Privacy First’s objections against Dutch Minister Opstelten’s hacking scheme
Earlier this year the Dutch Minister of Justice and Security Ivo Opstelten came up with the miserable plan to authorize the Dutch police force to hack into your computer (both at home and abroad!) and to enable the police to demand that you decrypt your encrypted files in the presence of a policeman and obediently hand them over to the State. In the context of an online consultation (in Dutch), Privacy First notified the Minister that it has a number of principal objections against his plans:
Your Excellency,
The Privacy First Foundation hereby advises you to withdraw the legislative proposal ‘enforcement of the fight against cybercrime’ on the basis of the following eleven principal grounds:
- In our view, this legislative proposal forms a typical building block for a police State, not for a democratic constitutional State based on freedom and trust.
- The Netherlands has a general human rights duty to continuously fulfil the right to privacy instead of restricting it. With this legislative proposal the Netherlands violates this general duty.
- This legislative proposal is not strictly necessary (contrary to possibly being ‘useful’ or 'handy') in a democratic society. Therefore the legislative proposal is in breach of Article 8 of the European Convention on Human Rights.
- Moreover, this legislative proposal violates the prohibition of self-incrimination (nemo tenetur se ipsum accusare).
- Function creep is a universal phenomenon. This will also apply to this legislative proposal, which will form the basis for future abuse of power.
- This legislative proposal puts the relationship of trust between the Dutch government and the Dutch people to the test. This will lead to a chilling effect in Dutch society.
- Through this legislative proposal age-old assets such as freedom of the press and the protection of journalistic sources, whistleblowers, freedom of speech, free information gathering, freedom of communication and the right to a fair trial are put under severe pressure. This is detrimental to the dynamics within a free democratic constitutional State.
- This legislative proposal and the accompanying technology will be imported and abused by less democratic governments abroad. Therefore the legislative proposal forms an international precedent for a worldwide Rule of the Jungle instead of the Rule of Law.
- As of yet the legislative proposal lacks a thorough and independent Privacy Impact Assessment.
- This legislative proposal stimulates suboptimal (i.e. crackable by the government, because otherwise illegal?) instead of optimal (‘uncrackable’) ICT security.
- Fighting cybercrime demands multilateral cooperation and coordination instead of unilateral panic-mongering as is the case with this legislative proposal.
Yours sincerely,
The Privacy First Foundation
Privacy First calls for moratorium on illegal operations with Dutch police drones
From the response to Parliamentary questions (in Dutch) it emerged this week that there is no specific legal basis for the secret use of drones by police in the
Without a specific legal basis in accordance with Article 8 paragraph 2 ECHR, every police drone constitutes an inadequate means of criminal investigation that shouldn't be used. Therefore the use of such drones should be suspended with immediate effect. In individual criminal cases, it is up to the judge to exclude information gathered with police drones from legal proceedings as it concerns unlawfully obtained evidence.
Privacy First hereby makes an urgent appeal to the Dutch House of Representatives to institute a moratorium on the further use of drones. Such a moratorium should only be lifted after a broad democratic debate has taken place and the use of drones has been properly regulated. In case the current Dutch situation will continue to be politically tolerated, Privacy First reserves the right to enforce a moratorium in court.
Heise Online (Germany), 23 March 2013: 'Niederlande: Drogenfahndung und Verfolgung Flüchtiger mit Drohnen'
"Since 2009, the Dutch police have used drones in 132 cases to solve various crimes or to build situational overviews. Pursuing getaway cars with cameras and detecting cannabis plantations with thermal cameras made up the majority of these deployments. This emerges from information provided by the Dutch infrastructure and interior ministries, which, however, refused to give details about the drone deployments. The MP who submitted the questions, Gerard Schouw of the D66 party, finds that unacceptable: the use of drones must be open to public scrutiny and have a legal basis.
Speaking to the Dutch channel of RTL, Schouw said that without precise information and means of oversight, the use of drones takes place in a grey area. 'From what distance are innocent citizens being filmed? Nobody has any idea what is going on there.'
Schouw received support from the Dutch data protection organisation Privacy First. Its lawyer Vincent Böhre stated that camera surveillance with drones is a surveillance technique that is not permitted under Dutch law.
The legal scholar Leon Wecke of Radboud University made a similar point. 'We are followed by cameras everywhere. Now there are also drones that we are not aware of.' This is a violation of privacy, Wecke told the online news outlet Nu.nl. Drones therefore require their own statutory regulation, Wecke stressed. The drone deployments are said to have taken place in Arnhem, Amsterdam, Almere and Rotterdam. Because of ongoing technical problems, the Amsterdam police are said to have since taken their drones out of service.
In Germany, the Greens recently discussed the use of drones at a symposium, covering police drones as well as military drones. The videos of this symposium are now available online."
Source: Heise Online, 23 March 2013.
Expatica.com, 18 March 2013: 'Use of drone aircraft in criminal investigations raises privacy fears'
"The police are increasingly using unmanned aircraft in their efforts to track down criminals in the Netherlands, leading to MPs' questions about the privacy implications.
Drones - small helicopters equipped with cameras - are used to trace burglars and getaway cars as well as illegal marijuana plantations. For example, Harlingen borrowed two drones from the defence ministry last year after a spate of burglaries in the Frisian town.
Since 2009, drones have been used in at least 40 areas, the AD reported on Monday. In total, they were in the air on at least 132 different days.
Legality
D66 parliamentarian Gerard Schouw has asked the justice ministry to explain the implications of the use of drones on privacy.
'I understand they can be useful, but they need to have a basis in law,' he is quoted as saying by RTL news. 'How closely can innocent citizens be filmed. No-one has a clue what they are filming.'
Lawyer Vincent Böhre from the Privacy First foundation said the use of drones is illegal because the flights are not made public.
'It is a form of camera supervision which is not allowed under Dutch law,' he told the broadcaster. The use of drones also infringes European privacy laws, he said.
Amsterdam city council said earlier this year it had grounded its two €29,000 drones because of continuing technical problems."
Source: Expatica.com (Netherlands), 18 March 2013.
UPI.com (USA), 18 March 2013: 'Dutch question police use of drones'
"Dutch lawmakers and lawyers say they are questioning the increasing use of unmanned aircraft by police to track criminals and locate marijuana plantations.
The drones have been used for at least 132 days in at least 40 areas since 2009, DutchNews.nl reported Monday.
The city of Harlingen borrowed two drones from the defense ministry in 2012 after a rash of burglaries.
"I understand they can be useful, but they need to have a basis in law," said parliamentarian Gerard Schouw after asking the defense ministry to explain the implications the drones may have on privacy.
"How closely can innocent citizens be filmed," he queried. "No one has a clue what they are filming."
Use of the drones is illegal under Dutch law and may violate European privacy laws, said attorney Vincent Bohre of the Privacy First Foundation.
Amsterdam city officials said earlier this year they had grounded their two drones because of technical problems."
Source: UPI.com (United Press International, USA), 18 March 2013.
SonHaber.nl (Turkish), 18 March 2013: 'Hollanda polisi insansız uçakları sevdi'
"It has been reported that in recent years the Dutch police have made increasing use of unmanned aircraft in combating illegal activities.
A report in the newspaper AD stated that the unmanned aircraft, known as 'drones', are used in particular to investigate human and drug trafficking or illegal criminal organisations. The report, which noted that these aircraft have been used more frequently of late, stated that they have been used at least 132 times since 2009.
According to data from the Ministry of Infrastructure and the Environment, the Ministry of Security and Justice and the Ministry of the Interior, the aircraft in question have flown at no fewer than 40 locations over the Netherlands, and this number has recently been increasing.
The Privacy First Foundation (De stichting Privacy First) states that this practice by the police is carried out without notification and is therefore illegal.
Meanwhile, D66 MP Gerard Schouw said he would ask for an explanation on this matter in Parliament, adding: 'Checks of this kind must be lawful and verifiable. At the moment we know nothing.'
The police had stated that in December last year and February this year they used drones belonging to the Ministry of Defence to solve burglaries in Harlingen."
Source: SonHaber.nl, 18 March 2013
Every motorist to become a potential suspect
The Dutch Ministry of Justice wants to track all motorists. The Privacy First Foundation is preparing for legal action.
Under a new, far-reaching legislative proposal, the Dutch Minister of Security and Justice Ivo Opstelten aims to enhance criminal investigation by introducing a four week storage period of the number plates of all cars through camera surveillance and Automatic Number Plate Recognition (ANPR). Current rules dictate that these data have to be deleted within 24 hours. In 2010, the previous Dutch Minister of Justice (Hirsch Ballin) planned to make a similar proposal with a storage period of 10 days. However, the Dutch House of Representatives then declared this topic to be controversial. In his current proposal, Opstelten takes things a few steps further. Early 2010 the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, CBP) ruled that police forces were not adhering to Dutch privacy rules by storing number plates for a greater period than was legally allowed. According to the CBP, all number plates that are not suspect (so-called ‘no hits’) are to be removed from relevant databases immediately. Opstelten’s plan to store the number plates of unsuspected citizens for four weeks directly flies in the face of this.
The Privacy First Foundation considers Opstelten’s legislative proposal to be a threat to society. ‘‘Under this measure every citizen becomes a potential suspect. You ought to trust the government, but it’s that very government that distrusts its own citizens’’, Privacy First chairman Bas Filippini declares. In a healthy democratic constitutional State the government should leave innocent citizens alone. Under this legislative proposal the government crosses that fundamental line. Collectively monitoring all motorists for criminal investigation and prosecution purposes is completely disproportionate and therefore unlawful.
In case Dutch Parliament adopts this legislative proposal, Privacy First will summon the Netherlands and have the legislative Act in question declared null and void on account of being in violation with the right to privacy. If needed, Privacy First and individual co-plaintiffs will be prepared to litigate all the way up to the European Court of Human Rights in
Privacy First opposes biometric immigrant database
This week the Dutch House of Representatives will vote on a legislative proposal on the taking of 10 fingerprints of all foreigners (immigrants) for criminal investigation and prosecution purposes. This legislative proposal originally dates back to March 2009, the period in which all the Dutch government could come up with was privacy-intrusive legislation. The Privacy First Foundation deems this legislative proposal to be in breach of the right to privacy and the prohibition of self-incrimination. Below is the email that Privacy First sent to relevant Members of Parliament this afternoon:
Dear Members of Parliament,
Next Tuesday you will cast your vote on a legislative proposal aimed at extending the use of biometric features (fingerprints, facial scans) of immigrants. Hereby the Privacy First Foundation advises you to vote against this legislative proposal, especially in light of its disproportionate character. This disproportionality is demonstrated by the lack of relevant statistics and the relatively low fraud figures mentioned in the annotation to the legislative proposal dated 13 July 2012 by former Minister for Immigration, Integration and Asylum Gerd Leers (Christian-democratic party CDA).[1] As with all human rights, any infringement of the right to privacy (Article 8 of the European Convention on Human Rights, ECHR) requires a concrete statistical necessity instead of vague suspicions and wishful thinking. Therefore, it is all the more worrying that under this legislative proposal the prints of as many as 10 fingers will be taken of every immigrant to ‘compensate’ for the fact that the biometric technology is inadequate to suffice with just one or two fingerprints. However, are these 10 fingerprints not actually meant to serve the interests of criminal investigation behind this legislative proposal...? In this respect, a comparison could be made with the following consideration by the Minister of Justice Benk Korthals (Dutch political party VVD), dated 10 December 2001:
‘‘In response to the question by the CDA, I am not prepared to proceed to the taking of fingerprints of all Dutch citizens in the interests of criminal investigation. This would be disproportionate, considering for example the number of print cases offered on an annual basis, in the whole of the Netherlands around 10,000. Furthermore, it is basically impracticable because prints have to be made of all ten fingers and possibly the hand palms for them to be of any use for criminal investigation. Apart from the administrative processing and control, this would require too big a drain on police resources. In the context of the new ID card, a new biometric feature such as a fingerprint will possibly be adopted. This will be about determining whether the holder of the ID card is in actual fact the very person that is mentioned on it. Perhaps just one fingerprint will be enough for that, but that is absolutely insufficient for criminal investigation.’’[2]
In other words: under the guise of combating fraud, with this legislative proposal a centralised search register of immigrants is created, exactly in the same way that this was about to happen a few years ago with the fingerprints of all Dutch citizens. Privacy First assumes that the various reasons why this last project was reversed midway through 2011 at the insistence of your Parliament (!) are known to you and apply just as much for the current legislative proposal. In addition, this proposal has a stigmatizing effect since it causes a whole population group (immigrants) to be seen as potential suspects. This creates an inversion of the presumption of innocence and conflicts with the prohibition of self-incrimination. In that sense the legislative proposal constitutes a collective violation of both Article 6 (nemo tenetur) and Article 8 ECHR (privacy and physical integrity). With regard to the Passport Act, this has led to a Dutch and European snowball effect of lawsuits since 2009. Therefore, Privacy First hopes that the House of Representatives has the progressive insight to prevent a repetition of this history.
Yours sincerely,
The Privacy First Foundation
[1] See Annotation on account of the report, Parliamentary Documents II, 2011-2012, 33192, no. 6, at 2-3, 5-6, 23, 25-27.
[2] Letter of the Minister of Justice (Benk Korthals) dated 10 December 2001, Parliamentary Documents II, 2001-2002, 19637 (Policy on refugees), no. 635, at 7.
Update 29 January 2013: the legislative proposal (no. 33192) has unfortunately been accepted by the House of Representatives this afternoon (video; starting at 19m36s). Dutch political parties D66, SP, ChristenUnie and the Party for the Animals voted against. Read also the report by Privacy Barometer and today’s article in newspaper NRC Handelsblad. Next stop: the Senate...
Update 29 January 2013, 21:45: Left-wing party GroenLinks ('GreenLeft') has notified that it had intended to vote against and will have the voting record corrected.
Update 30 January 2013: today GroenLinks notified the House of Representatives of its vote against the legislative proposal.
Update 31 January 2013: the article in NRC Handelsblad was also published in the affiliated newspaper NRC Next. Read also today's article in newspaper Nederlands Dagblad.
Update 8 February 2013: for the current status of the legislative proposal in the Dutch Senate, click HERE.
Update 6 March 2013: today Privacy First has sent a similar version of the email above to the Commission for Immigration and Asylum of the Dutch Senate.
Head of Dutch Intelligence: "I'm not in favour of Big Brother"
The Privacy First Foundation regularly organises networking drinks combined with informational sessions for our volunteers, donors and experts from our network of journalists, scientists, jurists and people working in ICT. Since July 2011, these events are organised about every three months and take place at the Privacy First office in the former building of de Volkskrant newspaper in for the invitations to our network (in Dutch). Would you also like to receive our invitations from now on? Email us!) The following morning, the essence of Bertholee’s lecture appeared on the AIVD website: click HERE (in Dutch). An article in Dutch newspaper Telegraaf about the event was published today. Below is a translated summary of Bertholee's speech and the discussion with the audience that followed (taking over two hours in total).
A common goal: freedom in an open democratic society
The night starts with a short introduction by Privacy First chairman Bas Filippini. In Filippini’s view, Privacy First and the AIVD actually pursue the same objective, namely freedom in an open democratic society, albeit from different perspectives. Rob Bertholee affirms this and says that tonight, contrary to what some may think, he doesn't really consider himself to be in the lion’s den. After a long career in the army, Bertholee has been the Head of the AIVD for nine months now. One of his first impressions of the AIVD was one of a professional organisation with people who are driven by their ideals, he says. Both the AIVD and the MIVD (military intelligence) have to deal with risks and threats to national security and the democratic legal order, in other words, with threats to our way of life and the guarantees for our freedoms thereof. As a result of internationalisation and new technologies, threats and risks increase in number and have a greater impact and reach. An example is the internet that, apart from its positive aspects, has a downside to it as well.
Security is not a fundamental right
The AIVD has two main tasks: intelligence and security. Formally however, security is not a fundamental right, Bertholee rightly remarks. In its case-law, the European Court of Human Rights has indicated that States are obliged to take all reasonable measures against life-threatening situations, he says. Subsequently, the Council of Europe has endorsed this in its Guidelines on human rights and the fight against terrorism. Whereas Privacy First focuses on the protection of the individual, the AIVD concentrates on the protection of the community of individuals. In between there’s a trade-off: in order to protect the community, sometimes it is necessary to infringe the rights of the individual. Bertholee then mentions a couple of tasks of the AIVD which do not infringe the right to privacy. This is the case for 1) personal security assessment and 2) protective measures for individuals, organisations and companies, for example in relation to espionage. In these two cases the AIVD is, by law, not allowed to deploy special intelligence powers. It is exactly the deployment of such powers that infringes people's privacy.
An important part of the AIVD is the National Communications Security Agency (Nationaal Bureau voor Verbindingsbeveiliging, NBV) which supports the Dutch central government in securing special information. The NBV evaluates security products and plays a role in their development. It is this agency where, for example, USB flash drives for the government are tested for data leakage. Then there’s the political intelligence task of the AIVD abroad, "which, admittedly, intrudes upon people's privacy, but not here in this country". Finally, there’s the task of making threat analyses for certain individuals (for example politicians), organisations or events. One task of the AIVD through which privacy in the Netherlands is put at stake concerns the assessment of "threats to our national security, the continuation of democratic rule of law and other, important State interests". This assessment is carried out, first of all, through open sources (media, internet, etc.), but can (subsequently) proceed by shadowing, monitoring or eavesdropping on persons or by penetrating virtual or physical spaces. In this respect Bertholee emphasizes the high degree to which employees of the AIVD are aware of 'the spirit' of the Dutch Intelligence and Security Services Act 2002 (Wet op de inlichtingen- en veiligheidsdiensten, Wiv2002). "As a citizen I felt reasonably reassured from the moment I had an understanding of what the AIVD was actually doing and what it could and was allowed to do, and also by the way the government can continue to exercise control over a service like the AIVD," says Bertholee. "You don't have to believe me, but I just wanted to share this with you," he jokes. Then he’s resolute again in saying "our tasks and powers are all clearly defined by law."
Legal framework
In the field of counter-terrorism, at the moment most of the AIVD’s attention goes out to (potential) Jihadists and radical 'lone wolves' like Anders Breivik. Bertholee finds it worrisome that such lone wolves are hard to track down, even though relevant information is sometimes available, for example at healthcare institutions or the police. A difficult dilemma is, on the one hand, the question whether or not certain events could have been prevented by correlating information on national and international levels and, on the other, which risks society is willing to take in order to preserve people's privacy, Bertholee explains. However, he can well imagine that citizens worry about the correlation and international exchange of data and that this is bringing about a 'Big Brother' experience. As a citizen, Bertholee himself is worried about this too. Where is the right balance between protecting the individual and protecting the community? Every special power of the AIVD is anchored in the Wiv2002. The simplest special power is talking to people (Article 17 Wiv2002). For every single special power in the Wiv2002 the following requirements apply: 1) necessity, 2) proportionality and 3) subsidiarity. Therefore, special powers may only be deployed in case open sources (internet etc.) prove to be insufficient. The AIVD is to continually ask itself: is it strictly necessary? And are we very certain that there are no lighter measures at our disposal? The enforcement of those very powers is verifiable afterwards. Apart from opening letters (this falls under the Dutch Postal Act) there is no investigative magistrate involved. However, for the use of every special intelligence power the approval by the Minister of the Interior and Kingdom Relations or by the Head of the AIVD on behalf of the Minister is required. Moreover, every new employee of the AIVD gets a basic education through which he or she is taught, among other things, about the Wiv2002.
In this context, Bertholee relates an interesting anecdote: once in a while the AIVD invites a number of journalists, members of Parliament or jurists to discuss a case. It turns out that those not working for the AIVD are more inclined to allow the use of special powers than the AIVD employees themselves. As an answer to a question from the audience, Bertholee says that he himself gave an explanation about the Wiv2002 to Interior Minister Liesbeth Spies, just one and a half hours after she was sworn in by Queen Beatrix. "We have no rules of our own, we abide by what is written in the law," Bertholee says. He goes on to describe the process behind the deployment of a special power: it starts with an employee who wants to use a special power for an AIVD investigation. The employee is to account for his request in writing and an AIVD operational lawyer looks into it. The request is then sent to a supervisor, after which it is forwarded to Bertholee. Finally, the request ends up at the desk of the Interior Minister. This happens case by case, always taking the prerequisites of the Wiv2002 into consideration. No form of pressure is allowed when the AIVD requests information from citizens. The same goes for requesting information from journalists: it is entirely up to them to cooperate or not. "If a journalist is not willing to cooperate, then that’s a pity for the AIVD and that’s where things end", Bertholee explains. However, some (parts of) conversations are registered in a memo since everything needs to be verifiable for the AIVD.
Supervisory mechanisms
Bertholee tells about the way the AIVD is monitored by various bodies that each play their own role. First of all there’s the Dutch Parliamentary Commission for Intelligence and Security Services ('Commissie Stiekem') which consists of all the leaders of Parliamentary parties. Then there’s the (public) Parliamentary Commission for the Interior. The legality of the execution of tasks by the AIVD is scrutinised by the Dutch Review Committee on the Intelligence and Security Services (Commissie van Toezicht betreffende de Inlichtingen- en Veiligheidsdiensten, CTIVD); this is an independent supervisory body which consists mainly of legal experts. According to Bertholee, in recent years the CTIVD assessments on the AIVD have largely been positive. Furthermore, the Netherlands Court of Audit (Algemene Rekenkamer) examines the (secret) budget of the AIVD. Both the CTIVD as well as the Court of Audit have access to everything within the AIVD.
Revision of the Wiv2002
With regard to a possible revision of the Wiv2002, Bertholee remarks that the legal space currently offered is sufficient for the AIVD and that he doesn’t need more powers. However, he does think it is "particular" that the Wiv2002 is in some aspects related to the Dutch Postal Act and to the Telecom Act, which makes it necessary for the AIVD to get the permission of an investigative judge to open a letter, while that same permission is not required for intercepting or opening an email. Hence the legislation is technology-dependent and "something needs to be done about that", Bertholee states. Besides, the CTIVD has proposed to change the legislation with regard to SIGINT (Signals Intelligence). Furthermore, Parliament may evaluate the Wiv2002 in the near future. It seems there are two thorny issues at the moment: a possible ban on using journalists as informants and more control over the effectiveness of the AIVD. The difficult thing is that the effectiveness of an organisation like the AIVD is hard to measure; this is related to the nature of the work and the type of threats that are being averted. Bertholee: "I accept that life has certain risks. The question, however, is what society wants. How many casualties per year do you find acceptable?"
No Big Brother
Confronted with a question from the audience about new, predictive technologies and the effect that these can have on social behaviour, Bertholee makes clear "not to be in favour of Big Brother. There are limits to what you can and what you cannot do. This is also related to the risks that you are willing to take as a society." Bertholee responds to another question from the audience saying that a special power may only be used as long as it's necessary. When the necessity (i.e. the reason or threat) ceases to exist, the authority to use a special power ceases to exist as well. The CTIVD keeps an eye on that. Five years after a special power has been used, a duty of notification towards the citizen involved applies, unless this could reveal relevant sources or a current operational method. However, this duty to notify has so far never been used. In fact, Bertholee wonders whether such a notification could actually be experienced as an assault on one’s private life in case there was nothing going on with the person concerned.
International exchange
The Wiv2002 remains applicable to the international exchange of intelligence between the AIVD and foreign secret services, Bertholee explains. Furthermore, an international code of conduct applies. The exchange of intelligence is examined from case to case and from country to country. In the event of exchange, what is allowed to happen with the intelligence in question is being indicated. Internationally this is being adhered to pretty well, according to Bertholee. However, in some cases, or rather, with some countries the exchange of intelligence could become a dilemma...
Drawing the line where violence starts
One question relates to the degree to which activists figure in AIVD files. Bertholee explains that, in principle, the AIVD conducts no investigations into activists. "We don’t care what someone thinks. We do not represent the moral high ground of the Netherlands. It is only when violence comes into play - or calls for violence, clear intentions towards violence, radicalisation - that we feel involved."
Current risks
During the discussion with the audience Bertholee emphasizes that it’s not the aim of the AIVD to collect as much data as possible. The aim is rather to collect the right information in order to be able to fend off threats. It is not the AIVD, but the industry that is the driving force behind the development of information technology that, unfortunately, is also used in less democratic countries. In response to a question Bertholee admits that there is a risk that a service like the AIVD could 'drown' in an abundance of data. Biometrics are one such development of new technology. This makes it more difficult to assume a new identity, both for people with bad intentions as well as for officers of the AIVD itself. Furthermore, the privatisation of intelligence is risky, especially due to the lack of legislative checks and balances.
Finally
Bertholee finishes his speech by emphasizing once more that the AIVD 1) doesn’t keep records of everyone, 2) doesn’t wiretap everyone, 3) shoots nobody, 4) doesn’t arrest anyone, 5) doesn’t force cars into the kerb, 6) doesn’t torture anyone, 7) doesn’t hack into every computer, 8) has no enforcement powers, 9) doesn’t put pressure on people and 10) doesn’t recruit journalists. Then Privacy First chairman Filippini rounds off the night and invites everyone present for drinks with music.
Postscript Privacy First: as international peace and security often benefit from dialogue between 'opponents', the same goes in our country for a good relationship between the government and civil rights organisations like Privacy First. In that sense we consider this night to have been very valuable and we hope that the AIVD deems this event to be worth repeating in the future!
Update 27 September 2012: as a result of Bertholee's speech, a second article appeared in Dutch newspaper Telegraaf.
NCTV Director Cyber Security: "Right balance with privacy needed"
The Privacy First Foundation organises networking drinks on a regular basis, inviting a prominent speaker around a topical issue. In September this year we organised a night with the Head of the AIVD, the Dutch Intelligence and Security Service. On 22 October we invited a speaker from the cyber security scene, namely Wil van Gemert, Director of Cyber Security at the NCTV, the National Coordinator for Counterterrorism and Security, part of the Dutch Ministry of Security and Justice. Investigative journalist Brenno de Winter was asked to moderate the discussion. Below is a translated summary of Mr. Van Gemert's speech and the discussion with the audience that followed:
Introduction by Privacy First
Chairman Bas Filippini gives a short introduction on the work of the Privacy First Foundation and introduces Wil van Gemert as well as Brenno de Winter. Filippini recalls that the Dutch government increasingly expects citizens to do everything digitally. In particular the elderly as well as people with fundamental objections are put in difficulty by this development. Meanwhile the government attains ever more powers of surveillance in the digital private domain of citizens. A current development in this regard is the plan of Dutch Security and Justice Minister Ivo Opstelten to be able to hack into computers of citizens. Privacy First is firmly opposed to this plan because, among other things, it would violate the right to confidentiality of email. The Dutch government should safeguard the privacy of its citizens. In that sense Privacy First and the Dutch government share the same goal, albeit from different perspectives. However, Opstelten’s hacking plans threaten to break down people's privacy and (through this) democracy as a whole. Filippini then gives the floor to Wil van Gemert.
Trends in cyber security
Mr. Van Gemert thanks Privacy First for the invitation and kicks off by showing a funny commercial advertisement about linguistic confusion. Like in the video, in cyber security it is all about trust, knowledge and awareness. Finding the right balance between tasks and responsibilities is equally important. In his lecture Van Gemert consecutively pays attention to current trends in cyber security, tasks of the government, cooperation between the public and the private sphere, the Netherlands Cyber Security Assessment (Cyber Security Beeld Nederland) and 'security versus privacy?': is this a contradiction or rather a matter of complementarity? And what are the present-day challenges? When it comes to cyber security, it all revolves around confidentiality, reliability, integrity and continuity of data in the digital information society. The first worldwide trend that Van Gemert identifies is 'Big Data': the enormous amount of data that is stored continuously and which increases on a daily basis. How can we handle this in a good way? A second trend is hyperconnectivity: the number of digital (internet) connections increases exponentially. This is how an 'Internet of Things' comes to life. The Netherlands has the second-highest internet density in the world, which gives our country a special position in this regard. A third trend is the disappearance of borders, both in time and distance as well as in terms of work and the private sphere. These trends require changes both in the way companies do business and in the role of the government in guaranteeing a secure society. These trends also have an influence on people, on consumers, for example through the new possibilities offered by mobile telephony. Big Data can be used to make highly personalised commercial offers in real time, say, a travel insurance when you're at Schiphol airport. However, when Van Gemert asks how many in the audience find this a good idea, not a single hand is raised. Van Gemert doesn't think it's a good idea himself either: it harms your privacy, it makes you feel you're being followed. Relatively many youths seem to be just fine with it though.
The influence of social media
An important aspect of cyber security is mobility: companies want to be able to reach their clients everywhere they go and employees are less and less bound to a workplace at the employer's office. For companies, political parties and the government too, social media are becoming ever more important for knowing what goes on in the market or in society. An interesting case is the recent incident with an airplane from Vueling Airlines with which radio contact was lost and for which the possibility of a hijacking was taken into account for some time. Since 2001 such an airplane (a 'renegade', PF) has been escorted by F16s as a matter of procedure. Imagine, however, that all passengers inside the airplane communicate through Twitter that things are fine: how do you deal with that as a government? These are questions that are being pondered within the government at the moment. Another aspect concerns the role of the government: from a monopoly to a more independent role, since for the most part the cyber infrastructure is in the hands of companies. Then there's the authority issue: social media have an influence on the degree to which government campaigns are successful with the general public. A recent example is the government campaign for vaccinations against cervical cancer. A further aspect is that cyber security is community driven: the community makes itself the owner of a certain problem, as was the case for example with the Dorifel virus. This community consists of researchers, relevant companies, hackers etc. and can sometimes offer clarity on certain issues, unlike with classical investigation methods, where direction lies with the government. However, the digital IQ of most companies is still low, so it is a challenge for the government to increase the digital IQ of companies, says Van Gemert.
Lack of a security concept in cyberspace
The Netherlands is a country characterised by seas and dykes: if the water seeps through, we build a dyke around it. This classical way of crisis containment is almost impossible in cyberspace. Companies often are not aware of where their data are situated precisely, how they are interconnected and which effects occur when a failure manifests itself somewhere. Apart from the human factor, platforms, applications and infrastructures all have problems of their own. Due to the interaction between these four levels, a security problem often becomes very extensive. In the physical world we are familiar with a safety concept; think of the safety regulations on a construction site. But is there such a security concept in cyberspace? And which roles do the government, the private sector and citizens play in this? At the moment this is insufficiently clear. On the highway certain safety standards and traffic rules are in force. But each citizen can also buy a computer and go onto the digital highway unprotected.
For a year and a half the Netherlands has had a National Cyber Security Strategy. Part of this has been the installation of a Cyber Security Council: an independent advisory body for the government. In the National Cyber Security Strategy it has been agreed that the Netherlands makes an annual Cyber Security Assessment of threats and actors. Furthermore, since the beginning of 2012 there has been an operational management within the NCTV, which consists of two parts: 1) the National Cyber Security Centre, NCSC (which acts as a centre of excellence, among other things) and 2) a range of policies (which support, among other things, the answering of parliamentary questions and questions from the private sector). The starting point here is public-private partnerships; in this way new coalitions with new forms of participation between the government and trade and industry as well as with NGOs come to life. The government as well as private parties and experts take part in the Cyber Security Council and in the NCSC. One topic that is being dealt with together is cloud computing. Moreover, the NCSC has recently acquired an ICT Response Board; within this public-private partnership people from the government and the industry can be called upon for advice and assistance in the event of incidents or crisis situations. Then there are ISACs, Information Sharing and Analytical Committees, in different areas, for example for the vital infrastructure with regard to energy, water, finances, etc. This too is a public-private partnership.
Threats in cyberspace
Cyber security has been a hot topic of late and negative incidents sometimes result in positive initiatives. There has been a unanimous request by the House of Representatives to set up a security breaches notification centre. In this context Van Gemert tells the following: "The Diginotar affair has made clear that the following question is of relevance: what can the government do in the event of a crisis? How can the government force a company that plays a key role to cooperate in order to prevent social breakdown and damage to society? Are such possibilities at our disposal in the first place? Our conclusion from July this year was affirmative, in case we can declare a state of emergency in relation to a cyber incident." Furthermore, Van Gemert stresses that we should not just invest in the detection of data leakages, but also in the right response to them. Here the role of the government concentrates on coordination, communication and consultation. In July this year the second Cyber Security Assessment of threats, targets and actors was released. The main threat comes from foreign governments (espionage) and cyber criminality. Contrary to what most people believe, so far cyber terrorism poses a smaller threat. In addition, cooperation between 'hacktivists' and foreign State actors (i.e. intelligence services) could be worrisome.
On the relationship between privacy and security, Van Gemert remarks that as far as he is concerned "there is no privacy without security. If you do not organise security, in the end there will be no privacy. You really do need to take measures to make sure your privacy is protected. Privacy and security have a mutual interest in each other. So in that area, information protection and related agreements are necessary. Also in order to protect privacy, on a daily basis the NCSC brings out advice on vulnerabilities which could be harmful for companies and citizens. Our website www.waarschuwingsdienst.nl is focussed on making citizens more aware and mobilising them against threats. However, we are not a supervisory body, we cannot enforce anything. We can merely give out advice and propose best practices. Between 12 and 22 November 2012 the government will pay attention to 'awareness' through its campaign Alert Online in cooperation with 10 partners. This campaign is aimed at citizens as well as companies."
Finally, Van Gemert underlines the importance of fundamental digital rights and self-reliance of citizens through knowledge and awareness. Van Gemert brings forward three subjects for discussion with the audience: 1) How do security and freedom relate to each other conceptually? 2) What is the role of Privacy First? Is it always to be an opposing force or can it also be an ally? 3) What is the role within cyberspace of our law-enforcement and supervisory organs, for instance the police? What is their role when it comes to individual emergency aid and law-enforcement in cyberspace?
Discussion with the audience
Even though Van Gemert is not responsible for the cybercrime department, he is nevertheless prepared to say one or two things about it on behalf of the Ministry of Security and Justice. Answering a question from the audience about the possible international consequences which an intervention in cyberspace from the Netherlands may have, Van Gemert points out that the concept of virtuality requires a different approach compared to a territorial approach when it's not clear where a particular server is situated. Here he makes a comparison with the development of maritime law in international waters. The country in which the damage occurs should form a point of reference in terms of jurisdiction. However, in this regard there are no unequivocal answers; the national and international rules on these matters are not yet clear. Brenno de Winter emphasises that Dutch hacking activities in foreign countries could well set a dangerous international precedent. What if a country like Iran ascribes those same powers to itself? This is a concern that is shared by others in the audience.
Another question from the audience relates to the public-private partnership as is the case with Diginotar. Israeli wiretapping systems in the Netherlands are referred to as well. Does the Netherlands not make itself enormously vulnerable with this? Van Gemert replies that this has indeed become a prominent question since the Diginotar affair. However, he is not willing to go into the topic of wiretapping systems since he's not involved in this in terms of policy. It is then mentioned from the audience that, within public-private partnerships in the area of cyber security, Dutch NGOs are structurally being kept out. De Winter too remarks that the NCSC is seen by many as an unreachable fortress where you're not being heard. Van Gemert responds to this by saying that the NCSC certainly does look for contact with pressure groups. Here too the question is which side these pressure groups pick: do they take on an opposing or a supporting role? "I'm convinced that we should look for new forms of cooperation between the government, the industry and trade, the citizenry and with pressure groups, which make sure our society becomes more secure. Looking out for those contacts is the reason that I'm standing here," Van Gemert says.
Another question from the audience is about the detection of hack attempts. To what extent is this being delegated by the government to industry? Van Gemert reacts by saying that the government does the detection work itself on the basis of the exchange of digital traffic data (not on the basis of content) as far as it concerns the vital (government) infrastructure; companies take care of such detection efforts themselves. Someone in the audience remarks that in this respect the government could take up the role of bringing together relevant knowledge and experience in each individual business sector. Another comment from the audience concerns the lack of international rules that was presupposed earlier: why does the Netherlands not conform to the already existing Budapest Convention on Cybercrime and why are the legal possibilities under this Convention not being adequately used? Other observations deal with the cooperation between Dutch municipalities, the banks and the telecom sector. Someone asks how big a threat cyber warfare really is and how the Netherlands prepares itself for it. Van Gemert here refers to cyber as the 'fifth battlefield' apart from the four domains of land, sea, air and space. This is an actual development: by now there are about 20 countries which have the capacity for this type of warfare. There are a lot of financial cuts in the Netherlands, but money is actually being invested in cyber matters by the Ministry of Defence. Cyber war entails a new question of attribution: which country inflicts the damage and how is one to react to it? During the discussion the US Patriot Act is mentioned as well as the risks of storing data in 'the cloud'. "Think carefully about what you put in the cloud," Van Gemert advises.
Then comes the question to what extent the government considers the protection of personal data vital for our infrastructure and to what degree the government is keeping an eye on the risks of identity fraud and identity theft through the coupling of personal data to citizen service numbers. Does the government endorse the Scientific Council for Government Policy report called iGovernment? Is declaring a cyber state of emergency equivalent to a disaster or warfare situation in which all regular legislation can be nullified with all the privacy risks it entails?
Someone mentions that the police power to hack into computers of citizens could imply that computer data of individuals could be changed without it being noticed and could then be used against those same individuals. Van Gemert replies that personal data is fundamental and critical data that is to be protected properly. Not just companies but citizens themselves ought to be better aware of this. As far as a state of emergency is concerned, Van Gemert remarks that this was not even proclaimed during the Dutch flood of 1953. In terms of cyberspace there is no need for new, complementary legislation for a state of emergency. Current legislation for a state of emergency can only be applied in extreme situations.
Another point of discussion is the fact that for years the Dutch government has been dependent on Microsoft: why is this situation (with the associated privacy risks) lasting ever longer? On request Van Gemert clarifies his earlier remarks on a cyber state of emergency: such a situation cannot be proclaimed on the basis of a single incident, but only when we're dealing with large-scale societal breakdown. Then it is asked from the audience to what degree the government has the responsibility of not making legislation and policies which can be copied and abused by other countries, like the way companies are not allowed to deliver certain dual use equipment to certain countries. Van Gemert says that for some goods there are indeed UN sanctions lists: the Dutch General Intelligence and Security Service (AIVD) verifies this. A free internet abroad is mainly supported by the Dutch Ministry of Foreign Affairs. Generally speaking, a democratic society always needs to abide by a moral guideline. Then the discussion about possible government powers to hack computers in foreign countries comes to life again among the audience. In this context, does the permission of an examining magistrate offer sufficient protection against abuse? Someone else in the audience remarks that, nowadays in the area of phone-tapping, the examining magistrate has become some sort of rubber-stamping device. Someone remarks that Van Gemert's distinction of five domains of warfare is put too simply. In international law, traditionally there are only three domains of warfare: land, sea and air. Since the 1970s, in space the principle of 'peaceful use of outer space' applies. So why not introduce a similar new principle of 'peaceful use of cyberspace'?
In reaction to a question about guaranteeing privacy, Van Gemert replies that he attaches importance to clarity over what is and what isn't allowed. Through investigative powers sometimes one's innocence can also be proved. The challenge is finding the balance between cyber security and privacy, Van Gemert says. Then someone in the audience points to the dangers of the coupling of personal data and function creep. Our democratic constitutional State is no invariable matter of fact. Does the government take this into account? Van Gemert reiterates that the challenge is in finding the right balance. Calls for new legislation by parliament after an incident are not always adhered to by the government, for instance when it concerns anti-terrorism legislation and emergency legislation. Then someone in the audience states that for a raid a search warrant is required, which is verifiable for the citizen. This verifiability is absent when hacking into a computer. Van Gemert responds by saying that such verifiability is equally missing when it comes to phone tapping or police observation, especially when it's a case that's not brought to court. In this respect, De Winter remarks that the existing compulsory notification is not complied with by the government either. From the audience it is added that through all registration measures the presumption of innocence of citizens is put under pressure. This changes society and makes people start to comply with an 'all-seeing government'. As a response, Van Gemert underlines once more that 'privacy and security cannot do without each other'. In his view these sorts of discussions are important to get more clarity and to be able to make steps forward. Finally, Van Gemert stresses the importance of a security concept in cyberspace with sufficient attention to privacy.
Finally
De Winter gives the final word to the Privacy First Foundation. Chairman Bas Filippini thanks Van Gemert for his open attitude toward the opposition. In the view of Privacy First, discussions such as these are fundamental. In recent years there has been too little dialogue with the privacy movement; the government has grown bigger while participation by citizens has decreased. Privacy First is happy to accept the invitation to become part of the coalition. "We will be a necessary irritant, but you have to be able to deal with that", Filippini concludes.