Ministers Ollongren (Defense) and Bruins Slot (BZK) respond to the Intelligence and Security Services Regulatory Commission's investigation into the snapshot phase in the deployment of cable interception by the AIVD and MIVD. A similar letter with attachments was also sent to the Senate.
We hereby present Report No. 75 of the Intelligence and Security Services Regulatory Commission (CTIVD). The report concerns the snapshot phase in the deployment of cable interception by the AIVD and MIVD. The snapshot phase precedes the deployment of cable interception for investigative purposes (the so-called production phase). The CTIVD focused its investigation on the period from May 1, 2018 to March 31, 2021. We thank the CTIVD for its thorough investigation and report, which clearly describes the complex circumstances under which the services worked to operationalize cable interception. The investigation by the CTIVD and this report are very helpful for the services in setting up and continuing to perform cable interception responsibly. We therefore endorse the CTIVD's conclusions and adopt all its recommendations.
Cable interception is investigative assignment-based interception (OOG interception) on cable and involves bulk interception of communications, which means a certain degree of untargeted data collection. However, the interception must be related to one or more investigative tasks of the services. This specific special power was introduced in the Intelligence and Security Services Act 2017 (Wiv 2017) and is essential for recognizing hidden threats in the cyber domain, among others. Thanks to the experiences and insights gained, a clear picture of cable interception can now be provided much better than five years ago.
Snapshotting is a prerequisite for the most targeted deployment of cable interception and is defined in the report as making short integral recordings of the available data streams in order to determine the assumed intelligence value. The research period spans the phase from approaching a communications service provider to conducting these snapshots. This phase does not yet involve cable interception for intelligence purposes because the data obtained from the snapshots may not be used for substantive research. These recordings are examined only for the purpose of optimizing interception for the purpose of the intelligence process, or production.
The CTIVD concludes that the AIVD and the MIVD acted lawfully in important respects when establishing the access location (the location where the interception of the data stream physically takes place). For example, the services only requested legally permissible information with the duty to inform, and at the time of the technical operationalization of the access location there was a valid consent. The AIVD and MIVD fulfilled the targeting criterion in snapshotting. The services promptly destroyed the intercepted data and did not share it with foreign services. The CTIVD also concludes that in snapshotting the services had to pioneer technically and legally in a complex environment and therefore acted unlawfully in parts. Due to the complexity of this process, some technical, personnel and organizational measures were insufficiently implemented in the context of the statutory duty of care, which resulted in irregularities in the interception process. For example, the CTIVD concluded that special powers to support the operationalization of cable interception were deployed without permission, and work at the communications provider took place after the expiry of permission periods. Certain safeguards, such as logging and monitoring, were also inadequately observed, resulting in a very limited amount of data being accessible to the intelligence teams for a short period of time.
The interception and storage of communications inherently involves a violation of the fundamental rights of citizens. Regarding the extent of this infringement, the CTIVD concludes that during the investigation period communications were intercepted and stored by the services, that these data were searched and examined but that this was done almost exclusively from a technical perspective, with the aim of assessing the potential intelligence value of the intercepted data. The data were not used in intelligence products. Retention periods were observed by the services and data were destroyed after one year. Finally, only channels for which permission was obtained were intercepted and no data were shared with foreign intelligence and security agencies. This observation leads to the conclusion that there has been a violation of fundamental rights of citizens, but that this violation has been limited.
The CTIVD makes three recommendations, which we adopt and have for the most part already implemented. The first recommendation, which has already been implemented, concerns placing final responsibility for the entire interception chain of acquisition and (further) processing at a central and sufficiently high level, so that there is power of perseverance within both organizations. The second recommendation concerns the implementation of the legal duty of care by, among other things, setting up instruments for internal control and effective external supervision, including the availability of logging for compliance monitoring and adapting existing policy and work instructions to the emerging practice of snapshotting. Finally, the third recommendation concerns the recording in work instructions and policy of permission periods, methods of deployment and scope of the duty to provide information and the duty to cooperate. The departments, in consultation with the CTIVD, are in the process of implementing the second and third recommendations.
The AIVD and MIVD have already started improvement measures during the investigation, including the implementation of an improvement plan already drawn up. This improvement plan, which also partially addresses recommendation 2, serves to strengthen the internal control over data acquisition and data processing of both services. The plan was shared with the CTIVD in early November 2021. With these measures and by conducting chain tests, the services are doing the maximum to ensure that these and other illegalities are prevented as much as possible in the future. Concrete and important safeguards have also been put in place, for example by largely completing logging for compliance purposes, which will enable the services to maintain control over the processing of data and enable the CTIVD to carry out tighter supervision of cable interception, which will be implemented in phases over the coming period. A number of compliance requirements for the purpose of logging and monitoring cannot always be captured in system solutions; however, these will be resolved process-wise in consultation with the CTIVD. We believe it is important that the CTIVD can monitor in a manner appropriate to the dynamic application practice of cable interception. With this in mind, we have asked the CTIVD to inform us periodically of its findings.
Since the preparation of the CTIVD report, permission to deploy OOG interception has been obtained. This permission has since been deemed lawful by the TIB. In order to ensure a responsible method of application, we have asked the CTIVD to actively monitor the exercise of this authority.
Nature of OOG interception
Finally, in its report, for the purpose of amending the Wiv 2017, the CTIVD reflects on the nature of OOG interception and, in particular, cable interception. For example, the CTIVD indicates that particularly for the unprecedented threat, it is difficult to predict where relevant data are located. The CTIVD believes that in the case of cable interception, targeting should focus on the application of filters and less on the choice of channels. The CTIVD considers it important that, partly in the context of an amendment to the Wiv 2017, lessons should be learned from the knowledge and experience gained with cable interception. It concludes that past interpretations of, among other things, the targeting requirement for cable interception are at odds with the nature of the power, the means and the implementation in (technical) practice. In further debate, it should be explained more clearly than it has been to date that this power by definition involves the acquisition of data in bulk and has a high degree of non-targeting. The nature of the remedy and its intrusion should be named in the public debate and its necessity should be argued, the CTIVD said.
The CTIVD concludes that snapshotting should be provided with an explicit statutory basis. The CTIVD endorses the need for snapshotting and analysis of this data, as these activities contribute significantly to the targeting of interception for the purposes of the production phase. The CTIVD notes that in shaping the statutory basis, the targeting requirement should be applied in a manner that is consistent with the nature and purpose of snapshotting.
Mode of follow-up
In anticipation of an amendment to the Wiv 2017, the government is processing this conclusion of the CTIVD as follows. In a letter dated February 24, 2022 (34 588, no. 91), I already informed you that some bottlenecks in the cyber domain should already be addressed before completing the process of amending the Wiv 2017. Due to the increasing level of threats in the cyber domain, a temporary law is necessary to ensure the protection of our national security. After all, the Netherlands and Dutch interests are increasingly being attacked from various countries with offensive cyber programs in the cyber domain. Since late last year, work has therefore been underway on a proposal for a temporary law to enable the services to deploy existing powers more effectively in investigations targeting countries with an offensive cyber program against the Netherlands and Dutch interests. This is a separate law and not an amendment to the Wiv 2017. It will also include the snapshot issue identified by the CTIVD. Following on from the relevant motions1 by your House of Representatives, the TIB and the CTIVD will consider how the supervision of the use of powers to which the Act applies can be given shape in this bill, whereby supervision remains guaranteed. It is essential for the legitimacy of the services and confidence in their work that effective supervision is enshrined in legislation. Within the scope of this bill, a conclusive system of oversight is included, ex-ante, during and ex-post, appropriate to the dynamics of cyber operations. Naturally, the findings of the CTIVD in Report 75 will be included with the bill. In doing so, we will also address the concerns as named in the motion of Member Van der Staaij et al. adopted by your House of Representatives on February 28, 2022, requesting the government to come up with a proposal to amend the Intelligence and Security Services Act 2017 (Wiv 2017) as soon as possible.
View the Monitoring report on the deployment of cable interception by the AIVD and MIVD
