport, you must be able to check whether those fingerprints are still the correct fingerprints and whether the person who says he belongs to them is truly that person. This has led to a decision by various [Dutch] ministers who were responsible for storing four fingers in a municipal database, and if you don't have that, then the citizen is actually lawless when he carries a document with two fingers, because that document is also intended to show to others. If it is just for yourself, then so be it, but a passport is meant to hand over to an authority. When we distribute a passport, we do not even check with the same biometrics whether it's really being distributed to the person who's the official holder. Either no fingerprints, or completely correct. Both these aspects are now threatened to be destroyed through a persistent nagging to one aspect of privacy only. That's what I worry about."
This led Vincent Böhre (Privacy First) to ask Grijpink about his assessment of the risk of function creep in the storage of fingerprints in municipal databases.
Grijpink answered as follows:
"If you put the fingers on the passport only, you just lose all control for the protection of the individual. I have always made the case for storing four fingers - two on the passport and two extra - with the municipality in order to be able to check whether it is still the right person and whether anything in the document has changed. This can also exonerate yourself if you're accused of something with such a document. Whether that can lead to function creep: yes, everything can lead to function creep. But I think that if you organize it well, and I'm naturally a strong supporter of that, also because of the fact that we build large-scale infrastructures with chain-computerization to manage it well, then I think you also have to put some confidence in the government in a certain sense. I have been part of it for 40 years. In my view, some sort of a ghost is often made of the government in privacy debates. I don't recognize that. Many government officials do their work faithfully."
It is up to the reader to draw his own conclusions from this... ;)
During the panel discussion another central issue concerned the question whether or not to release figures on Dutch telephone and internet wiretaps. On behalf of Bits of Freedom Simone Halink rightly pleaded for more transparency in this respect. From the KLPD corner (and a former AIVD intelligence officer in the audience) however, it quickly became clear that there was complete unwillingness to provide any openness. This then led to a hardening of the discussion in which privacy advocates and (former) representatives of police and justice became diametrically opposed to each other. During this discussion Grijpink made the following remarks:
"I want to bring attention to an aspect as to why you should also be careful with making such hard calls for data and surveys. Especially, very clear in my file, identity fraud, then you make use of someone else's identity. When successful, it is invisible. And if the person is dead, then he won't notice anything. So that's a good example that if you start measuring, you get the wrong answer. And false conclusions and false images may even be worse for criminal investigation than if something gets known. In the case of identity fraud it is quite clear. I was asked: "How bad is the problem?" I replied: "Asking that question means that you don't understand. You must first have a situation in which you are sure to have the person who succeeded in committing identity fraud." There is only one situation that I know: the prison cells of the Justice department. Then minister Donner said: "Let's have a look." And guess what: 15% had the wrong identity. Half of those we didn't even know. And those people are in jail. In other words: figures are only really useful to some extent, and in the public debate they often go wrong."
This led Böhre to emphasize the importance of the notion that privacy is a human right, in which the question of proportionality in both individual and collective sense is fundamental. The discussion should therefore always be based on hard facts and figures. Vague assumptions about look-alike fraud are no excuse to impose biometric passports on an entire population. No negative reaction to this followed from the panel. The importance of further discussions based on facts and figures also seemed to be recognized by the audience. In that sense, the National Privacy Debate hopefully marked the end of an era of fact-free politics.
Privacy First will be happy to actively attend the next National Privacy Debate. In the meantime, the debate between all relevant stakeholders should be permanent.
A full video recording of the whole (6.5 hour) National Privacy Debate can be viewed online HERE.
More pictures of the event can be found HERE and HERE.
Postscript: the above report has also been published in the Dutch journal Privacy & Compliance 3-4/2012, p. 46-49.