The Dutch intelligence services AIVD (General Intelligence and Security Service) and MIVD (Military Intelligence and Security Service) want to expand their powers with a "secret bill." Among other things, the services want more room for large-scale Internet surveillance. This reports the Volkskrant, which has seen part of the bill.
The draft proposal shows some changes that the Cabinet wants to make. Among them is talk of automated data analysis (GDA) without oversight committee review. GDA is "the automated search in bulk data for patterns and links between networks, phones and computers." It constitutes a "serious invasion of privacy," according to the Volkskrant. Now, intelligence agencies must specify in advance what data they want to process and why it is "as targeted as possible. In the draft law, the cabinet proposes to abandon this and allow broader searches.
The change in the law would also allow cable interception (the large-scale tapping of Internet traffic) for target discovery. The AIVD and MIVD would then be able to intercept and search Internet traffic on a large scale in the event of a suspected digital threat without a specific target. This would then take place outside the review committee.
In addition, the draft proposal would state that intelligence services may hack Dutch victims without prior review if they are part of a digital attack network. Earlier this month, the MIVD discovered that dozens of routers belonging to Dutch individuals and companies had been hacked by Russian state hackers. In such a case, the AIVD and MIVD would be allowed to hack those devices.
Finally, the Volkskrant reports that intelligence agencies will have the ability to "credit" devices. In a situation where a target changes devices - or a hacking group changes servers - the services will not have to ask for permission again. This still needs to be done now. However, services do still have to ask permission if they "suddenly end up with a totally different device."
The war in Ukraine seems to be a cue for intelligence agencies to indicate the need for broader powers. On the talk show Op1, MIVD director Jan Swillens seized on the discovery of a Russian digital attack network to call for a change in the law. "We cannot sufficiently guarantee the digital security of the Netherlands at the moment," Swillens said, among other things.
The intelligence services AIVD and MIVD have reportedly been dissatisfied with the 2017 intelligence law for some time. They would not be able to act quickly enough when faced with digital threats. This is partly due to the prior test by supervisory committee TIB, and the mandatory mapping of risks in hacking operations, writes the Volkskrant. Also, cable interception is hardly used, while the systems have cost a lot of money.
However, dissenting voices can also be heard. Security expert Matthijs Koot, among others, believes that "allowing bulk processing in the context of national security poses a real risk to the protection of democracy and the rights of individuals communicating in or through the Netherlands." For example, he calls the collection of private chats "a major invasion of the privacy of those involved, especially if they are not the subject of investigation."
According to the Volkskrant , a broadening of powers for intelligence agencies may be in violation of European law. Recently, the Cabinet sought legal advice on amending the Intelligence Act. That advice was sent to the House of Representatives last week. In it, the authors argue precisely for strengthening the Toetsingscommissie Inzet Bevoegdheden (TIB).
According to the report, "the development of case law shows that today the ECtHR sets stricter requirements for the establishment of a system of supervision of intelligence and security services." The opinion also states that the processing of data "should be subject to prior authorization." Thus, the plans of the draft proposal go against this opinion.
It is not yet clear when the bill will go to the House of Representatives.
