Discussion Prompt: The Dutch Temporary Cyber Act: Necessary measure or disproportionate expansion of power?
The Dutch government wants to automatically and administratively gain permission to target victims of hackers.
The Dutch government is proposing adding a lex specialis to its existing intelligence and security services act. This addition significantly changes the scope of many powers and also extends who they can be applied to.
A draft of an English summary of this proposed law can be found here. A far longer summary in Dutch is here.
On this page I’d like to go over just one specific element of this new law: automatic extension of warrants to hacking victims (‘non-targets’). Under the new law, the criteria for targeting non-targets actually become more lenient than for targeting actual targets. I would also hope to hear from experts on what the ECtHR might imply for this automatic extension and the newly proposed oversight. At the very end of this article you will find the original text of the articles, and my best stab at a translation.
Current situation
The Dutch law (‘Wet op de inlichtingen- en veiligheidsdiensten 2017’) has articles on special powers like targeted interception, bulk interception and hacking. In addition, there is a list of interests the services have to protect, and a list of intelligence they should be gathering. Crucially, the powers and the interests are not tied to each other directly.
This means that the law makes it possible to perform targeted operations on organizations or people that are not themselves targets. One of the two oversight bodies (CTIVD, ex-post) wrote in 2017 that such ‘non-target’ activities have to meet an elevated standard.
Translated, this states (in two places):
“When hacking non-targets, a heightened proportionality test applies: there must be compelling operational interests that outweigh the importance of protecting fundamental rights and the interests of the non-target.”
“The use of special powers against a non-target is a serious measure that must be used very sparingly. An elevated proportionality test must be met. In order for the use to be proportional, the services must demonstrate that the interest in infringing upon the privacy of the non-target is so great that this infringement is justified. The privacy of the non-target is given extra weight, because as mentioned, the target does not itself provide a reason for investigation by the services. She or he is only a means to the actual target. To maintain balances, the interest that the services have in using special measures against the non-target must be greater than usual. If this is not the case, the scales are not balanced, and the application is not proportional and therefore not lawful. Situations where there are one or more concrete indications of a direct threat to national security can be considered as compelling operational interests.”
Currently, the independent ex-ante regulator (TIB) reviews the lawfulness of hacking and interception requests/warrants. The conclusion of this review is binding. This mode of operation corresponds to the ECHR/ECtHR standard for independent authorization (Convention 108+ Article 11(3)).
New situation: automatic extension
In the new situation, hacking, targeted interception and data access operations get an automatic extension beyond the actual target of the warrant. If a warrant is requested to intercept the communications of a specific hacking organization, the warrant now also extends to victims of this hacking group. Or, more concretely, if your computer gets hacked by group X and there was a warrant to intercept the traffic of group X, the Dutch services now gain automatic approval to also intercept your communications or hack you.
In the law, it is worded that any automated works ‘taken into use’ by the originally targeted organization are also automatically in scope of the warrant.
Enlarging the warrant in this way is an administrative addition which involves no further approval process, neither internal nor external. This is in contrast to the original warrant, which had to pass internal review, the head of service and the minister.
The ex-post regulator (CTIVD), however, does get notified of such an administrative addition. The CTIVD can optionally launch an investigation to determine whether it agrees with this addition. If it disagrees, it can inform the minister and the Dutch parliament, and demand that the operation be halted. The services can also appeal this demand with one of the many Dutch supreme courts, and this court (the Council of State) can stay the order if so requested. This is a complicated procedure which is very different from ex-ante authorization.
Some initial analysis
There is a tension in these new powers. A warrant on ‘organization X’ may now administratively also be enlarged to target internet subscriptions or devices from entirely unrelated people. This creates the fiction that organization X now extends to random other people.
In addition, whereas previously there was an elevated standard for applying powers to non-targets, there is now actually a vastly reduced standard compared to actual targets. The ex-ante regulator TIB will need to be convinced that it is proportional to target organization X. However, any non-targets now no longer benefit from an elevated standard. The non-targets in fact benefit from no standards at all anymore.
It appears that Dutch legislators are laboring under the assumption that they can apply powers to the non-target, but are actually targeting organization X alone. The warrants, however, directly impact all communications or the entire device, and not just the parts used by organization X.
Implications for Article 8 ECHR
I would be very interested in hearing thoughts from experts on how Article 8 ECHR bears on all this. Specifically, is the administrative addition of non-targets, with only the possibility of a binding but very heavy-handed review afterwards, in line with recent jurisprudence? And perhaps this might differ for the three specific powers: targeted interception, hacking and requesting a copy of all stored customer data. This last article can be used to retrieve the contents from any servers or computers.
Original text
Dutch laws come with a large ‘explanatory memorandum’, which while not actually part of the law, is taken very seriously by courts, to the point that any understanding of the law must involve reading this memorandum. The memorandum can significantly alter the interpretation of a law.
Article 5, sixth member:
“In aanvulling op het bepaalde in artikel 45, achtste lid, van de Wiv 2017, omvat de verleende toestemming tevens de bevoegdheid om, voor de duur van de verleende toestemming, binnen te dringen in een ander geautomatiseerd werk dat door de desbetreffende persoon of organisatie in gebruik is voor zover dat in de plaats treedt van of een aanvulling is op het geautomatiseerde werk waar oorspronkelijk de toestemming voor is verleend”
Or:
“In addition to article 45, eighth member of the Wiv 2017, the permission granted also contains authorization, during the validity of the warrant, to also enter automated works of the person or organization targeted by the warrant, in so far as this new automated work is in addition to or a replacement of an automated work the original authorization applied to.”
An ‘automated work’ in this specific Dutch law has an extremely broad interpretation and includes such things as phones, computers, servers, websites, databases and mailboxes.