The House of Representatives is scheduled to vote on amending the intelligence law on Tuesday. This would give intelligence services more room to intercept Internet traffic. “But we are not interested in the behavior of your Netflix neighbours,” says outgoing Minister Hugo de Jonge. However there are criticisms.
Kunnen de inlichtingendiensten straks jouw WhatsApp-berichten opslaan? En zien welke websites je bezoekt? Dit soort gegevens lopen via kabels die de diensten straks veel makkelijker kunnen aftappen. Volgens de huidige wet mag dat verzamelen van data alleen “zo gericht mogelijk”.
De Wet op de inlichtingen- en veiligheidsdiensten (Wiv) is er sinds 2018. Diensten moeten volgens die wet vooraf om toestemming vragen bij een toezichtscommissie (TIB) als ze informatie via een kabel willen onderscheppen.
Maar sindsdien klagen de diensten. Het toezicht is veel te streng, vinden ze. Daardoor zou Nederland zich minder goed kunnen wapenen tegen cyberaanvallen van bijvoorbeeld China, Noord-Korea, Rusland en Iran.
Vier jaar nadat de wet was ingegaan, had er nog steeds geen onderschepping op de kabels plaatsgevonden. “Dat is nog niet gebeurd omdat de toezichthouder een aanvraag van de MIVD of AIVD steeds afwijst”, zei toenmalig minister van Defensie Henk Kamp begin 2022 bij zijn aftreden tegen NRC.
Demissionair minister Hugo de Jonge (Binnenlandse Zaken) zei deze week ook dat de totale potentie van de wet niet genoeg wordt benut.
Wat verandert er met de wetsverruiming?
- Er is minder toetsing van toezichthouders vooraf op het werk van de AIVD en MIVD. Dat toezicht verschuift naar tijdens het werk en achteraf.
- Diensten mogen internetkabels aftappen en later onderzoeken of er iets interessants tussen zit. De gegevens mogen een half jaar worden bewaard, al mogen ze niet gebruikt worden voor het inlichtingenproces.
- Kunstmatige intelligentie krijgt een grotere rol in het analyseren van grote hoeveelheden gevoelige informatie.
Questions about citizens’ privacy
Debate in the House of Representatives last week showed that most parties are largely positive about the bill. SP and FVD do not support the law. They fear that the risk is too great that the privacy of citizens, for example, journalists and lawyers, will be violated.
Bert Hubert is also crucial. He worked at the AIVD and later became a supervisor at the TIB. Until he left there in 2022 because he did not agree with plans to expand the law. “Services are allowed to store large amounts of material and search through them using algorithms,” he says. “Then I get upset, yeah.”
But strict supervision remains in place, confirms Bart Jacobs, a professor of security at Radboud University. “Services don’t know in advance exactly what traffic will travel over which cables,” he says. He added, “For this reason, they will soon be allowed to obtain more information in the exploratory phase. But they are not allowed to use everything in the intelligence operation.”
Services must explain why they want to intercept data from the cable. “To monitor the Russians, for example,” Jacobs says. “But the regulator will test this. If it turns out that the services want to search Dutch people’s apps for this purpose, it will not be allowed.”
“What TIB loses, CTIVD gains.”
It is also not the case that there is no prior testing at all. The TIB continues its prior monitoring, but is now receiving further guidance on legal standards.
“This is what went wrong when setting up Wiv in 2017,” says Roen Janssen, a doctoral candidate and lecturer in privacy law at Radboud University. “A number of standards were not explained by the legislature, causing conflicts between services and supervisors.”
According to Janssen, there is now more supervision. “Whatever the TIB loses, the CTIVD gains. In this sense, there is compensation from supervision. This is a radical change, but for the better.”
Great doubts about the evaluation by CTIVD
CTIVD Supervisor will get more manpower for this work. But it’s hard to say whether that’s enough, Jacobs believes.
“CTIVD is very powerful and can stop work in a binding manner,” he says. But how this works in practice is still unclear. Jacobs says it doesn’t have to close now. “Let’s also give these people the space to do their work.”
Furthermore, there will be binding supervision by CTIVD on specific materials. Mandatory supervision concerns searching for hacks, technical risks of hacking, adding clicks (this relates to the so-called certification of servers when attackers move to another) and supervising the automated analysis of data or data being exploited in large quantities.
Hubert says most supervisions are not binding. He also argues that it is important to now determine how CTIVD should monitor services activities. “The regulatory body does not currently have sufficient secure office space, and there is a risk that it will not be able to accommodate the growing number of researchers.”
Even AIVD is not weatherproof
Intercepted information is stored on the Services’ secure servers. “We assume it’s safe there,” says Hubert. “And the AIVD itself was not hacked.”
Things can go wrong anywhere, he says. “More than a year ago, an employee stole 102 computers from the AIVD. There were no state secrets on them, but this indicates that things could get worse. In addition, we do not know what future laws will entail. Perhaps more data will suddenly be allowed to be stored.” “It’s just a better idea if there’s not so much data stored unnecessarily.”
Avid music fanatic. Communicator. Social media expert. Award-winning bacon scholar. Alcohol fan.