Has the time of the “surveillance state” finally arrived in the Netherlands? This may be a legitimate question in the light of a so-called ‘dragnet bill’ which was approved by the Dutch Parliament’s Lower Chamber on February 14th. But what about the legally binding standards of European human rights? Can they stop the dragnet?
If the proposed bill also passes the Senate, it will provide broad powers to the Dutch General and Military Intelligence and Security Services (the ‘AIVD’ and the ‘MIVD’) to intercept communications and even to hack devices of unsuspected civilians. But any law which provides a restriction to or interference with the human rights of European citizens, such as the right to privacy, must live up to the standards of necessity and proportionality, as safeguarded by the European Court of Human Rights. And there are some serious doubts whether the new ‘dragnet bill’ does.
The ‘OOG’ (‘EYE’) may always be watching (article 48)
An important objective of the new bill is to provide the AIVD and MIVD with the power to intercept cable-bound communications in bulk, while such power is currently limited to wireless communications.
In its earlier stages, the proposal simply provided the authority for the AIVD and MIVD to perform ‘untargeted’ interception of telecommunications and data transfers. However, as the European fundamental right to privacy quite clearly does not permit entirely untargeted monitoring and interception of telecommunications of citizens, the wording was later changed to ‘investigation order specific’ interception (in Dutch: ‘onderzoeksopdrachtgerichte’ interceptie, which has been given the acronym ‘OOG’. This still offers plenty of Orwellian associations, as ‘oog’ is the Dutch word for ‘eye’).
With the ‘OOG’ concept, it seems that the government has tried to provide the Dutch intelligence services the broadest authority for intercepting telecommunications that may still be defensible under the applicable and binding human rights. Whether such a defense would hold up in court, however, remains to be seen, as the powers under the ‘OOG’ system still seem broad, and the limitations vague.
It appears possible, for example, that the AIVD and/or MIVD would request the responsible Minister for approval to intercept and store (for up to three years) all communications via WhatsApp, Facebook or Signal, as such platforms may be used by terrorists. If approved by the Minister, such monitoring of an entire platform, which may be used by millions or even billions of users, may still be overly broad, and not ‘necessary in a democratic society’ as required under European human rights.
Even unsuspected persons may be hacked (article 45)
The new legislative bill also provides an expansion of the intelligence services’ authority to hack into devices. In addition to their already existing authority to hack a target directly, the new bill also provides the explicit right to hack into (unsuspected) third parties, as a stepping stone to get to the actual target. By using malware or similar techniques, the services will be able to hack into the laptop of an innocent civilian just to get into the devices of a possible suspect next door. In other words, anyone could be hacked based on proximity.
Service providers can be forced to spy on their customers (article 53)
The new bill provides the power to coerce any communications service provider to cooperate in the interception of telecommunications or data transfer. The exact extent of the cooperation which may be required remains unclear. The necessity for the change is also not very clear, as the current law (art. 24) already gives intelligence services the power to require anybody who knows how to decrypt certain communications to cooperate in such decryption. It appears that the new bill may provide more leeway for the intelligence services to force any communications service provider to actively spy on its users.
Data may be transferred to other parties, including foreign agencies
Both already analyzed data (article 89) and collected data of which the content is yet unknown (article 64) may be transferred to foreign intelligence and security services if the new bill becomes a reality. The transfer of unknown data in particular poses risks, because the consequences which the information may have for citizens cannot be assessed in advance.
The bill also allows the AIVD and MIVD to exchange data with the police, while the police and the secret services are subject to different rules and regulations. This seems to present a risk that procedural safeguards to protect citizens from unwarranted interference may be circumvented.
Supervision may not be sufficient (article 32)
A key principle of constitutional democracy is that extensive powers should never go unchecked. While some of the powers described above may be overly broad and the limitations too vague, a positive point of the new bill is that it does provide for supervision at several levels. For many of the powers above, the head of the intelligence agency is required to request prior approval of the Minister of the Interior and Kingdom Relations. Furthermore, a new, independent review commission (‘TIB’) will verify the legitimacy of the request and approval of the powers. The supervision of the actual execution of these powers is left to the already existing Supervisory Committee for the Intelligence and Security Services (‘CTIVD’). The question remains, however, whether the supervision provided by the bill will be enough.
Although it seems appropriate that at least two of the three members of the review and supervisory committees must have at least 6 years of experience as a judge, there is no requirement for any of the members to have any relevant technical knowledge to correctly assess the impact of their evaluation. Furthermore, the Dutch Personal Data Protection Authority (‘AP’) and the Council of State (‘RvS’) already identified a risk that the TIB would merely act as a ‘rubber stamp’, due to its modest manpower, its lack of investigatory powers, and the gravity of the potential consequences if an authorization would not be granted where requested.
A more thorough review after the fact could potentially address such concerns, but the CTIVD’s judgements about the legitimacy of the intelligence services’ operations will (still) not be legally binding under the new bill.
So now what?
Even though a multitude of parties, such as the Dutch Data Protection Authority, the Council of State, the Council for the Judiciary, civil society organisations such as Bits of Freedom and EDRi, and a host of academics have expressed serious concerns about the new bill, it passed the Lower Chamber with few amendments. It appears that political expedience has (once again) triumphed over sound lawmaking.
This is somewhat reminiscent of the telecommunications retention directive and laws, which the European Court of Justice finally overturned about 8 years after its creation. If the Senate (once again) fails to make significant improvements, it seems that it would once again be up to civil society and the courts to prevent that “a system of secret surveillance for the protection of national security may undermine or even destroy democracy under the cloak of defending it”.
If your business depends on the Internet and IT (and whose doesn't nowadays?), you may want to consider chipping in as well. After all, will it be good for business if consumers have to fear that any of their communications may be intercepted, and any of their devices may be hacked, at any time?
This blogpost was written by Joy van Aanholt and Matthijs van Bergen.