"Kennzeichen einreisender Autos sollen erfasst werden
DEN HAAG. Ab 1. Januar 2012 wollen die niederländischen Behörden ihre Autobahn-Grenzen mit Video-Technik überwachen. Wer dann mit dem Auto nach Holland fährt, muss damit rechnen, dass sein Kennzeichen fotografiert und eingescannt wird. Eine Maßnahme zum Schutz gegen illegale Einwanderer, heißt es beim Migrationsministerium in Den Haag offiziell. Theoretisch, so mutmaßen niederländische Datenschützer, könnten aber auch Autofahrer abgefangen werden, die einen Strafzettel nicht bezahlt haben.
15 Übergänge sollen überwacht werden
15 große Grenzübergänge nach Deutschland und Belgien sollen überwacht werden. Sechs Geländewagen werden mit mobilen Erfassungsgeräten ausgestattet. Was die Technologie wirklich kann, ist unklar. Im Innenministerium wird ausdrücklich betont, eine Speicherung von Fotos sei "erst einmal" gar nicht möglich. Bei der Stiftung Privacy First in Amsterdam sieht man das anders: "Bald ist unser Grenzschutz in der Lage, jedes Auto zu scannen", sagt Vincent Böhre. Sollten die Fahndungscomputer bei einem Fahrzeug Alarm schlagen, könne es sofort gestoppt werden.
Alfred Ellwanger, Sprecher des Grenzschutzes, bemüht sich das Thema herunterzuspielen: "Im Grunde tun die Kameras dasselbe wie die Kollegen, die an der Autobahn stehen und Autos herauswinken. Dabei hilft ihnen die Erfahrung, Treffer zu landen. Diese Erfahrung geben wir in Zukunft in den Computer, der dann für uns auswählt."
Die EU-Kommission hat ein Verfahren eingeleitet. "Die Vereinbarkeit des Systems mit den Schengen-Regeln wird sehr von der praktischen Umsetzung abhängen", sagte ein Sprecher von Innenkommissarin Cecilia Malmström."
Source: German newspaper Kölnische Rundschau 23 November 2011, World section, s. 32.
"La proposta del primo cittadino van der Laan rafforza la possibilità già prevista dalla legge di perquisire i cittadini sulla base del semplice sospetto nelle zone a rischio. Proteste dal partito liberale D66 e delle associazioni: "Superato ogni limite".
Il comune di Amsterdam vuole dotare la polizia di body scanner "portatili" che consentano di 'guardare' attraverso i vestiti dei sospetti e di individuare facilmente armi o altri oggetti non consentiti. Non si tratta di una promessa "elettorale" giustizierista di Geert Wilders ma di un annuncio del primo cittadino della capitale olandese, il sindaco laburista Eberhard van der Laan ripreso con gran clamore dalla stampa nazionale. Per il borgomastro, l'introduzione di questi sofisticati strumenti, che avrebbero in dotazione un sensore capace di "fiutare" anche droghe o esplosivi, potrebbe rappresentare un valido aiuto per implementare la politica di "stop and search" ossia la possibilità riconosciuta dalla legge olandese alla polizia, di condurre, sulla base del semplice sospetto, perquisizioni casuali in zone della città considerate a rischio.
Due anni e mezzo dopo, le parole del sindaco di Amsterdam riaprono il caso ma il partito laburista, per bocca dell'ufficio stampa, cerca di smorzare, preventivamente, le polemiche: "La discussione non è ancora iniziata ma noi pensiamo si possa trattare serenamente del tema magari individuando dei limiti a tutela della privacy: per esempio, noi diremmo no a scanner come quelli impiegati all'aeroporto di Schipol, che fotografano i contorni del corpo e consentono immagini in alta definizione". Intanto, il tema è stato all'ordine del giorno in commissione sicurezza del comune, lo scorso giovedi, ma l'aula ha deciso di riaggiornare il dibattito a gennaio 2013, probabilmente per spegnere le vigorose, benchè isolate, proteste che si sono levate proprio alla vigilia dell'inizio della campagna elettorale per le elezioni politiche di settembre. Si è fatto sentire, infatti, il partito liberale D66, piccolo ma influente movimento che per bocca del capogruppo in consiglio comunale Jan Paternotte ha fatto sapere al sindaco che non ha alcuna intenzione di prendere in considerazione la proposta: "La facoltà, per la polizia di fermare in strada chiunque, senza ragione, ed effettuare perquisizioni è già una misura estremamente invasiva e potenzialmente discriminatoria ma con il bodyscan superiamo ogni limite", ha tuonato Paternotte e ha concluso: "E' davvero necessario che la polizia di Amsterdam possa venire a conoscenza di ogni dettaglio della vita privata dei cittadini?". Dello stesso avviso l'associazione "Privacy First" che ha attaccato l'idea del borgomastro, annunciando mobilitazioni ed azioni legali per contrastare l'eventuale misura."
Read the entire article in Italian newspaper il Fatto Quotidiano HERE, or click HERE for an 'English version' in Google Translate.
"Courts are investigating the legality of a European Union regulation requiring biometric passports in Europe. Last month, the Dutch Council of State (Raad van State, the highest Dutch administrative court) asked the European Court of Justice (ECJ) to decide if the regulation requiring fingerprints in passports and travel documents violates citizens’ right to privacy. The case entered the courts when three Dutch citizens were denied passports and another citizen was denied an ID card for refusing to provide their fingerprints. The ECJ ruling will play an important role in determining the legality of including biometrics in passports and travel documents in the European Union.
The Dutch Council referred the question of legality to the ECJ, arguing that the restrictions on privacy do not outweigh the ostensible aim of fraud prevention, and questioning the RFID technique. The Council also questioned whether fingerprints could be safeguarded so that they would only be used in passports or identity cards and not in databases for other purposes (known as function creep). The four cases that prompted this challenge to the biometric passport regulation are suspended pending the ECJ’s response.
The Netherlands has mandated fingerprints in passports and ID-cards since 2009. The Dutch biometric Passport Act is the misshapen offspring of the European Regulation compelling security features and biometrics in passports. The Regulation mandates that passports include two fingerprints taken flat in interoperable formats.
The Netherlands' storage of a biometric database was suspended in 2011, following privacy concerns as well as questions over the reliability of biometric technology. The Mayor of the City of Roermond reported that 21 percent of fingerprints collected in the city could not be used to identify any individuals. In April 2011, the Dutch Minister of Interior, in a letter to the Dutch House of Representatives, asserted that the number of false rejections was too high to warrant using fingerprints for verification and identification. Currently, only fingerprints stored in Radio Frequency Identification (RFID) chips embedded in ID documents are being collected.
The Amsterdam-based Privacy First Foundation (Stichting Privacy First) appreciates the critical stance on biometrics taken by the Dutch Council of State in line with the position taken by a German court: "We hope the ECJ will soon rule that the European Passport Regulation is invalid both in a formal, procedural sense (having been improperly adopted in 2004) and in a material sense (violating the human right to privacy and data protection). In the meantime, we hope the Dutch Parliament will scrap compulsory fingerprinting for Dutch ID cards as soon as possible."
A government proposal to this effect is currently before the Dutch House of Representatives.
The Dutch Council concerns echo questions raised by a German court earlier this year regarding the legality of the German biometric passports with RFID chips. The German court has questioned whether the EU regulation is compatible with the Charter of Fundamental Rights of the European Union (EU Charter) and the European Convention of Human Rights (ECHR). The German case was preempted when a German citizen, Michael Schwarz, refused to provide his fingerprints to obtain his new passport and the City of Bochum decided not to issue him one.
Mr. Schwarz argued that the regulation infringes privacy as protected under the ECHR and the EU Charter. In this case, the German court argued that the European Union has no legislative competence to enact rules on standards for security features and biometrics in passports as there is no direct relation of such rules to the protection and security of EU external frontiers.
The German court decided that the requirement of biometric data in passports is a “serious infringement” on privacy, arguing that the measure does not satisfy the proportionality test of being appropriate, necessary, or reasonable."
Read the entire article (including sources) on the website of the Electronic Frontier Foundation (EFF) HERE.
This week the Dutch House of Representatives will vote on a legislative proposal on the taking of 10 fingerprints of all foreigners (immigrants) for criminal investigation and prosecution purposes. This legislative proposal originally dates back to March 2009, the period in which all the Dutch government could come up with was privacy-intrusive legislation. The Privacy First Foundation deems this legislative proposal to be in breach of the right to privacy and the prohibition of self-incrimination. Below is the email that Privacy First sent to relevant Members of Parliament this afternoon:
Dear Members of Parliament,
Next Tuesday you will cast your vote on a legislative proposal aimed at extending the use of biometric features (fingerprints, facial scans) of immigrants. Hereby the Privacy First Foundation advises you to vote against this legislative proposal, especially in light of its disproportionate character. This disproportionality is demonstrated by the lack of relevant statistics and the relatively low fraud figures mentioned in the annotation to the legislative proposal dated 13 July 2012 by former Minister for Immigration, Integration and Asylum Gerd Leers (Christian-democratic party CDA). As with all human rights, any infringement of the right to privacy (Article 8 of the European Convention on Human Rights, ECHR) requires a concrete statistical necessity instead of vague suspicions and wishful thinking. Therefore, it is all the more worrying that under this legislative proposal the prints of as many as 10 fingers will be taken of every immigrant to ‘compensate’ for the fact that the biometric technology is inadequate to suffice with just one or two fingerprints. However, are these 10 fingerprints not actually meant to serve the interests of criminal investigation behind this legislative proposal...? In this respect, a comparison could be made with the following consideration by the Minister of Justice Benk Korthals (Dutch political party VVD), dated 10 December 2001:
‘‘In response to the question by the CDA, I am not prepared to proceed to the taking of fingerprints of all Dutch citizens in the interests of criminal investigation. This would be disproportionate, considering for example the number of print cases offered on an annual basis, in the whole of the Netherlands around 10,000. Furthermore, it is basically impracticable because prints have to be made of all ten fingers and possibly the hand palms for them to be of any use for criminal investigation. Apart from the administrative processing and control, this would require too big a drain on police resources. In the context of the new ID card, a new biometric feature such as a fingerprint will possibly be adopted. This will be about determining whether the holder of the ID card is in actual fact the very person that is mentioned on it. Perhaps just one fingerprint will be enough for that, but that is absolutely insufficient for criminal investigation.’’
In other words: under the guise of combating fraud, with this legislative proposal a centralised search register of immigrants is created, exactly in the same way that this was about to happen a few years ago with the fingerprints of all Dutch citizens. Privacy First assumes that the various reasons why this last project was reversed midway through 2011 at the insistence of your Parliament (!) are known to you and apply just as much for the current legislative proposal. In addition, this proposal has a stigmatizing effect since it causes a whole population group (immigrants) to be seen as potential suspects. This creates an inversion of the presumption of innocence and conflicts with the prohibition of self-incrimination. In that sense the legislative proposal constitutes a collective violation of both Article 6 (nemo tenetur) and Article 8 ECHR (privacy and physical integrity). With regard to the Passport Act, this has led to a Dutch and European snowball effect of lawsuits since 2009. Therefore, Privacy First hopes that the House of Representatives has the progressive insight to prevent a repetition of this history.
Update 29 January 2013: the legislative proposal (no. 33192) has unfortunately been accepted by the House of Representatives this afternoon (video; starting at 19m36s). Dutch political parties D66, SP, ChristenUnie and the Party for the Animals voted against. Read also the report by Privacy Barometer and today’s article in newspaper NRC Handelsblad. Next stop: the Senate...
Update 29 January 2013, 21:45: Left-wing party GroenLinks ('GreenLeft') has notified that it had intended to vote against and will have the voting record corrected.
Update 30 January 2013: today GroenLinks notified the House of Representatives of its vote against the legislative proposal.
Update 31 January 2013: the article in NRC Handelsblad was also published in the affiliated newspaper NRC Next. Read also today's article in newspaper Nederlands Dagblad.
Update 8 February 2013: for the current status of the legislative proposal in the Dutch Senate, click HERE.
Update 6 March 2013: today Privacy First has sent a similar version of the email above to the Commission for Immigration and Asylum of the Dutch Senate.
The Privacy First Foundation regularly organises networking drinks combined with informational sessions for our volunteers, donors and experts from our network of journalists, scientists, jurists and people working in ICT. Since July 2011, these events are organised about every three months and take place at the Privacy First office in the former building of de Volkskrant newspaper in
A common goal: freedom in an open democratic society
The night starts with a short introduction by Privacy First chairman Bas Filippini. In Filippini’s view, Privacy First and the AIVD actually pursue the same objective, namely freedom in an open democratic society, albeit from different perspectives. Rob Bertholee affirms this and says that tonight, contrary to what some may think, he doesn't really consider himself to be in the lion’s den. After a long career in the army, Bertholee has been the Head of the AIVD for nine months now. One of his first impressions of the AIVD was one of a professional organisation with people who are driven by their ideals, he says. Both the AIVD and the MIVD (military intelligence) have to deal with risks and threats to national security and the democratic legal order, in other words, with threats to our way of life and the guarantees for our freedoms thereof. As a result of internationalisation and new technologies, threats and risks increase in number and have a greater impact and reach. An example is the internet that, apart from its positive aspects, has a downside to it as well.
Security is not a fundamental right
The AIVD has two main tasks: intelligence and security. Formally however, security is not a fundamental right, Bertholee rightly remarks. In its case-law, the European Court of Human Rights has indicated that States are obliged to take all reasonable measures against life-threatening situations, he says. Subsequently, the Council of Europe has endorsed this in its Guidelines on human rights and the fight against terrorism. Whereas Privacy First focuses on the protection of the individual, the AIVD concentrates on the protection of the community of individuals. In between there’s a trade-off: in order to protect the community, sometimes it is necessary to infringe the rights of the individual. Bertholee then mentions a couple of tasks of the AIVD which do not infringe the right to privacy. This is the case for 1) personal security assessment and 2) protective measures for individuals, organisations and companies, for example in relation to espionage. In these two cases the law dictates that the AIVD is, by law, not allowed to deploy special intelligence powers. It is exactly the deployment of such powers that infringes people's privacy.
An important part of the AIVD is the National Communications Security Agency (Nationaal Bureau voor Verbindingsbeveiliging, NBV) which supports the Dutch central government in securing special information. The NBV evaluates security products and plays a role in their development. It is this agency where, for example, USB flash drives for the government are tested on data leakages. Then there’s the political intelligence task of the AIVD abroad, "which, admittedly, intrudes upon people's privacy, but not here in this country". Finally, there’s the task of making threat analyses for certain individuals (for example politicians), organisations or events. One task of the AIVD through which privacy in the Netherlands is put at stake concerns the assessment of ‘threats to our national security, the continuation of democratic rule of law and other, important State interests". This assessment is carried out, first of all, through open sources (media, internet, etc.), but can (subsequently) proceed by shadowing, monitoring or eavesdropping of persons or by penetrating virtual or physical spaces. In this respect Bertholee emphasizes the high degree to which employees of the AIVD are aware of 'the spirit' of the Dutch Intelligence and Security Services Act 2002 (Wet op de inlichtingen- en veiligheidsdiensten, Wiv2002). "As a citizen I felt reasonably reassured from the moment I had an understanding of what the AIVD was actually doing and what it could and was allowed to do, and also by the way the government can continue to exercise control over a service like the AIVD," says Bertholee. "You don't have to believe me, but I just wanted to share this with you," he jokes. Then he’s resolute again in saying "our tasks and powers are all clearly defined by law."
In the field of counter-terrorism, at the moment most of the AIVD’s attention goes out to (potential) Jihadists and radical 'lone wolves' like Anders Breivik. Bertholee finds it worrisome that such lone wolves are hard to track down, even though relevant information is sometimes available, for example at healthcare institutions or the police. A difficult dilemma is, on the one hand, the question whether or not certain events could have been prevented by correlating information on national and international levels and, on the other, which risks society is willing to take in order to preserve people's privacy, Bertholee explains. However, he can well imagine that citizens worry about the correlation and international exchange of data and that this is bringing about a 'Big Brother' experience. As a citizen, Bertholee himself is worried about this too. Where is the right balance between protecting the individual and protecting the community? Every special power of the AIVD is anchored in the Wiv2002. The most simple special power is talking to people (Article 17 Wiv2002). For every single special power in the Wiv2002 the following requirements apply: 1) necessity, 2), proportionality and 3) subsidiarity. Therefore, special powers may only be deployed in case open sources (internet etc.) prove to be insufficient. The AIVD is to continually ask itself: is it strictly necessary? And are we very certain that there are no lighter measures at our disposal? The enforcement of those very powers is verifiable afterwards. Apart from opening letters (this falls under the Dutch Postal Act) there is no investigative magistrate involved. However, for the use of every special intelligence power the approval by the Minister of the Interior and Kingdom Relations or by the Head of the AIVD on behalf of the Minister is required. Moreover, every new employee of the AIVD gets a basic education through which he or she is being taught, among other things, about the Wiv2002. In this context, Bertholee relates an interesting anecdote: once in a while the AIVD invites a number of journalists, members of Parliament or jurists to discuss a case. It turns out that those not working for the AIVD are more inclined to allow the use of special powers than the AIVD employees themselves. As an answer to a question from the audience, Bertholee says that he himself gave an explanation about the Wiv2002 to Interior Minister Liesbeth Spies, just one and a half hours after she was sworn in by Queen Beatrix. "We have no rules of our own, we abide to what is written in the law," Bertholee says. He goes on telling about the process that sees the deployment of a special power: it starts with an employee who wants to use a special power for an AIVD investigation. The employee is to account for his request in writing and an AIVD operational lawyer looks into it. The request is then sent to a supervisor, after which it is forwarded to Bertholee. Finally, the request ends up at the desk of the Interior Minister. This happens case by case, always taking the prerequisites of the Wiv2002 into consideration. No form of pressure is allowed in the event the AIVD makes a request for information to citizens. The same goes for requesting information to journalists: it is entirely up to them to cooperate or not. "If a journalist is not willing to cooperate, then that’s a pity for the AIVD and that’s where things end", Bertholee explains. However, some (parts of) conversations are being registered in a memo since everything needs to be verifiable for the AIVD.
Bertholee tells about the way the AIVD is monitored by various bodies that each play their own role. First of all there’s the Dutch Parliamentary Commission for Intelligence and Security Services ('Commissie Stiekem') which consists of all the leaders of Parliamentary parties. Then there’s the (public) Parliamentary Commission for the Interior. The legality of the execution of tasks by the AIVD is scrutinised by the Dutch Review Committee on the Intelligence and Security Services (Commissie van Toezicht betreffende de Inlichtingen- en Veiligheidsdiensten, CTIVD); this is an independent supervisory body which consists mainly of legal experts. According to Bertholee, in recent years the CTIVD assessments on the AIVD have largely been positive. Furthermore, the Netherlands Court of Audit (Algemene Rekenkamer) examines the (secret) budget of the AIVD. Both the CTIVD as well as the Court of Audit have access to everything within the AIVD.
Revision of the Wiv2002
With regard to a possible revision of the Wiv2002, Bertholee remarks that the legal space currently offered is sufficient for the AIVD and that he doesn’t need more powers. However, he does think it is "particular" that the Wiv2002 is in some aspects related to the Dutch Postal Act and to the Telecom Act, which makes it necessary for the AIVD to get the permission of an investigative judge to open a letter, while that same permission is not required for intercepting or opening an email. Hence the legislation is technology-dependent and "something needs to be done about that", Bertholee states. Besides, the CTIVD has proposed to change the legislation with regard to SIGINT (Signals Intelligence). Furthermore, Parliament may evaluate the Wiv2002 in the near future. It seems there are two thorny issues at the moment: a possible ban on using journalists as informants and more control over the effectiveness of the AIVD. The difficult thing is that the effectiveness of an organisation like the AIVD is hard to measure; this is related to the nature of the work and the type of threats that are being averted. Bertholee: "I accept that life has certain risks. The question, however, is what society wants. How many casualties per year do you find acceptable?"
No Big Brother
Confronted with a question from the audience about new, predictive technologies and the effect that these can have on social behaviour, Bertholee makes clear "not to be in favour of Big Brother. There are limits to what you can and what you cannot do. This is also related to the risks that you are willing to take as a society." Bertholee responds to another question from the audience saying that a special power may only be used as long as it's necessary. When the necessity (i.e. the reason or threat) ceases to exist, the authority to use a special power ceases to exist as well. The CTIVD keeps an eye on that. Five years after a special power has been used, a duty of notification towards the citizen involved applies, unless this could reveal relevant sources or a current operational method. However, this duty to notify has so far never been used. In fact, Bertholee wonders whether such a notification could actually be experienced as an assault on one’s private life in case there was nothing going on with the person concerned.
The Wiv2002 remains applicable to the international exchange of intelligence between the AIVD and foreign secret services, Bertholee explains. Furthermore, an international code of conduct applies. The exchange of intelligence is examined from case to case and from country to country. In the event of exchange, what is allowed to happen with the intelligence in question is being indicated. Internationally this is being adhered to pretty well, according to Bertholee. However, in some cases, or rather, with some countries the exchange of intelligence could become a dilemma...
Drawing the line where violence starts
One question relates to the degree to which activists figure in AIVD files. Bertholee explains that, in principle, the AIVD conducts no investigations into activists. "We don’t care what someone thinks. We do not represent the moral high ground of the Netherlands. It is only when violence comes into play - or calls for violence, clear intentions towards violence, radicalisation - that we feel involved."
During the discussion with the audience Bertholee emphasizes that it’s not the aim of the AIVD to collect as much data as possible. The aim is rather to collect the right information in order to be able to fend off threats. It is not the AIVD, but the industry that is the driving force behind the development of information technology that, unfortunately, is also used in less democratic countries. In response to a question Bertholee admits that there is a risk that a service like the AIVD could 'drown' in an abundance of data. Biometrics are one such development of new technology. This makes it more difficult to assume a new identity, both for people with bad intentions as well as for officers of the AIVD itself. Furthermore, the privatisation of intelligence is risky, especially due to the lack of legislative checks and balances.
Bertholee finishes his speech by emphasizing once more that the AIVD 1) doesn’t keep records of everyone, 2) doesn’t wiretap everyone, 3) shoots nobody, 4) doesn’t arrest anyone, 5) doesn’t force cars into the kerb, 6) doesn’t torture anyone, 7) doesn’t hack into every computer, 8) has no enforcement powers, 9) doesn’t put pressure on people and 10) doesn’t recruit journalists. Then Privacy First chairman Filippini rounds off the night and invites everyone present for drinks with music.
Postscript Privacy First: as international peace and security often benefit from dialogue between 'opponents', the same goes in our country for a good relationship between the government and civil rights organisations like Privacy First. In that sense we consider this night to have been very valuable and we hope that the AIVD deems this event to be worth repeating in the future!
Update 27 September 2012: as a result of Bertholee's speech, a second article appeared in Dutch newspaper Telegraaf.
The Privacy First Foundation organises networking drinks on a regular basis, inviting a prominent speaker around a topical issue. In September this year we organised a night with the Head of the AIVD, the Dutch Intelligence and Security Service. On 22 October we invited a speaker from the cyber security scene, namely Wil van Gemert, Director of Cyber Security at the NCTV, the National Coordinator for Counterterrorism and Security, part of the Dutch Ministry of Security and Justice. Investigative journalist Brenno de Winter was asked to moderate the discussion. Click HERE for the invitation to our network (in Dutch). Would you also like to receive our invitations from now on? Email us! Below is a translated summary of Mr. Van Gemert's speech and the discussion with the audience that followed:
Introduction by Privacy First
Chairman Bas Filippini gives a short introduction on the work of the Privacy First Foundation and introduces Wil van Gemert as well as Brenno de Winter. Filippini recalls that the Dutch government increasingly expects citizens to do everything digitally. In particular the elderly as well as people with fundamental objections are put in difficulty by this development. Meanwhile the government attains ever more powers of surveillance in the digital private domain of citizens. A current development in this regard is the plan of Dutch Security and Justice Minister Ivo Opstelten to be able to hack into computers of citizens. Privacy First is firmly opposed to this plan because, among other things, it would violate the right to confidentiality of email. The Dutch government should safeguard the privacy of its citizens. In that sense Privacy First and the Dutch government share the same goal, albeit from different perspectives. However, Opstelten’s hacking plans threaten to break down people's privacy and (through this) democracy as a whole. Filippini then gives the floor to Wil van Gemert.
Trends in cyber security
Mr. Van Gemert thanks Privacy First for the invitation and kicks off by showing a funny commercial advertisement about linguistic confusion; click HERE. Like in the video, in cyber security it is all about trust, knowledge and awareness. Finding the right balance between tasks and responsibilities is equally important. In his lecture Van Gemert consecutively pays attention to current trends in cyber security, tasks of the government, cooperation between the public and the private sphere, the Netherlands Cyber Security Assessment (Cyber Security Beeld Nederland) and 'security versus privacy?': is this a contradiction or rather a matter of complementarity? And what are the present-day challenges? When it comes to cyber security, it all revolves around confidentiality, reliability, integrity and continuity of data in the digital information society. The first worldwide trend that Van Gemert identifies is 'Big Data': the enormous amount of data that is stored continuously and which increases on a daily basis. How can we handle this in good way? A second trend is hyperconnectivity: the number of digital (internet) connections increases exponentially. This is how an 'Internet of Things' comes to life. The Netherlands has the one but highest internet density in the world, which gives our country a special position in this regard. A third trend is the disappearance of borders, both in time and distance as well as in terms of work and the private sphere. These trends require changes both in the way companies do business as well as the role of the government in guaranteeing a secure society. These trends also have an influence on people, on consumers, for example through the new possibilities offered by mobile telephony. Big Data can be used to make highly personalised commercial offers in real time, say, a travel insurance when you're at Schiphol airport. However, when Van Gemert asks how many in the audience find this a good idea, not a single hand is raised. Van Gemert doesn't think it's a good idea himself either: it harms your privacy, it makes you feel you're being followed. Relatively many youths seem to be just fine with it though.
The influence of social media
An important aspect of cyber security is mobility: companies want to be able to reach their clients everywhere they go and employees are increasingly less bound to a workplace at the employer's office. For companies, political parties and the government too, social media become ever more important to know what goes on in the market or in society. An interesting case is the recent incident with an airplane from Vueling Airlines with which radio contact was lost and for which for some time the possibility of a hijacking was accounted for. Since 2001 such an airplane (a 'renegade', PF) is escorted by F16s by procedure. Imagine, however, that all passengers inside the airplane communicate through Twitter that things are fine, then how do you deal with that as a government? These are questions that are pondered over within the government at the moment. Another aspect concerns the role of the government: from a monopoly to a more independent role since for most part the cyber infrastructure is in the hands of companies. Then there's the authority issue: social media have an influence on the degree to which government campaigns are successful with the general public. A recent example is the government campaign for vaccinations against cervical cancer. A further aspect is that cyber security is community driven: the community makes itself the owner of a certain problem, as was the case for example with the Dorifel virus. This community consists of researchers, relevant companies, hackers etc. and can sometimes offer clarity on certain issues, unlike with classical investigation methods whereby the directions are with the government. However, the digital IQ of most companies is still low, so it is a challenge for the government to increase the digital IQ of companies, says Van Gemert.
Lack of a security concept in cyberspace
The Netherlands is a country characterised by seas and dykes: if the water seeps through, we build a dyke around it. This classical way of crisis containment is almost impossible in cyberspace. Companies often are not aware of where their data are situated precisely, how they are interconnected and which effects occur when a failure manifests itself somewhere. Apart from the human factor, platforms, applications and infrastructures all have problems of their own. Due to the interaction between these four levels, a security problem often becomes very extensive. In the physical world we are familiar with a safety concept; think of the safety regulations on a construction site. But is there such a security concept in cyberspace? And which roles do the government, the private sector and citizens play in this? At the moment this is insufficiently clear. On the highway certain safety standards and traffic rules are in force. But each citizen can also buy a computer and go onto the digital highway unprotected.
Since one and a half years the Netherlands has a National Cyber Security Strategy. Part of this has been the installation of a Cyber Security Council: an independent advisory body for the government. In the National Cyber Security Strategy it has been agreed that the Netherlands makes an annual Cyber Security Assessment of threats and actors. Furthermore, from the beginning of 2012 there is an operational management within the NCTV, which consists of two parts: 1) the National Cyber Security Centre, NCSC (which acts as a centre of excellence, among other things) and 2) a range of policies (which support, among other things, the answering of parliamentary questions and questions from the private sector). The starting point here are public-private partnerships; in this way new coalitions with new forms of participation between the government and trade and industry as well as with NGOs come to life. Both the government as well as private parties and experts take part in the Cyber Security Council and in the NCSC. One topic that is being dealt with together is cloud computing. Moreover, since recently the NCSC has an ICT Response Board; within this public-private partnership people from the government and the industry can be summoned up for advice and assistance in the event of incidents or crisis situations. Then there are ISACs, Information Sharing and Analytical Committees, in different areas, for example for the vital infrastructure with regard to energy, water, finances, etc. This too is a public-private partnership.
Threats in cyberspace
Cyber security has been a hot topic of late and negative incidents sometimes result in positive initiatives. There has been an unanimous request by the House of Representatives to set up a security breaches notification centre. In this context Van Gemert tells the following: "The Diginotar affair has made clear that the following question is of relevance: what can the government do in the event of a crisis? How can the government force a company that plays a key role to cooperate in order to prevent social breakdown and damage to society? Are such possibilities at our disposal in the first place? Our conclusion from July this year was affirmative, in case we can declare a state of emergency in relation to a cyber incident." Furthermore, Van Gemert stresses that we should not just invest in the detection of data leakages, but also in the right response to this. Hereby the role of the government concentrates on coordination, communication and consultation. In July this year the second Cyber Security Assessment of threats, targets and actors was released. The main threat comes from foreign governments (espionage) and cyber criminality. Contrary to what most people believe, so far cyber terrorism poses a smaller threat. In addition, cooperation between 'hacktivists' and foreign State actors (i.e. intelligence services) could be worrisome.
On the relationship between privacy and security, Van Gemert remarks that as far as he is concerned "there is no privacy without security. If you do not organise security, in the end there will no be privacy. You really do need to take measures to make sure your privacy is protected. Privacy and security have a mutual interest in each other. So in that area, information protection and related agreements are necessary. Also in order to protect privacy, on a daily basis the NCSC brings out advice on vulnerabilities which could be harmful for companies and citizens. Our website www.waarschuwingsdienst.nl is focussed on making citizens more aware and to mobilise them against threats. However, we are not a supervisory body, we cannot enforce anything. We can merely give out advice and propose best practices. Between 12 and 22 November 2012 the government will pay attention to 'awareness' through its campaign Alert Online in cooperation with 10 partners. This campaign is aimed at citizens as well as companies."
Finally, Van Gemert underlined the importance of fundamental digital rights and self-reliance of citizens through knowledge and awareness. Van Gemert brings forward three subjects for discussion with the audience: 1) How do security and freedom relate to each other conceptually? 2) What is the role of Privacy First? Is it always to be an opposing force or can it also be an ally? 3) What is the role within cyberspace of our law-enforcement and supervisory organs, for instance the police? What is their role when it comes to individual emergency aid and law-enforcement in cyberspace?
Discussion with the audience
Even though Van Gemert is not responsible for the cybercrime department, he is nevertheless prepared to say one or two things about it on behalf of the Ministry of Security and Justice. Answering a question from the audience about the possible international consequences which an intervention in cyberspace from the Netherlands may have, Van Gemert points out that the concept of virtuality requires a different approach compared to a territorial approach when it's not clear where a particular server is situated. He hereby makes a comparison with the development of maritime law in international waters. The country in which the damage occurs should form a point of reference in terms of jurisdiction. However, in this regard there are no unequivocal answers; the national and international rules on these matters are not yet clear. Brenno de Winter emphasises that Dutch hacking activities in foreign countries could well set a dangerous international precedent. What if a country like Iran ascribes those same powers to itself? This is a concern that is shared with others among the audience.
Another question from the audience relates to the public-private partnership as is the case with Diginotar. Israeli wiretapping systems in the Netherlands are being referred to as well. Does the Netherlands not make itself enormously vulnerable with this? Van Gemert replies that this has indeed become a prominent question since the Diginotar affair. However, he is not willing to go into the topic of wiretapping systems since he's not involved in this policywise. Then it's being mentioned from the audience that, within public-private partnerships in the area of cyber security, Dutch NGOs are structurally being kept out. De Winter too remarks that the NCSC is seen by many as an unreachable fortress where you're not being heard. Van Gemert responds to this saying the NCSC certainly does look for contact with pressure groups. Here too the question is which side do these pressure groups pick: do they take on an opposing or a supporting role? "I'm convinced that we should look for new forms of cooperation between the government, the industry and trade, the citizenry and with pressure groups, which make sure our society becomes more secure. Looking out for those contacts is the reason that I'm standing here," Van Gemert says.
Another question from the audience is about the detection of hack attempts. To what extend is this being delegated by the government to industry? Van Gemert reacts saying that the government does the detection work itself on the basis of the exchange of digital traffic data (not on the basis of content) as far as it concerns the vital (government) infrastructure; companies take care of such detection efforts themselves. Someone in the audience remarks that in this respect the government could take up the role of bringing together relevant knowledge and experience in each individual business sector. Another comment from the audience concerns the lack of international rules that was presupposed earlier: why does the Netherlands not conform itself to the already existing Budapest Convention on Cybercrime and why are the legal possibilities under this Convention not being adequately used? Other observations deal with the cooperation between Dutch municipalities, the banks and the telecom sector. Someone asks how big a threat cyber warfare really is and how the Netherlands prepares itself for it. Van Gemert here refers to cyber as the 'fifth battlefield' apart from the four domains of land, sea, air and space. This is an actual development: by now there are about 20 countries which have the capacity for this type of warfare. There are a lot of financial cuts in the Netherlands, but money is actually being invested on cyber matters by the Ministry of Defence. Cyber war entails a new question of attribution: which country inflicts the damage and how is one to react to it? During the discussion the US Patriot Act is mentioned as well as the risks of storing data in 'the cloud'. "Think carefully about what you put in the cloud," Van Gemert advises. Then comes the question to what extent the government considers the protection of personal data vital for our infrastructure and to what degree the government is keeping an eye on the risks of identity fraud and identity theft through the coupling of personal data to citizen service numbers. Does the government endorse the Scientific Council for Government Policy report called iGovernment? Is declaring a cyber state of emergency equivalent to a disaster or warfare situation in which all regular legislation can be nullified with all the privacy risks it entails?
Someone mentions that the police power to hack into computers of citizens could imply that computer data of individuals could be changed without it being noticed and could then be used against those same individuals. Van Gemert replies that personal data is fundamental and critical data that is to be protected properly. Not just companies but citizens themselves ought to be better aware of this. As far as a state of emergency is concerned, Van Gemert remarks that this was not even proclaimed during the Dutch flood of 1953. In terms of cyberspace there is no need for new, complementary legislation for a state of emergency. Current legislation for a state of emergency can only be applied in extreme situations.
Another point of discussion is the fact that for years the Dutch government has been dependent on Microsoft: why is this situation (with the associated privacy risks) lasting ever longer? On request Van Gemert clarifies his earlier remarks on a cyber state of emergency: such a situation cannot be proclaimed on the basis of a single incident, but only when we're dealing with large-scale societal breakdown. Then it is being asked from the audience to what degree the government has the responsibility of not making legislation and policies which can be copied and abused by other countries, like the way companies are not allowed to deliver certain dual use equipment to certain countries. Van Gemert tells that for some goods there are indeed UN sanctions lists: the Dutch General Intelligence and Security Service (AIVD) verifies this. A free internet abroad is mainly supported by the Dutch Ministry of Foreign Affairs. Generally speaking, a democratic society always needs to abide to a moral guideline. Then the discussion about possible government powers to hack computers in foreign countries comes to life again among the audience. In this context, does the permission of an examining magistrate offer sufficient protection against abuse? Someone else in the audience remarks that, nowadays in the area of phone-tapping, the examining magistrate has become some sort of rubber-stamping device. Someone remarks that Van Gemert's distinction of five domains of warfare is put too simply. In international law, traditionally there are only three domains of warfare: land, sea and air. Since the 1970's, in space the principle of 'peaceful use of outer space' applies. So why not introduce a similar new principle of 'peaceful use of cyberspace?'
In reaction to a question about guaranteeing privacy, Van Gemert replies that he attaches importance to clarity over what is and what isn't allowed. Through investigative powers sometimes one's innocence can also be proved. The challenge is finding the balance between cyber security and privacy, Van Gemert says. Then someone in the audience points to the dangers of the coupling of personal data and function creep. Our democratic constitutional State is no invariable matter of fact. Does the government take this into account? Van Gemert iterates that the challenge is in finding the right balance. Calls for new legislation by parliament after an incident are not always adhered to by the government, for instance when it concerns anti-terrorism legislation and emergency legislation. Then someone in the audience states that for a raid a search warrant is required, which is verifiable for the citizen. This verifiability is absent when hacking into a computer. Van Gemert responds by saying that such verifiability is equally missing when it comes to phone tapping or police observation, especially when it's a case that's not brought to court. In this respect, De Winter remarks that neither the existing compulsory notification is complied to by the government. From the audience it is added that through all registration measures the presumption of innocence of citizens is put under pressure. This changes society and makes people start to comply with an 'all-seeing government'. As a response, Van Gemert underlines once more that 'privacy and security cannot do without each other'. In his view these sorts of discussions are important to get more clarity and to be able to make steps forward. Finally, Van Gemert stresses the importance of a security concept in cyber space with sufficient attention to privacy.
De Winter gives the final word to the Privacy First Foundation. Chairman Bas Filippini thanks Van Gemert for his open attitude toward the opposition. In the view of Privacy First, discussions such as these are fundamental. In recent years there has been too little dialogue with the privacy movement; the government has grown bigger while participation by citizens has decreased. Privacy First is happy to accept the invitation to become part of the coalition. "We will be a necessary irritant, but you have to be able to deal with that", Filippini concludes.
In the context of a public consultation, the Dutch Ministry of the Interior recently requested Privacy First to react to the current government proposal to revise Article 13 of the Dutch Constitution (right to confidentiality of postal mail, telephone and telegraph). Below are our comments on the current draft of the legislative proposal (click HERE for the original Dutch version in pdf):
Ministry of the Interior and Kingdom Relations
Deputy Director for Constitutional Affairs and Legislation
Mr. W.J. Pedroli, LL.M.
PO Box 20011
2500 EA The Hague
Amsterdam, 29 December 2012
Re: Comments by Privacy First on the revision of Article 13 of the Constitution
Dear Mr. Pedroli,
On October 16th 2012 you requested the Privacy First Foundation to react to the draft legislative proposal to revise Article 13 of our Constitution. Privacy First is grateful for your request and is happy to hereby provide you with critical comments. In the first place, Privacy First fully endorses the desire of this government to modernise the current, archaic Article 13 of the Constitution. However, Privacy First regrets the fact that the government has not seized the opportunity to also renew and reinforce other ‘fundamental rights in the digital age’.
In the view of Privacy First, the first and third paragraphs of the current draft legislative proposal to revise Article 13 of the Constitution form powerful anchors for a future-proof right to confidential communication. The first paragraph rightly upgrades the old confidentiality of postal mail, telephone and telegraph to a technology-independent (or technology-neutral) confidentiality of mail and telecommunication. The third paragraph forms a correct guarantee for the horizontal effect thereof. Moreover, Privacy First endorses the broad interpretation that is being given by the draft Explanatory Memorandum (EM) to various relevant concepts. However, the second paragraph of the draft proposal contains a systematic imbalance which, in times less democratic, could endanger the rule of law in our society. It is precisely this paragraph which most of Privacy First’s criticism is focused upon. Other points of criticism concern compulsory notification towards citizens in the event that special powers have been used by the intelligence and security services, traffic data as well as the lack of a comparative legal section in the EM.
Judicial authorisation and national security
The EM rightly states that "in light of Article 13 (...) the protection of citizens against violations by the government is paramount, especially in light of the actions by the police and intelligence services. Demanding a judicial authorisation under the Constitution provides a strong and clear constitutional guarantee." It is therefore incomprehensible that in the second paragraph of the draft legislative proposal the domain of national security is being excluded from judicial supervision. After all, where the concentration of power is supreme, judicial checks and balances should be the most potent to prevent any (future) abuses of power. In light of European history, the exception in paragraph 2 is in fact entirely irresponsible: unfortunately, even in our part of the world a democratic constitutional State is not a static matter of fact. Apart from that, the current draft proposal sends out a dangerous signal to foreign governments. Furthermore, Privacy First deems the exception in paragraph 2 unwise in view of possible technological developments in the (far) future. The same holds true in relation to the (further) expansion of the notion of ‘national security’. Also in the future, the Dutch population needs to be protected against arbitrary violations of confidentiality of communication; in this regard the current wording of paragraph 2 offers no guarantee whatsoever.
Adding an extra ‘judicial layer’ would strengthen the current system of internal and external supervision on the intelligence and security services (and hence reinforce our democratic constitutional State). In this regard, the system of judicial supervision in a country like Canada could be a source of inspiration. Such judicial control would also be in line with the case-law of the European Court of Human Rights:
“The Court has indicated, when reviewing legislation governing secret surveillance in the light of Article 8 [ECHR], that in a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge.”
In light hereof, the current wording of paragraph 2 is not expedient. Privacy First thus advises a revision of this paragraph as follows:
“This right can be restricted in cases defined by law with the authorisation of a judge or, in the interest of national security, with authorisation from one or more ministers appointed by law.’’ [lining through by Privacy First]
As a possible alternative to the introduction of judicial supervision in the security domain, Privacy First advises to upgrade the existing Dutch Review Committee on the Intelligence and Security Services (CTIVD) into a more powerful, independent supervisory body, similar to the Belgian or German model with overall compulsory inspections beforehand instead of random supervisory inspections afterwards.
A second point of criticism concerns the lack of an explicit constitutional notion of compulsory notification in the event of any infringement of the confidentiality of mail and telecommunication. Compulsory notification provides legal protection to citizens and contributes to the correct enforcement of law by the government, also in the security domain. Like judicial authorisation, this offers the best guarantuees against short-term as well as long-term violations.
From Privacy First's point of view, traffic data too need to fall within the scope of Article 13 of the Constitution. These data are often related to the content of communication; this even follows from the text of the EM itself, where text messages ('SMS') and the email subject line are rightly mentioned as examples. The same goes for instance for search terms in search engines. Apart from that, it is possible to deduce the content of communication between individuals and/or companies from traffic data in conjunction with other data (possibly collected in real-time). So here too, a vigorous regime of Article 13 of the Constitution in conjunction with judicial supervision is essential.
Finally, in the current EM Privacy First misses a comparative legal paragraph in which current Article 13 of the Constitution is compared with constitutional best practices from countries with either a civil law or a common law tradition. Additionally, with a new Article 13 of the Constitution that is state-of-the-art internationally, the Netherlands could positively distinguish itself and to some degree regain its former position as a leader in human rights.
Privacy First hopes that this advice will be of use to you. We are willing to give clarifications on the above points upon request.
Privacy First Foundation
Director of Operations
 EM, at 18, 20.
 Compare EM at 11, 1st paragraph.
 ECHR 22 November 2012, Telegraaf vs. Netherlands (Appl.no. 39315/06), para. 98. Compare also ibid., paras. 98-102.
 EM, at 18.
Update 8 February 2013: see also the critical comments by the Netherlands Committee of Jurists for Human Rights (NJCM), Bits of Freedom and the newly established Netherlands Institute for Human Rights (in Dutch).
The appeal by Privacy First and 19 citizens against the Dutch government
On February 2, 2011, the Privacy First Foundation and 21 co-plaintiffs (citizens) were declared inadmissible by the district court of The Hague in our civil case against the Netherlands regarding the 2009 Dutch Passport Act. A proposal by the Dutch Minister of the Interior, Ms. Liesbeth Spies, to revise the Passport Act has been presented to the House of Representatives on 17 October this year. However, in this legislative proposal the original provision (Article 4b) concerning a centralised database remains intact for the greater part. Under this provision, biometric data of every Dutch citizen will be used for criminal investigation and prosecution purposes as well as intelligence work, disaster control and counter-terrorism. This constitutes a flagrant violation of, among other things, European privacy law. Efforts by individual citizens to challenge this through individual administrative court cases have thus far not yielded any results, since the administrative courts proved unwilling to evaluate the provision in question. Nevertheless, the Dutch Council of State (Raad van State) has recently made a preliminary reference to the European Court of Justice in
To that end we have today presented our Statement of Appeal to the Court of Appeal in The Hague. In this Statement Christiaan Alberdingk Thijm and Vita Zwaan (SOLV Attorneys) outline why Privacy First and co-plaintiffs have to be declared admissible. Subsequently, it will be possible for the Passport Act to be legally scrutinized in its entirety by the court and be measured up against higher law, including European privacy legislation. Our entire Statement of Appeal can be downloaded HERE (in Dutch). The Appeals Court of The Hague is expected to deliver its judgment before the summer.
Privacy First makes an urgent appeal to all Dutch citizens to contribute to the financing of this lawsuit. This can be done by donating on account number 18.104.22.1681 attn. Stichting Privacy First in
This afternoon the Privacy First Foundation sent the following email to the Dutch Senate:
Dear Members of the Senate,
Recently the international Amsterdam Privacy Conference 2012 took place. In his opening speech at this conference, Dutch politician Lodewijk Asscher principally addressed the current legislative proposal of regulating prostitution. Asscher voiced the expectation that the envisaged registration of prostitutes will lead to lawsuits that will end up before the European Court of Human Rights in
1. Compulsory registration of prostitutes will lead to a shift of prostitution to the illegal circuit. Thereby this legislative proposal will prove to be counterproductive, with all the risks this entails. The social (legal) status of prostitutes will become further weakened instead of strengthened.
2. Compulsory registration of prostitutes violates the right to privacy because it concerns the registration of sensitive personal information. This is prohibited under Article 16 of the Dutch Data Protection Act and is in breach of Article 8 of the European Convention on Human Rights.
3. Registration of prostitutes has a stigmatizing effect. Moreover, the security of this registration cannot possibly be guaranteed and there is also the danger of function creep. Therefore, the supposed advantages of registering do not outweigh the risks of data breaches, hacking, unauthorised and unforeseen use - now and in the future. This, in turn, also implies new risks of abuse and blackmailing.
4. Combating criminality and human trafficking ought not to happen through the risky registration of prostitutes, but rather through more effective criminal investigation, prosecution and adjudication of the culprits without putting the victims in danger. For that purpose it is up to the Minister to develop alternative, privacy-friendly instruments in consultation with relevant NGOs.
We are willing to supply further information on the above points upon request.
Privacy First Foundation
Update 30 October 2012: this afternoon the Senate heavily criticised (especially) the privacy aspects of compulsory registration of prostitutes. As a result, Minister Ivo Opstelten has decided to reconsider his approach to the issue. It now seems that compulsory registration is shelved. The discussion on other parts of the legislative proposal is postponed until further notice. Click HERE for an audio recording of the parliamentary debate (in Dutch) until its suspension (mp3, 2u53m, 119 MB).
The Privacy First Foundation has, with pleasure, just taken cognisance of 1) the announcement earlier today of a Dutch legislative proposal to abrogate fingerprints in ID cards and 2) the decision by the Dutch Council of State (Raad van State) to make a request for a preliminary ruling to the European Court of Justice in Luxembourg on the legality and interpretation of the European Passport Regulation in four administrative cases of individual Dutch citizens. The Privacy First Foundation hereby makes an appeal to Dutch Parliament to adopt the legislative proposal to abrogate fingerprints in ID cards as soon as possible. In anticipation of the expected adoption of this legislative proposal, taking people's fingerprints for ID cards must be halted immediately or at least become voluntary as a temporary solution. Privacy First also hopes that the European Court of Justice will swiftly deal with the preliminary reference and conclude that taking fingerprints for passports and ID cards is unlawful because it violates the right to privacy. Further comments by Privacy First will follow.
Update 18.00h: listen to the interview (in Dutch) with Privacy First on Radio 1.
Update 29 September 2012: see also our reaction in the Dutch regional press.