ABC against the Sleep Act
Below are Privacy First's main objections to the new Intelligence and Security Services Act (Wiv2017 or 'Sleep Act'), in alphabetical order:
A. A Drain
The power of 'research command-based interception' - popularly known as dragnet - makes it possible for the intelligence and security services (secret services) to tap the internet traffic of large groups of people at the same time. For example, a tap can be placed on a particular municipality, a district, neighbourhood or street if a secret service 'target' lives there. In the process, the communications of innocent citizens are collected through a digital dragnet. Privacy First believes that the data of innocent citizens does not belong to the intelligence services. Moreover, the effectiveness of the intelligence services is decreasing due to the excessive amount of data collected.
Data gathered with the dragnet may be shared with foreign countries un-evaluated under the new Intelligence and Security Services Act (Sleepwet). This means that Dutch intelligence services can share unseen and unselected data (of innocent citizens) with foreign secret services. The use of this data can then no longer be supervised by the Dutch services.
Un-evaluated data collected through the dragnet may be kept for three years. This unevaluated data may also be shared unseen with foreign countries. Data that the intelligence and security services have found relevant may be kept as long as it is still relevant.
The opinion of the independent regulator CTIVD (Intelligence and Security Services Regulatory Commission), which tests in retrospect whether the powers have been deployed lawfully, is not binding. The minister can disregard the findings and recommendations and possibly continue to deploy powers unlawfully.
The new law may cause people to behave (unconsciously) differently than they would behave in a free environment. This may adversely affect the exercise of fundamental rights other than the right to privacy, such as freedom of expression or freedom of association, assembly and demonstration.
The new law allows direct, automatic access to databases throughout the private and public sectors. It allows intelligence agencies to directly access all kinds of sensitive databases at companies, government agencies and other organisations, either through informants or agents (infiltrators) at those organisations or through secret agreements.
The new law requires encrypted data at companies, governments or individuals (e.g. communication data) to be decrypted at the request of the secret service. Refusal to comply with a decryption order is punishable by 2 years' imprisonment.
With the introduction of the law, the intelligence and security services will have their own DNA database. They are allowed to collect the DNA of so-called 'targets' (targets) and 'non-targets' (innocent citizens). To collect this DNA, the intelligence and security services may, among other things, gain access to a private place, such as an office or home. De Groene Amsterdammer has written a very extensive piece on the "DNA Collection Service", this is here to read.
E. European Convention on Human Rights (ECHR)
The right to privacy is a human right: it is protected by Article 8 of the ECHR. Privacy First believes that the new Sleep Act violates the right to privacy. Privacy First therefore has a (draft) subpoena ready to take the State to court as soon as the Sleep Act enters into force. The court can then review and (partially) set aside the Sleep Act for violation of art. 8 ECHR.
F. Fake news by Dutch government
According to our Home Affairs Minister Ollongren, it is not necessary for the government to post neutral information on its website rijksoverheid.nl about the Sleeping Act referendum. As a result, the government is not providing objective information to voters.
G. Automated works
As explained under "hacking powers" and "Internet of Things", the Sleep Act will allow all devices to be hacked by the secret services.
H. Hacking power
Under the new law, the intelligence agencies will have the ability to conduct a target hacking through innocent third parties. This means that by hacking a third party (aunt, sister, friend, girlfriend, spouse, grandfather, colleague, neighbour, work, government, company, etc.), the intelligence service gains access to information about the service's target. This means that the devices of innocent citizens can be hacked by the services. These citizens will never be informed of this (there is no notification requirement for this).
I. I have nothing to hide
Everyone has the right to a private life. The data of innocent citizens therefore does not belong with the intelligence and security services. This data including medical information, personal conversations, private emails, business emails, news reports, hobbies, interests and internet search results should therefore be well protected. Besides, you may have 'nothing' to hide, but other citizens such as medical professionals, lawyers, activists, whistleblowers and journalists do.
Internet of Things
More and more devices are connected to the internet. All these devices can be tapped or hacked under the Sleep Act. Think of a car, camera, microphone, printer but possibly even a pacemaker. After all, the Sleep Act does not exclude this possibility.
Journalists' communications can be intercepted with the new law, including through the use of the dragnet. The secret services can then learn of this information. This poses a threat to press freedom and journalistic source secrecy. Only afterwards will the services remove the information not necessary for the investigation as soon as possible.
K. Cable-based interception
It is wrongly speculated that the intelligence and security services are currently not allowed to tap on cable and only over the airwaves. Under the current law, the intelligence and security services are allowed to carry out a tap on cable if it is targeted at, say, a single individual. The new law gives the intelligence and security services the power to conduct untargeted and large-scale wiretapping (dragnet).
Arjen Lubach, in his broadcasts of Sunday with Lubach made three items on the Sleep Act and why it is good to be critical of it. The videos can be viewed here: Towing law 1, Towing law 2 and Towing law 3.
M. Human Rights
Privacy is a human right. This right to privacy applies to everyone and is guaranteed by numerous international and European treaties. This right is massively violated by the Sleep Act, as the data of large groups of innocent citizens will be collected, stored and exchanged internationally by this law.
The new law cannot guarantee patients' medical privacy and doctors' medical confidentiality: the secret services may request relevant data from anyone, including doctors and hospitals, and request access to their data system (Electronic Patient Record) or hack into such systems. Moreover, this may lead to care-avoiding behaviour among patients and thus threaten public health.
N. Notification requirement
The notification requirement in the new law falls short. In principle, five years after the deployment of a power under the Sleep Act, the person concerned should be notified. However, this only applies to some of the new powers. Privacy First believes the notification obligation should apply to the deployment of all powers.
O. Innocence Presumption
The introduction of the new law reverses the principle of innocence. Because of the dragnet, potentially every citizen becomes 'suspicious', with no concrete reason to track that citizen. In addition, the chances of false positives (unjustified suspicions) in mass data collection very high.
The privacy of innocent citizens is violated by the deployment of the Sleep Act. See all other arguments for this.
Q. Quest for data
There is an appetite for data in government. Whereas countries around us are going back to a targeted approach, the Netherlands is going for Big Data. As a result, more and more hay is being collected and the pin will be harder and harder to find. More data does not immediately ensure more security.
A judicial review prior to the use of the powers is mostly lacking. As explained under "TIB", the new review board lacks the investigative powers for effective and independent oversight.
Secret agents are authorised to commit crimes under both the current and new law. However, the exact scope of this power is unknown to date. Under the current law, this power could be further regulated through a (never introduced) Order in Council (AMvB). Several years ago, the Dessens Commission recommended that this AMvB be introduced after all. In the new Dutch Sleep Act, however, the basis for this AMvB has been removed, leaving a legal vacuum.
Independent monitoring of all phases of the services' deployment of powers (before, during and after) is insufficiently guaranteed. Since the intelligence services operate covertly, citizens against whom the powers are deployed cannot object themselves. For this, the deployment of powers should be independently reviewed. The new Toetsingscommissie Inzet Bevoegdheden (TIB) only tests in advance whether the minister has rightly given permission for the deployment of a relatively heavy ('special') power under the new law. This review is subject to fewer safeguards than judicial review. In addition, the TIB has no investigative powers of its own and is completely dependent on the information given to them. Several bodies, such as the Personal Data Authority, have warned that the TIB must be prevented from being a 'stamping machine'.
The argument will often be raised by supporters of the Sleep Act that it will prevent attacks, Sunday with Lubach showed that. However, other countries have already shown that targeted operations are much more effective. Opponents of the Sleep Act agree that the current law is in need of renewal, but also demand that it be amended and improved in crucial respects.
U. Exchange of data
As described under 'Foreign', the data of innocent citizens and journalists collected through the deployment of the dragnet can be shared unseen with foreign secret services.
Privacy and security are unfairly contrasted. In a free democratic society, privacy and security go hand in hand. A good Intelligence and Security Services Act can be drafted with good privacy safeguards, where the information of innocent citizens does not reach the intelligence services.
The law gives too many powers to intelligence and security agencies and too few privacy safeguards for citizens. After the referendum, the law should go back to the drawing board, be provided with decent safeguards and reviewed on the use of powers.
The intelligence and security services have the power to exploit unknown vulnerabilities (so-called zero-days) in software. These vulnerabilities are then known to the intelligence and security agencies, but not to the creators or manufacturers of the software. The intelligence and security services do not have to report this vulnerability to the software manufacturer. This allows any malicious parties to (long-term) abuse these vulnerabilities. It also creates a black market for trade in such vulnerabilities and data breaches.
This list is not exhaustive and can be continuously added to.