Discussion Prompt: The Dutch Temporary Cyber Act: Necessary measure or disproportionate expansion of power? See all contributions to this question.
What was meant as a repair law for Dutch intelligence and security services has turned into a prolonged, overcomplicated parliamentary process, coloured by institutional interests. The process lost touch with what this is all about: improving the effectiveness of the services and also of the oversight bodies.
Shortly after the Snowden revelations of 2013 the Dutch government proposed a new bill for its (two) intelligence and security services. This rather technical bill had been in preparation for some time, but it got broad public attention and became a topic of hot debate. Especially the new online data collection powers became controversial and were (narrowly) voted down in a national advisory referendum in March 2018. The government subsequently introduced additional safeguards, requiring for instance that online data collection should be “focused”. The result came into force in May 2018, under the name Wiv 2017. Translated into English: Intelligence and Security Services Act 2017.
This Wiv 2017 constructs intelligence oversight, via two independent bodies, abbreviated as TIB and CTIVD. The TIB operates ex ante and gives (quick) judgements about authorisations already granted by the responsible ministers. The TIB does not have investigation powers, but it can ask for clarifications; its judgements are binding. The CTIVD operates ex durante and ex post and has extensive investigative powers. It reports publicly via its reports (possibly with a confidential annex, for parliament), but its judgements are not binding (under Wiv 2017).
Now, after five years of Wiv 2017 one can see that having two separate oversight committees, with temporally separated tasks, creates its own institutional (and personal) dynamics. There is little communication and transfer between the two oversight bodies. Ideally, for a sensitive intelligence operation a fast ex ante check is followed by more intensive ex durante and ex post oversight, of the same operation, where the two oversight regimes strengthen each other. What we see in practice is that the two oversight bodies defend their own turf and try to make themselves as big and broad as possible. The fact that the TIB has binding judgements has been instrumental in its own self-aggrandisation, leading to micromanagement.
One of the main goals of the Wiv 2017 law was to provide clarity about the conditions and safeguards for access of intelligence and security agencies to online communication (via cables). It took almost five years before the TIB first approved such an access operation. Whatever you think about such online access, if it takes so many years to get agreement between the intelligence and security services and the TIB, the law is not functioning.
During the past five years two independent evaluation and audit committees have concluded that the law is too restrictive, that oversight is too heavy handed, and that this has serious negative operational effects, especially in the digital domain. The two intelligence directors themselves have warned that national security is jeopardised. These signals set a process in motion towards a temporary “repair” law that is currently debated in parliament in the Netherlands.
An essential point of this repair law is that ex ante oversight is reduced, but ex durante and ex post oversight is strengthened. Under the new law the CTIVD gets binding power in the same areas where it existed for the TIB. The public discussion about this new law is distorted by institutional interests and pettiness: the TIB makes dramatic claims that it can no longer fulfil its essential role as protector of the democratic order, so that fundamental human rights are at stake. The compensation via the shift of oversight to the CTIVD is often missing in the debate. The CTIVD, as institutional winner, remains silent in these discussions. Somewhat remarkable, the intelligence and security services also remain silent and do not point out that it is their legal task to protect national security and the democratic order, and not the task of the oversight organisations. The frame sticks that they are enemies of the state, and of the population.
Underlying all this is a fundamental point about the proper organisation of intelligence oversight in the digital domain. The unpredictable character of that domain makes it difficult to predict what will be encountered and how risks should be kept under control. This justifies a shift in oversight, away from ex ante micromanagement, towards robust ex durante and ex post oversight. For members of parliament the topic of intelligence regulation is difficult, because the Wiv 2017 is highly complex and so little is publicly known about the operational practice. There is a reflex to compensate this parliamentary unease with extensive regulation and not to trust professionals in the field, both in intelligence and in oversight. The emotional tone of the debate does not contribute to a sensible outcome, but results in an increasingly complex and inflexible set of rules – benefitting no-one.