Various media, 12 July 2017: Organisations go to court in fight against wiretapping law

Despite widespread public criticism, the Senate this week agreed to the infamous revision of the Intelligence and Security Services Act. As previously reported by Privacy First announced will now follow a large-scale lawsuit to have various privacy-infringing parts of this law declared unlawful. Here are some of the news stories today:

"Back in March, several organisations announced they would file a lawsuit over the law if the Senate passed it. Among others, Privacy First and the Dutch Associations of Journalists and Criminal Lawyers are joining the case.

The coalition believes the interception law violates the European Convention on Human Rights and that a judge will therefore declare it invalid." (source: NU.co.uk)

"Twelve organisations are planning to go to court to stop the interception law. "We are confident that the Dutch judges will put on the brakes and say: this law goes too far," said human rights lawyer Jelle Klaas, who leads the coalition.

Last night, the Senate passed a law allowing the secret services to intercept the internet on a large scale. The data collected, such as emails, apps and websites visited, may be kept for three years, even if they are not relevant to the investigation. (...) The organisations want the court to stop the law because it infringes too much on the privacy of Dutch citizens.

The law is first submitted to the Dutch court. The latter may test the law against the European Convention on Human Rights. (...) The case may still go all the way to the European Court and may therefore take a long time." (source: RTL News)

"The law allows the secret services to intercept information on a much larger scale. There was little resistance from politicians, but in society there is a lot of criticism of the law. (...) "We find it a worrying proposal," said chairman of the Dutch Association of Criminal Defence Lawyers (NVSA) Jeroen Soeteman. "The new law violates European law, citizens' rights are violated as a result." Zoeteman stresses that the NVSA's move is special, "we do not interfere ourselves so easily in these kinds of cases." (source: NOS)

"The so-called interception law, which was approved by the Senate last night, seriously endangers the privacy of citizens. So says interest group Privacy First, which, together with 12 other privacy clubs, is preparing a lawsuit against the state. "The data and communications of very many innocent citizens will thus end up in the AIVD's dragnet."

The Interception Act, which comes into force on 1 January 2018, gives intelligence agencies wider access to information transmitted over cable and the internet, including mobile traffic, email and social media. The law should provide greater protection against terrorism and cyber attacks, among other things, but is disastrous for the privacy of innocent citizens, argues Vincent Böhre, director and lawyer of Privacy First.

Privacy First, together with the Dutch Association of Journalists, the Dutch Association of Criminal Lawyers and the Platform for the Protection of Civil Rights, among others, is preparing a lawsuit against the state. "We want to have the law partially set aside," said Böhre, who has quite a few objections to the new regulations.

'Every Dutchman becomes a BN'er with this wiretap law'

Among other things, the clubs want the AIVD's so-called 'dragnet power' to be scrapped. The service was already allowed to specifically hack a suspect, but now it is also allowed to monitor an area where a thought sits or his or her family. "You could call it a massive internet tap," says Böhre. "A large part of the internet is tapped, bringing the data and communications of a lot of innocent citizens into the AIVD's dragnet." (...) Furthermore, the limits of the tapping power are vague, Böhre believes. ,,The only rule mentioned in the law is that tapping must be as targeted as possible. This could mean all sorts of things. It could specifically involve a suspect, but also a large group of potential offenders, or anyone in contact with them. But in emergency situations, you could also tap the whole country. So as far as we are concerned, it is far too broad. Because of this bill, every Dutchman becomes a BN."

Exchange of data with allies

Böhre also points to the possibility of exchanging citizens' data with allies of the Netherlands. "Through this new law, it is possible that your data can be shared uncontrolled with America or with England or Australia. That chance is very high. And who knows what happens with it afterwards." Without prior review, Böhre stresses.

Forcing companies to decrypt data

The law gives the AIVD the power to force companies to decrypt data. "This could make systems like WhatsApp or your own e-mail as leaky as a basket," Böhre warns. ''If companies do not cooperate, they risk prison sentences of two years. Moreover, everything has to be kept secret. In short, most companies will cooperate and you as a citizen will never find out anything about it."

Three-year retention period

The three-year retention period is also one of the issues the interest clubs will challenge in the lawsuit. "That is far too long," says Böhre. "As far as we are concerned, the retention period goes completely off the table and only the data that is useful and necessary for an investigation is retained. The rest should then be destroyed immediately." He refers to European Court case law, which previously ruled that retaining telecom data for a year is too long. "And then the data of lots of innocent citizens are kept for three years? That's obviously not acceptable."

Access to databases

Under the new law, the AIVD will have access to government and corporate databases, provided a company agrees. "That too will be done in secret and without the consent of the new oversight committee," Böhre argues. "Then it remains to be seen what all the AIVD will have access to." (Source: Algemeen Dagblad)  

"The coalition against the law is led by PILP (Public Interest Litigation Project), the project through which the Dutch Lawyers Committee for Human Rights is exploring the possibility of strategic human rights litigation in the Netherlands. According to human rights lawyer Jelle Klaas of PILP, many parties have already joined. 'We started with 12, 13, but it is still growing.' Among them are tech companies, the Dutch Association of Journalists (NVJ) and privacy organisations Bits of Freedom and Privacy First.

Klaas is hopeful that the courts will put a stop to the so-called interception law, which is formally due to come into force on 1 January next year. 'The Senate has failed to guarantee our human rights, so it is now up to the courts. Privacy is also a human right.'

Economic damage

There have been protests against the law from various quarters for some time. The NVJ (Dutch Association of Journalists), for instance, fears erosion of source protection, according to secretary Thomas Bruning: 'That threatens to become an empty shell.' Privacy organisation Bits of Freedom calls it an 'indigestible result'. 'If we do not draw the line at large-scale collection of the online behaviour of large groups of unsuspicious people, where do we draw the line?' wonders David Korteweg of Bits of Freedom.

There has also been criticism from the business community. Alex Bik of business internet provider BIT says he is considering legal action. In the past, he already joined PILP in the case against the telecom retention obligation. 'I am not only afraid of violation of the privacy of innocent citizens, but also of the economic consequences,' said Bik. 'Right now, the Netherlands is still a very attractive place for internet services, but I can imagine that companies will say: we'll move our stuff somewhere else when this interception law arrives.' Bik emphasises that the law is, after all, about all possible types of internet traffic. Not just e-mail or telephone, but also communication via cloud services or games, for example.

Safety

Finally, there is a fundamental security problem, says Bik. 'The law also allows the services to hack into computers or phones. Not only of suspects, but also of people close to suspects. In doing so, they will use leaks that are not yet widely known. You only have to look at the WannaCry outbreak to see how dangerous that is.' WannaCry exploited software vulnerabilities in Windows that were initially known to the NSA, but not yet to Microsoft." (Source: Volkskrant)

"The most painful part of the law is the 'dragnet,'" says Vincent Böhre, director of Privacy First. Böhre denounces the idea that the AIVD and MIVD get access to information on a large number of citizens, in the search for data on suspects. (...) By law, the AIVD may monitor a neighbourhood, for example, if the organisation thinks a suspect lives in that neighbourhood. According to Böhre, this means that hundreds or even thousands of households could be targeted. 'In doing so, the state violates not only the right to privacy, but a whole range of civil rights such as the right to confidential communication, and the right to gather information.'

'Law fits better in military dictatorship'

Together with the Dutch Association of Journalists, the Dutch Association of Criminal Lawyers and the Civil Rights Protection Platform, Privacy First plans to file a case against the state. This will be done by 1 January 2018, when the law takes effect. It is possible that the organisations will even start a lawsuit earlier: through civil proceedings, the advocates want to suspend the entry into force of the law.

The new law gives the AIVD the power to tap the cable. This gives the security services access to internet data, phone calls and other data. 'In doing so, the state violates the right to a private life,' Böhre said. 'A democracy involves open government and secrecy of one's private life. Then decide to become a military dictatorship, I would say. That's where such laws fit in, not in a democracy.'

'State strikes out'

Incidentally, Böhre says he is not against introducing the [whole] law. 'We want to take the sharpest edges off this law. Get the law adapted.' For example, the security services should move away from mass surveillance, and apply targeted surveillance in terror investigations, for example. 'We propose surveillance on a more circumscribed scale. Surveillance should focus more on individuals, not whole groups.'

And the time-honoured argument that privacy should come before security? 'As far as we are concerned, security and privacy go hand in hand, and should also be in balance. Now the government is striking out, and the balance is totally off.' (source: Elsevier)

Listen below to a Interview with Privacy First and PILP (NJCM) about the lawsuit on Radio 1 (NOS Along the Line):

{mp3}Radio1_NOS_12juli2017{/mp3}

EenVandaag also covered the court case today, click HERE or watch the excerpt below.