Discussion Prompt: The Dutch Temporary Cyber Act: Necessary measure or disproportionate expansion of power? See all contributions to this question.
Dutch intelligence regulation is getting more and more complicated, with three different bills all impacting and cross-referencing each other. Sufficient and accurate information about scale and impact of newly proposed surveillance powers is withheld.
In order to understand what is happening in the latest intelligence regulation reform in the Netherlands, it is important to take a step back and consider the trajectory of previous reforms.
Just about 5 years ago the law regulating the intelligence and security agencies was reformed. This law did not have an easy landing in Dutch public opinion, as the negative vote of the Dutch citizens in a nationally organised referendum shows. The biggest concerns were newly introduced bulk capabilities that grant the agencies access to large amounts of citizen-data. Because the referendum was non-binding, the law is still valid, but some safeguards were implemented to address these concerns: For example, the “as-targeted-as-possible-criterion” was added to the general provisions on how the services have to deal with collected data. And the ex ante authorisation committee Toetsingscommissie Inzet Bevoegdheden (TIB), that has to give prior approval to apply special capabilities was introduced.
Now, we are looking at a Temporary Act which removes exactly these safeguards and proposes the untargeted cable interception capability citizens feared.
Obfuscation by design: a policy maze is being built
It’s always hard to discuss what capabilities the intelligence agencies need, as their work is secret. But, exactly because of this, clarity and foreseeability of Acts regulating their work is very important for democratic control. It is not for nothing the ECtHR, amongst others, takes it into account in their quality of law test.
The legislative scrutiny process of these new rules fall below the standards. First of all, the Act contains radical system changes (e.g. it introduces a whole new instance of higher appeal) while being a Temporary Act. This temporary construction allows for framing that diminishes the impact of the Act. So it has been called an “experimental Act” as it is “just temporary”. As well as for claims about his high urgency: “we cannot wait for the structural reform to take these measures.” Second, the bill started out in a speed-procedure, hurrying advisory institutions and leaving less time for critical legislative scrutiny. A status that silently left the stage now the proposal is already 1.5 years old and the urgency-claim is no longer valid. Third, this Temporary Act is written during a process of structural reform of the current Intelligence and Security Services Act and directly after making this bill public, an amendment to it was announced. This results in three bills with intelligence regulation reforms with different scopes and measures, while all three bills cross-reference and impact each other.
This policy maze leaves policymakers in a position of having to assess the impact of proposed measures in an incomplete Act. This presupposes that they are able to disentangle the mighty labyrinth of cross-references and additional provisions to these individual bills.
Obstruction of information
A second factor complicating the impact assessment of the proposed capabilities is the lack of provided information about the scale of data access. Before, commitments were made about this in the legislative scrutiny process of the current Act, addressing mass surveillance concerns of citizens. However, these did not appear to be in line with the practice and accurate information about scale has not been given. Apart from the statement that the proposed capability for cable interception is “inherently untargeted”. But it goes even further. The TIB, who tried to provide some information on this point in their yearly report, was withheld from publishing this information by the minister, under threat of 15 years of prison time for revealing state secrets. This resulted in a redacted report and unanswered questions of politicians at a parliamentary briefing.
The proposed expansion of surveillance power
So, what are we talking about in terms of content? Again, the concerns are mainly regarding access to large amounts of citizen data.
Based on this Act, the intelligence agencies can intercept practically everything with the goal to determine to which data flows a request for the existing capability of cable interception should relate to. The criterion to intercept “as-targeted-as-possible” is declared inapplicable. The intercepted data can be stored for six months. It cannot be used for intelligence purposes, but can be shared with foreign services (for technical analysis).
Another way the agencies can get access to large amounts of citizen data is by extension of authorisations. In the current Act a stricter proportionality test applies when the agencies want to deploy the hacking capability on devices/infrastructure used by/belonging to non-targets. In the proposal the given authorisation to deploy the hacking capability on a specific device (for example belonging to a target) can be extended to all devices/infrastructure in use by that target (NB: This use is non-exclusive, meaning this can be applied to devices/infrastructure that are hacked by the target and still have legitimate users.). A proportionality test of this deployment only takes place if and when the authorisation is requested to be extended. This means that the agencies can get access to devices/infrastructure of non-targets without any external ex-ante authorisation. Which results in the curiosity that the target benefits from more protection than non-target users. These problems were addressed by Bits of Freedom in their contribution to the roundtable of experts, and formerly described by Bert Hubert in his contribution to this panel.
The breaking down of the ex ante authorisation committee
Another main concern regarding this proposal is that the role of the TIB is scaled-down. The proposal narrows-down the proportionality test performed by the authorisation committee regarding the aforementioned interception capability. Technical risks are excluded from their assessment regarding deployments of the hacking capability. The extension of the warrant to hack to non-target infrastructure only reaches their scrutiny in case of prolongation. And assessing the lawfulness of automated data analysis of data that is gathered with the current large scale cable interception capability would no longer be their task.
As ‘compensation’ the ex durante and ex post oversight committee CTIVD gets binding powers to stop the use of powers and/or order deletion of gathered data, over most of these capabilities. A one-sided higher appeal instance is introduced in which the minister can appeal to judgements of this oversight committee and get a second chance.
The crux lies in the power shift from the TIB to the CTIVD. This is presented as an equal shift from ex ante to ex durante and ex post that suits better to the ‘dynamic’ practice of cyber defence. But this presentation neglects the fact that ex ante oversight is important as well as best suited to prevent harm, damage and misuse. It might be in the operational interest to get a head start. But cutting off the non-operational perspective in the authorisation process takes away the protection of citizens and their rights against excessive surveillance. While the deployment of far-reaching capabilities might be in the operational interest, in a democratic rule of law this interest should always be weighed against others.
Conclusion
The Netherlands seems to be in a continuous reform of intelligence regulation, draining resources of civil society and fatiguing critical citizens. After citizens voiced their concerns about mass surveillance by their intelligence agencies in a referendum regarding the former reform, the newly proposed Temporary Cyberact takes it a step further. However, important information about the scale of the proposed surveillance measures are withheld from public debate as well as the legal scrutiny process, hampering an informed assessment of how infringing the proposal really is. Is obfuscation an effective strategy to push for mass surveillance powers?