Privacy First comments on new Intelligence and Security Services Act
On 8 February, the Lower House will debate with Minister Plasterk (Home Affairs) a bill that threatens to breach the privacy of everyone in the Netherlands: the new Intelligence and Security Services Act. In that context, Privacy First Foundation today sent a critical letter to the Lower House with our comments on the current bill. Below is the full text of our letter:
Next week, you will debate with the Minister of the Interior a bill that is, in our view, highly totalitarian: the new Intelligence and Security Services Act (Wiv). Without any acute urgency, this bill is currently being pushed through parliament under high pressure.
Numerous objections from authoritative advisory bodies such as the Council of State, the Personal Data Authority, the Intelligence and Security Services Regulatory Commission (CTIVD), the Human Rights Board, the Council for the Judiciary and even the Continental Council of Europe have so far been ignored in the process. Warnings from science and industry are structurally ignored. Although your Chamber recently organised a 'hearing' around the bill, opponents of the bill were not welcome. Privacy First therefore considers the parliamentary handling of this bill to date insufficiently critical.
We will therefore restate for you below our most fundamental objections to this bill and make crucial recommendations.
Dragnet power and retention period
Under the current bill, AIVD and MIVD are given the power to conduct large-scale tapping of the internet and mass monitoring, and to store the gathered data for years for possible later use or international exchange: in other words, a digital dragnet with unforeseeable dimensions, purposes, consequences and side effects. In civil service jargon, this power is called "Investigation-Oriented Interception" (OOG). The Personal Data Authority rightly called this "the euphemism of the year". After all, this power will become the "all-seeing eye" of the Dutch central government. This has no place in a democratic constitutional state.
The social necessity of this power, required under international law (Art. 8 ECHR), has so far not been proven. For this reason alone, Privacy First considers its introduction unlawful. Moreover, by all standards, this power is completely disproportionate and not in line with the requirement of subsidiarity (i.e. mandatory use of the lightest, most privacy-friendly means to achieve a legitimate aim).
Furthermore, such a power has not been demonstrably effective (let alone efficient) to date and may actually be counter-productive because of the huge overload of irrelevant data. Targeted and temporary surveillance of relevant individuals and groups could and should therefore suffice, leaving the rest of society alone. Such surveillance should always be as targeted as possible and accompanied by strict, concrete safeguards against abuse that are provided for by law. Such safeguards are almost entirely lacking in the current bill. This bill should therefore be rejected.
Illegal retention period
Recently, the European Court of Justice ruled that governments are never entitled to collect and store data of innocent citizens en masse for possible later use in the security domain. The Court also based its ruling on Article 8 ECHR (the right to privacy). The storage period of 3 years in the current bill is therefore legally untenable and should be removed from the bill immediately. Failing this, Privacy First expects this storage period (as well as the mass tapping power itself) to be declared unlawful by the European Court of Human Rights.
International exchange of bulk data
Privacy First hereby reiterates its fundamental objection to international exchange of unevaluated bulk data. Such exchange crosses all legal, ethical and moral boundaries, at least where it involves the data of an innocent civilian population. Privacy First therefore expects that this power will not stand up in an international or European court and hereby urges that it be removed or thoroughly curtailed and provided with additional safeguards, including a binding prior legality test on a case-by-case basis.
The Hague Court will soon rule on the issue of international exchange between secret services in the lawsuit Citizens vs Plasterk, brought by Privacy First et al. against the Dutch State. Privacy First et al. have also intervened as third parties in the similar UK case of Big Brother Watch v the UK at the European Court of Human Rights. Privacy First awaits the rulings of both courts with confidence.
The powers to request and use data are virtually unlimited in the current bill. To this end, the proposal even allows direct, automatic access to the databases of the entire public and private sector (government and industry). It will also be possible to request complete databases from all these third parties. All this is for the purpose of covert linking, data mining and profiling, with which an extremely detailed (even predictive) picture of groups and individuals can be created in real time. Privacy First hereby urges your Chamber to remove or thoroughly curtail these powers and provide them with legal safeguards against abuse, including binding prior lawfulness oversight.
Hacking powers and decryption order
"Services should work in the most targeted way possible and not use decryption to undermine the digital security of large groups of users," the minister rightly wrote in the note accompanying the bill. However, Privacy First deems the power to hack into systems of innocent third parties (citizens and businesses) in order to reach a target too far-reaching. For this reason, such a power in the domain of police and justice has already been removed from the Computer Crime Bill III. It is hard to see why this power should nevertheless fall to the AIVD and MIVD. Privacy First considers the current (already existing) power to hack into systems and communications of individual targets adequate.
Companies have the right to set up their systems so that a decryption order cannot be complied with because doing so is technically impossible, e.g. due to lack of keys. In less democratic times and regions, this right for companies can also turn into a social duty, for example to avoid becoming complicit, as a company, in unlawful investigation and prosecution. Moreover, in Privacy First's view, systems should be developed in such a way that hacking is virtually impossible and the damage from any hack will always be as limited as possible. After all, privacy by design requires not merely the best encryption but also the best compartmentalisation. The above is partly to clarify recent unsubtle coverage of Privacy First's position by De Telegraaf.
Privacy First hereby reiterates its concern that the unregulated power for officers to commit crimes is left untouched. In the current Wiv from 2002, there is the possibility of further standardisation through a General Administrative Order (AMvB). The Dessens Commission recommended introducing such an AMvB, but the government is making this impossible by removing the basis for the AMvB from the law. With an uncertain political future ahead, this is extremely undesirable and dangerous for the Dutch population.
Under the current bill, the notification requirement remains only for individual citizens and not (also) for organisations that may equally have been targets. In response to earlier criticism of this by Privacy First, the Minister states the following in the explanatory memorandum to the bill: "The notification obligation fulfils a role in the context of providing legal protection to citizens against infringements of some fundamental rights specifically belonging to them. The introduction of the notification obligation that also applies to organisations is therefore (...) not envisaged." This is blatant nonsense. Indeed, the right to privacy and (in particular) the right to confidential communication also apply to legal persons and organisations as such (including foundations, associations and companies), especially in the context of this bill.
In the current bill, lawyers and journalists (rightly) get extra protection through prior review by the court in The Hague when special powers are used against them. Privacy First recommends extending this judicial protection to all groups of persons entitled to privilege, including doctors, civil-law notaries and clergy. Additional safeguards for journalistic source protection should also be provided.
In line with our earlier opinion, Privacy First is in principle positive about the new binding prior lawfulness review in the exercise of powers by the AIVD and MIVD. However, Privacy First hereby reiterates that such prior review should apply to the exercise of all special powers by the services. Moreover, all prior, ongoing and subsequent supervision should be thorough and complete; under no circumstances should there be superficial rubber-stamping or oversight gaps. In addition, Privacy First is positive about the introduction of a binding right of complaint for citizens and organisations, either with the national Ombudsman or with the CTIVD, with Privacy First preferring the state-law positioning of the complaints institute as a High Council of State as this strengthens and perpetuates its independence. In line with the CTIVD, Privacy First would like to see confirmation that this right to complain can also be exercised by relevant civil society organisations in the public interest (general interest action) and/or on behalf of a specific group of persons (group action), even if an individual right to complain is open to those persons. This is already standing practice with the national Ombudsman and promotes the effectiveness and efficiency of the complaints procedure. Also, Privacy First would like to see explicit confirmation that this new, quasi-judicial procedure will not lead to inadmissibility of individuals and organisations on similar legal questions in relevant proceedings before the judiciary.
Privacy First again recommends that the bill should still include a provision for active disclosure of (historical) documents of the services. The practice of "declassification and transparency" in other countries (including previously the United States) can be a source of inspiration in this regard.
Peaceful use of cyberspace
In the recent note to the bill, the Minister writes that "for Defence, cyberspace has become the fifth domain for military action (alongside land, sea, air and space)." Privacy First would like to remind you here that space is not a military domain in the legal sense; after all, the international law of peaceful use of outer space applies there. In our view, a similar international regime of peaceful use should apply in cyberspace. As the 'international legal capital', The Hague could make an excellent case for this.
Bill should be declared controversial
A bill with such a (potential) impact on our society should be well thought-out and contain the best possible safeguards against unforeseen use and future abuse. This is not the case with the current bill. Privacy First therefore advises you to improve or reject this bill, or to declare the entire bill controversial and, if desired, to still deal with it thoroughly and critically during a subsequent government term. Failing this, Privacy First reserves the right to have the current bill, once in force, reviewed by the courts and declared unlawful.
For further information or questions regarding the above, Privacy First can be reached at any time on telephone number 020-8100279 or by email: email@example.com.
Privacy First Foundation
 See ECJ 21 December 2016, Joined Cases C-203/15 & C-698/15 (Tele2 Sverige et al.), ECLI:EU:C:2016:970.
 Note following the report, Parliamentary Papers II 2016-2017, 34588, no. 18, p. 66.
 See http://www.telegraaf.nl/binnenland/27260664/__Privacywaakhond_vindt_dat_kraken_WhatsApp_mag__.html (18 December 2016).
 Explanatory memorandum to the Intelligence and Security Services Act, Parliamentary Papers II 2016-2017, 34588, no. 3, pp. 241-242.
 See CTIVD, Views on the bill for a new intelligence and security services act dated 9 November 2016, Annex II (Quality improvements), p. 6.
 Note following the report, Parliamentary Papers II 2016-2017, 34588, no. 18, p. 11.