A new report by Dutch oversight body CTIVD shows that the Dutch secret services regularly violate the law when sharing intelligence with foreign services. For the sake of privacy and freedom of communication, it is crucial that data sharing safeguards are both tightened and more strictly enforced.

A new report issued by the Dutch intelligence oversight body CTIVD has revealed that the Dutch secret services do not necessarily act in accordance with the law when it comes to sharing (sometimes sensitive) information with the intelligence agencies of other countries. Ten instances were found in which the Dutch secret services had illegally provided unevaluated data to foreign services, disregarding what is already a fairly weak legal regime for information sharing. The services’ casual attitude towards existing legal frameworks and their reluctance to be more meaningfully regulated may set a dangerous precedent for the relationship between intelligence agencies and democratic oversight in the Netherlands.

Our secret services routinely exchange data with foreign secret services. Bits of Freedom argues that the services should always know what they are exchanging, because they are tasked with protecting us and part of that task includes not giving away risky information about us. Sadly, services’ internal guidelines to that effect are missing, while legal provisions are insufficient and often ignored. In this article, I will try to explain the problem at hand in greater detail and discuss the need for a robust solution.

A lack of internal policy

The Dutch secret services’ internal policy for sharing data with other services is porous and vague. It does not distinguish between different legal bases, the assessments against the requirements of necessity, propriety, and due care are missing, and two legal bases lack additional requirements entirely. It further does not stipulate that weighting notes, which assess the trustworthiness of any cooperating agency, need to be taken into account when deciding whether to share information. Furthermore, filtering data for Dutch characteristics or communication from lawyers or journalists remains an exception despite the fact that such highly sensitive communication enjoys additional protections. There are also no standard procedures as to whether foreign services are allowed to use the information provided[1] (or that they must act in accordance with international law if they do so) or pass it on.

Non-compliance with already limited legal provisions

Aside from services’ internal policy, or lack thereof, the law provides a rough framework for the sharing of (unevaluated) data. Unevaluated data, or raw data, are data which have not been processed, filtered, or analysed based on their nature or content by the services in any form. Under the current regulation, whenever the services wish to share unevaluated data, they must obtain permission from the responsible minister. This permission is subject to a set of circumstances.[2] According to the CTIVD, however, the services not only do not pay sufficient attention to these circumstances, they are also given the leeway to do so.

Sometimes, the services even have their very own ideas about sharing unevaluated data, deeming an internal assessment of whether the information they seek to share is relevant to the receiving body a sufficient benchmark. Not only is an assessment of potential relevance significantly more abstract than the criterion of evaluation, it is also simply not how the law works, and the CTIVD therefore objects to this line of reasoning.

Additional instances in which the clearance protocol for unevaluated data has been violated include: classified data incorrectly labelled as evaluated; data incorrectly added to an existing permission without obtaining separate consent; and missing reference to the weighting notes that would have classified the other service as a risk. If the services want to share unevaluated data with a service that is known to be problematic, the risk, and what the services do to manage it, must be outlined in the permission request. Failure to provide this greatly undermines the functioning of the minister’s permission as a guarantee. After all, how can the minister properly consider a request if they are not informed of the risks involved?

Safeguards are wanting

An important stipulation when providing data to a foreign service is that that service may not pass on the data, also known as the third-party rule. Both secret services (MIVD and AIVD) structurally fail to set this condition, though it is required by law, when providing data to foreign services. The AIVD, for instance, neglected to do so three times over the last year despite the weighting note on the receiving foreign service indicating risks that would have indeed required it.

According to the CTIVD, the agreements with other countries on which the services currently base their data sharing practices are also not satisfactory. Some are still from the 1960s or do not relate to the relevant data dispensation, others are still in draft form, or exist only with one country while the data is shared with several. Moreover, during their inquiry the CTIVD was unable to find the agreements and the services were unable to state where they were recorded.

Oversight is hindered

To make oversight possible, the services have a duty to record what they do, including what information is given to foreign services. Because records are kept at different levels, however, there is no comprehensive overview of the data shared with foreign services. Furthermore, the services are neglecting their reporting duties. Every time the secret services provide unevaluated data to foreign services, they must inform the CTIVD accordingly. They failed to do so eight times in eight months (!), alas.

How to address the problem

Bits of Freedom is deeply concerned about the provision of unevaluated data to foreign services. We find it irresponsible that our secret services are allowed to collect data in bulk, and share it with foreign services without first having a good look at it. Against that backdrop, the CTIVD report has raised a whole range of important questions around the services’ due diligence in risk assessment and their regard for ministerial permission protocol, civil liberties protection, and oversight.

The upcoming implementation of the dragnet, which will allow for the untargeted, systematic, and large-scale interception and analysis of citizens’ online communication, likely means that even more unevaluated data will be shared with foreign countries. Bits of Freedom thinks it is absurd that secret services are allowed to do so. How can our rights be guaranteed when the services share information (also about us) without even knowing what it is exactly that they are sharing? The House of Representatives will soon discuss proposed amendments to the Dragnet Act and while the dragnet itself seems inevitable, parliament should at least take into account the following points to defend privacy and freedom of communication:

  1. The services should be obligated to show that the sharing of unevaluated data is accompanied by ensuring minimal risk for civilians and organizations, following a ‘least-intrusive-means’ doctrine for data sharing, as it were.

  2. The sharing of unevaluated data should be taken more seriously. As is the case with the services’ other special powers, the ‘Assessment Committee for the Deployment of Powers’ (TIB) should review the request of the services and the approval of the minister before the sharing of data is ultimately cleared.

  3. The services have shown that they do not always comply with the law. As a result, the CTIVD, as the body tasked with reviewing the lawfulness of the services’ activities, should be given more power. When the services violate the law they should be stopped immediately by the CTIVD. Maybe that will inspire the services to settle their affairs.

[A special thank-you to Alex Leering and Celeste Vervoort for the translation of two articles (1, 2) from the original Dutch, which served as the basis for this article.]

[1] Often, material is shared with ‘originator control’ limitations, which means foreign agencies aren’t permitted to act on the basis of intelligence without originator source approval.

[2] If data is shared within an existing cooperation (based on Article 88 of the Intelligence & Security Services Act of 2017), the permission request should include to what extent the sharing fits within the limits of the cooperation. These limits are based on the weighting notes, which entail a risk assessment of foreign services. In case a cooperation is not suitable for the sharing of unevaluated information, the services need to argue why they think there is an operational interest that outweighs these risks and how they intend to minimise them. The sharing of information should not conflict with the services’ task performance, nor should the interests of the foreign service be incompatible with those of the Dutch services. The services can share information outside of a cooperation if doing so is deemed particularly important or urgent (Article 64) or intended for the purposes of their own task performance (Article 62). In all cases, the sharing of information needs to be necessary, appropriate, and subject to the services’ duty of care.