"Dutch lawmakers and lawyers say they are questioning the increasing use of unmanned aircraft by police to track criminals and locate marijuana plantations.
The drones have been used for at least 132 days in at least 40 areas since 2009, DutchNews.nl reported Monday.
The city of Harlingen borrowed two drones from the defense ministry in 2012 after a rash of burglaries.
"I understand they can be useful, but they need to have a basis in law," said parliamentarian Gerard Schouw after asking the defense ministry to explain the implications the drones may have on privacy.
"How closely can innocent citizens be filmed," he queried. "No one has a clue what they are filming."
Use of the drones is illegal under Dutch law and may violate European privacy laws, said attorney Vincent Bohre of the Privacy First Foundation.
Amsterdam city officials said earlier this year they had grounded their two drones because of technical problems."
Source: UPI.com (United Press International, USA), 18 March 2013.
"Son yıllarda Hollanda polisinin yasadışı faaliyetlerle mücadele konusunda daha fazla oranda insansız uçaklardan kullandığı belirtildi.
AD gazetesinin yer alan bir haberde, "drones" adı verilen insansız uçakların özellikle insan ve uyuşturucu ticareti veya yasadışı suç örgütlerinin araştırıldığı belirtildi. Son dönemlerde bu uçakalrın daha sık kullanıldığı belirtilen haberde 2009'dan bu yana en az 132 kez kullanıldığı belirtildi.
Altyapı ve Çevre Bakanlığı, Güvenlik ve Adalet Bakanlığı ve İçişleri Bakanlığı verilerine göre Hollanda üzerinde en az 40 noktada adı geçen uçakların uçtuğu ve son dönemlerde bu sayıda artma olduğu belirtiliyor.
Gizlilik Birincilik Vakfı (De stichting Privacy First), polis tarafından kullanılan bu uygulamanın, haber verilmeden yapıldığını bundan dolayı da yasadışı olduğunu belirtiyor.
Öte yandan D66 milletvekili Gerard Schouw'da Mecliste bu konu hakkında açıklama isteyeceğini belirtirken "bu tür kontroller yasal ve kontrol edilebilir şekilde olmalı. Şuanda hiç bir şey bilmiyoruz"dedi.
Polis geçtiğimiz yıl Aralık ve bu yıl Şubat ayında Savunma Bakanlığına ait olan Drones uçaklarını Harlingen'deki hırsızlık olaylarını çözmek için kulandığını belirtmişti."
Bron: SonHaber.nl, 18 March 2013
On 22 October 2012 our next networking drink around a topical issue will take place at the Privacy First office in the former building of de Volkskrant newspaper in Amsterdam. As a follow-up to the recent lecture by the Head of the Dutch General Intelligence and Security Service (AIVD) Rob Bertholee, we have invited Wil van Gemert to further expand on the theme of cyber security. Mr. Van Gemert is Director Cyber Security of the NCTV, the National Coordinator for Security and Counterterrorism and he will prepare a lecture at the interface of security and privacy in cyberspace. What exactly is cyber security and what are the current challenges and problems in this area? What role does the government fulfil with regard to developments in cyber security? And what is the best way to strike a balance between privacy and security? Investigative journalist Brenno de Winter will moderate the discussion. During the lecture there will be plenty of opportunity for questions and discussion with the audience. Afterwards we will go for a drink in café-restaurant Canvas where DJ Wong and DJ Broky B will take care of the music.
Date: Monday 22 October 2012, starting time 19.30h. The doors will be opened at 19.00h.
Location: Wibautstraat 150, 1091 GR Amsterdam. The lecture and discussion will be held at ground level (Big Room), afterwards the informal party will take place at the 7th floor (Canvas). An itinerary can be found here.
Update 6 November 2012: click HERE for our account of the night.
The Dutch Ministry of Justice wants to track all motorists. The Privacy First Foundation is preparing for legal action.
Under a new, far-reaching legislative proposal, the Dutch Minister of Security and Justice Ivo Opstelten aims to enhance criminal investigation by introducing a four week storage period of the number plates of all cars through camera surveillance and Automatic Number Plate Recognition (ANPR). Current rules dictate that these data have to be deleted within 24 hours. In 2010, the previous Dutch Minister of Justice (Hirsch Ballin) planned to make a similar proposal with a storage period of 10 days. However, the Dutch House of Representatives then declared this topic to be controversial. In his current proposal, Opstelten takes things a few steps further. Early 2010 the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, CBP) ruled that police forces were not adhering to Dutch privacy rules by storing number plates for a greater period than was legally allowed. According to the CBP, all number plates that are not suspect (so-called ‘no hits’) are to be removed from relevant databases immediately. Opstelten’s plan to store the number plates of unsuspected citizens for four weeks directly flies in the face of this.
The Privacy First Foundation considers Opstelten’s legislative proposal to be a threat to society. ‘‘Under this measure every citizen becomes a potential suspect. You ought to trust the government, but it’s that very government that distrusts its own citizens’’, Privacy First chairman Bas Filippini declares. In a healthy democratic constitutional State the government should leave innocent citizens alone. Under this legislative proposal the government crosses that fundamental line. Collectively monitoring all motorists for criminal investigation and prosecution purposes is completely disproportionate and therefore unlawful.
In case Dutch Parliament adopts this legislative proposal, Privacy First will summon the Netherlands and have the legislative Act in question declared null and void on account of being in violation with the right to privacy. If needed, Privacy First and individual co-plaintiffs will be prepared to litigate all the way up to the European Court of Human Rights in
The Privacy First Foundation regularly organises networking drinks combined with informational sessions for our volunteers, donors and experts from our network of journalists, scientists, jurists and people working in ICT. Since July 2011, these events are organised about every three months and take place at the Privacy First office in the former building of de Volkskrant newspaper in
A common goal: freedom in an open democratic society
The night starts with a short introduction by Privacy First chairman Bas Filippini. In Filippini’s view, Privacy First and the AIVD actually pursue the same objective, namely freedom in an open democratic society, albeit from different perspectives. Rob Bertholee affirms this and says that tonight, contrary to what some may think, he doesn't really consider himself to be in the lion’s den. After a long career in the army, Bertholee has been the Head of the AIVD for nine months now. One of his first impressions of the AIVD was one of a professional organisation with people who are driven by their ideals, he says. Both the AIVD and the MIVD (military intelligence) have to deal with risks and threats to national security and the democratic legal order, in other words, with threats to our way of life and the guarantees for our freedoms thereof. As a result of internationalisation and new technologies, threats and risks increase in number and have a greater impact and reach. An example is the internet that, apart from its positive aspects, has a downside to it as well.
Security is not a fundamental right
The AIVD has two main tasks: intelligence and security. Formally however, security is not a fundamental right, Bertholee rightly remarks. In its case-law, the European Court of Human Rights has indicated that States are obliged to take all reasonable measures against life-threatening situations, he says. Subsequently, the Council of Europe has endorsed this in its Guidelines on human rights and the fight against terrorism. Whereas Privacy First focuses on the protection of the individual, the AIVD concentrates on the protection of the community of individuals. In between there’s a trade-off: in order to protect the community, sometimes it is necessary to infringe the rights of the individual. Bertholee then mentions a couple of tasks of the AIVD which do not infringe the right to privacy. This is the case for 1) personal security assessment and 2) protective measures for individuals, organisations and companies, for example in relation to espionage. In these two cases the law dictates that the AIVD is, by law, not allowed to deploy special intelligence powers. It is exactly the deployment of such powers that infringes people's privacy.
An important part of the AIVD is the National Communications Security Agency (Nationaal Bureau voor Verbindingsbeveiliging, NBV) which supports the Dutch central government in securing special information. The NBV evaluates security products and plays a role in their development. It is this agency where, for example, USB flash drives for the government are tested on data leakages. Then there’s the political intelligence task of the AIVD abroad, "which, admittedly, intrudes upon people's privacy, but not here in this country". Finally, there’s the task of making threat analyses for certain individuals (for example politicians), organisations or events. One task of the AIVD through which privacy in the Netherlands is put at stake concerns the assessment of ‘threats to our national security, the continuation of democratic rule of law and other, important State interests". This assessment is carried out, first of all, through open sources (media, internet, etc.), but can (subsequently) proceed by shadowing, monitoring or eavesdropping of persons or by penetrating virtual or physical spaces. In this respect Bertholee emphasizes the high degree to which employees of the AIVD are aware of 'the spirit' of the Dutch Intelligence and Security Services Act 2002 (Wet op de inlichtingen- en veiligheidsdiensten, Wiv2002). "As a citizen I felt reasonably reassured from the moment I had an understanding of what the AIVD was actually doing and what it could and was allowed to do, and also by the way the government can continue to exercise control over a service like the AIVD," says Bertholee. "You don't have to believe me, but I just wanted to share this with you," he jokes. Then he’s resolute again in saying "our tasks and powers are all clearly defined by law."
In the field of counter-terrorism, at the moment most of the AIVD’s attention goes out to (potential) Jihadists and radical 'lone wolves' like Anders Breivik. Bertholee finds it worrisome that such lone wolves are hard to track down, even though relevant information is sometimes available, for example at healthcare institutions or the police. A difficult dilemma is, on the one hand, the question whether or not certain events could have been prevented by correlating information on national and international levels and, on the other, which risks society is willing to take in order to preserve people's privacy, Bertholee explains. However, he can well imagine that citizens worry about the correlation and international exchange of data and that this is bringing about a 'Big Brother' experience. As a citizen, Bertholee himself is worried about this too. Where is the right balance between protecting the individual and protecting the community? Every special power of the AIVD is anchored in the Wiv2002. The most simple special power is talking to people (Article 17 Wiv2002). For every single special power in the Wiv2002 the following requirements apply: 1) necessity, 2), proportionality and 3) subsidiarity. Therefore, special powers may only be deployed in case open sources (internet etc.) prove to be insufficient. The AIVD is to continually ask itself: is it strictly necessary? And are we very certain that there are no lighter measures at our disposal? The enforcement of those very powers is verifiable afterwards. Apart from opening letters (this falls under the Dutch Postal Act) there is no investigative magistrate involved. However, for the use of every special intelligence power the approval by the Minister of the Interior and Kingdom Relations or by the Head of the AIVD on behalf of the Minister is required. Moreover, every new employee of the AIVD gets a basic education through which he or she is being taught, among other things, about the Wiv2002. In this context, Bertholee relates an interesting anecdote: once in a while the AIVD invites a number of journalists, members of Parliament or jurists to discuss a case. It turns out that those not working for the AIVD are more inclined to allow the use of special powers than the AIVD employees themselves. As an answer to a question from the audience, Bertholee says that he himself gave an explanation about the Wiv2002 to Interior Minister Liesbeth Spies, just one and a half hours after she was sworn in by Queen Beatrix. "We have no rules of our own, we abide to what is written in the law," Bertholee says. He goes on telling about the process that sees the deployment of a special power: it starts with an employee who wants to use a special power for an AIVD investigation. The employee is to account for his request in writing and an AIVD operational lawyer looks into it. The request is then sent to a supervisor, after which it is forwarded to Bertholee. Finally, the request ends up at the desk of the Interior Minister. This happens case by case, always taking the prerequisites of the Wiv2002 into consideration. No form of pressure is allowed in the event the AIVD makes a request for information to citizens. The same goes for requesting information to journalists: it is entirely up to them to cooperate or not. "If a journalist is not willing to cooperate, then that’s a pity for the AIVD and that’s where things end", Bertholee explains. However, some (parts of) conversations are being registered in a memo since everything needs to be verifiable for the AIVD.
Bertholee tells about the way the AIVD is monitored by various bodies that each play their own role. First of all there’s the Dutch Parliamentary Commission for Intelligence and Security Services ('Commissie Stiekem') which consists of all the leaders of Parliamentary parties. Then there’s the (public) Parliamentary Commission for the Interior. The legality of the execution of tasks by the AIVD is scrutinised by the Dutch Review Committee on the Intelligence and Security Services (Commissie van Toezicht betreffende de Inlichtingen- en Veiligheidsdiensten, CTIVD); this is an independent supervisory body which consists mainly of legal experts. According to Bertholee, in recent years the CTIVD assessments on the AIVD have largely been positive. Furthermore, the Netherlands Court of Audit (Algemene Rekenkamer) examines the (secret) budget of the AIVD. Both the CTIVD as well as the Court of Audit have access to everything within the AIVD.
Revision of the Wiv2002
With regard to a possible revision of the Wiv2002, Bertholee remarks that the legal space currently offered is sufficient for the AIVD and that he doesn’t need more powers. However, he does think it is "particular" that the Wiv2002 is in some aspects related to the Dutch Postal Act and to the Telecom Act, which makes it necessary for the AIVD to get the permission of an investigative judge to open a letter, while that same permission is not required for intercepting or opening an email. Hence the legislation is technology-dependent and "something needs to be done about that", Bertholee states. Besides, the CTIVD has proposed to change the legislation with regard to SIGINT (Signals Intelligence). Furthermore, Parliament may evaluate the Wiv2002 in the near future. It seems there are two thorny issues at the moment: a possible ban on using journalists as informants and more control over the effectiveness of the AIVD. The difficult thing is that the effectiveness of an organisation like the AIVD is hard to measure; this is related to the nature of the work and the type of threats that are being averted. Bertholee: "I accept that life has certain risks. The question, however, is what society wants. How many casualties per year do you find acceptable?"
No Big Brother
Confronted with a question from the audience about new, predictive technologies and the effect that these can have on social behaviour, Bertholee makes clear "not to be in favour of Big Brother. There are limits to what you can and what you cannot do. This is also related to the risks that you are willing to take as a society." Bertholee responds to another question from the audience saying that a special power may only be used as long as it's necessary. When the necessity (i.e. the reason or threat) ceases to exist, the authority to use a special power ceases to exist as well. The CTIVD keeps an eye on that. Five years after a special power has been used, a duty of notification towards the citizen involved applies, unless this could reveal relevant sources or a current operational method. However, this duty to notify has so far never been used. In fact, Bertholee wonders whether such a notification could actually be experienced as an assault on one’s private life in case there was nothing going on with the person concerned.
The Wiv2002 remains applicable to the international exchange of intelligence between the AIVD and foreign secret services, Bertholee explains. Furthermore, an international code of conduct applies. The exchange of intelligence is examined from case to case and from country to country. In the event of exchange, what is allowed to happen with the intelligence in question is being indicated. Internationally this is being adhered to pretty well, according to Bertholee. However, in some cases, or rather, with some countries the exchange of intelligence could become a dilemma...
Drawing the line where violence starts
One question relates to the degree to which activists figure in AIVD files. Bertholee explains that, in principle, the AIVD conducts no investigations into activists. "We don’t care what someone thinks. We do not represent the moral high ground of the Netherlands. It is only when violence comes into play - or calls for violence, clear intentions towards violence, radicalisation - that we feel involved."
During the discussion with the audience Bertholee emphasizes that it’s not the aim of the AIVD to collect as much data as possible. The aim is rather to collect the right information in order to be able to fend off threats. It is not the AIVD, but the industry that is the driving force behind the development of information technology that, unfortunately, is also used in less democratic countries. In response to a question Bertholee admits that there is a risk that a service like the AIVD could 'drown' in an abundance of data. Biometrics are one such development of new technology. This makes it more difficult to assume a new identity, both for people with bad intentions as well as for officers of the AIVD itself. Furthermore, the privatisation of intelligence is risky, especially due to the lack of legislative checks and balances.
Bertholee finishes his speech by emphasizing once more that the AIVD 1) doesn’t keep records of everyone, 2) doesn’t wiretap everyone, 3) shoots nobody, 4) doesn’t arrest anyone, 5) doesn’t force cars into the kerb, 6) doesn’t torture anyone, 7) doesn’t hack into every computer, 8) has no enforcement powers, 9) doesn’t put pressure on people and 10) doesn’t recruit journalists. Then Privacy First chairman Filippini rounds off the night and invites everyone present for drinks with music.
Postscript Privacy First: as international peace and security often benefit from dialogue between 'opponents', the same goes in our country for a good relationship between the government and civil rights organisations like Privacy First. In that sense we consider this night to have been very valuable and we hope that the AIVD deems this event to be worth repeating in the future!
Update 27 September 2012: as a result of Bertholee's speech, a second article appeared in Dutch newspaper Telegraaf.
The Privacy First Foundation organises networking drinks on a regular basis, inviting a prominent speaker around a topical issue. In September this year we organised a night with the Head of the AIVD, the Dutch Intelligence and Security Service. On 22 October we invited a speaker from the cyber security scene, namely Wil van Gemert, Director of Cyber Security at the NCTV, the National Coordinator for Counterterrorism and Security, part of the Dutch Ministry of Security and Justice. Investigative journalist Brenno de Winter was asked to moderate the discussion. Click HERE for the invitation to our network (in Dutch). Would you also like to receive our invitations from now on? Email us! Below is a translated summary of Mr. Van Gemert's speech and the discussion with the audience that followed:
Introduction by Privacy First
Chairman Bas Filippini gives a short introduction on the work of the Privacy First Foundation and introduces Wil van Gemert as well as Brenno de Winter. Filippini recalls that the Dutch government increasingly expects citizens to do everything digitally. In particular the elderly as well as people with fundamental objections are put in difficulty by this development. Meanwhile the government attains ever more powers of surveillance in the digital private domain of citizens. A current development in this regard is the plan of Dutch Security and Justice Minister Ivo Opstelten to be able to hack into computers of citizens. Privacy First is firmly opposed to this plan because, among other things, it would violate the right to confidentiality of email. The Dutch government should safeguard the privacy of its citizens. In that sense Privacy First and the Dutch government share the same goal, albeit from different perspectives. However, Opstelten’s hacking plans threaten to break down people's privacy and (through this) democracy as a whole. Filippini then gives the floor to Wil van Gemert.
Trends in cyber security
Mr. Van Gemert thanks Privacy First for the invitation and kicks off by showing a funny commercial advertisement about linguistic confusion; click HERE. Like in the video, in cyber security it is all about trust, knowledge and awareness. Finding the right balance between tasks and responsibilities is equally important. In his lecture Van Gemert consecutively pays attention to current trends in cyber security, tasks of the government, cooperation between the public and the private sphere, the Netherlands Cyber Security Assessment (Cyber Security Beeld Nederland) and 'security versus privacy?': is this a contradiction or rather a matter of complementarity? And what are the present-day challenges? When it comes to cyber security, it all revolves around confidentiality, reliability, integrity and continuity of data in the digital information society. The first worldwide trend that Van Gemert identifies is 'Big Data': the enormous amount of data that is stored continuously and which increases on a daily basis. How can we handle this in good way? A second trend is hyperconnectivity: the number of digital (internet) connections increases exponentially. This is how an 'Internet of Things' comes to life. The Netherlands has the one but highest internet density in the world, which gives our country a special position in this regard. A third trend is the disappearance of borders, both in time and distance as well as in terms of work and the private sphere. These trends require changes both in the way companies do business as well as the role of the government in guaranteeing a secure society. These trends also have an influence on people, on consumers, for example through the new possibilities offered by mobile telephony. Big Data can be used to make highly personalised commercial offers in real time, say, a travel insurance when you're at Schiphol airport. However, when Van Gemert asks how many in the audience find this a good idea, not a single hand is raised. Van Gemert doesn't think it's a good idea himself either: it harms your privacy, it makes you feel you're being followed. Relatively many youths seem to be just fine with it though.
The influence of social media
An important aspect of cyber security is mobility: companies want to be able to reach their clients everywhere they go and employees are increasingly less bound to a workplace at the employer's office. For companies, political parties and the government too, social media become ever more important to know what goes on in the market or in society. An interesting case is the recent incident with an airplane from Vueling Airlines with which radio contact was lost and for which for some time the possibility of a hijacking was accounted for. Since 2001 such an airplane (a 'renegade', PF) is escorted by F16s by procedure. Imagine, however, that all passengers inside the airplane communicate through Twitter that things are fine, then how do you deal with that as a government? These are questions that are pondered over within the government at the moment. Another aspect concerns the role of the government: from a monopoly to a more independent role since for most part the cyber infrastructure is in the hands of companies. Then there's the authority issue: social media have an influence on the degree to which government campaigns are successful with the general public. A recent example is the government campaign for vaccinations against cervical cancer. A further aspect is that cyber security is community driven: the community makes itself the owner of a certain problem, as was the case for example with the Dorifel virus. This community consists of researchers, relevant companies, hackers etc. and can sometimes offer clarity on certain issues, unlike with classical investigation methods whereby the directions are with the government. However, the digital IQ of most companies is still low, so it is a challenge for the government to increase the digital IQ of companies, says Van Gemert.
Lack of a security concept in cyberspace
The Netherlands is a country characterised by seas and dykes: if the water seeps through, we build a dyke around it. This classical way of crisis containment is almost impossible in cyberspace. Companies often are not aware of where their data are situated precisely, how they are interconnected and which effects occur when a failure manifests itself somewhere. Apart from the human factor, platforms, applications and infrastructures all have problems of their own. Due to the interaction between these four levels, a security problem often becomes very extensive. In the physical world we are familiar with a safety concept; think of the safety regulations on a construction site. But is there such a security concept in cyberspace? And which roles do the government, the private sector and citizens play in this? At the moment this is insufficiently clear. On the highway certain safety standards and traffic rules are in force. But each citizen can also buy a computer and go onto the digital highway unprotected.
Since one and a half years the Netherlands has a National Cyber Security Strategy. Part of this has been the installation of a Cyber Security Council: an independent advisory body for the government. In the National Cyber Security Strategy it has been agreed that the Netherlands makes an annual Cyber Security Assessment of threats and actors. Furthermore, from the beginning of 2012 there is an operational management within the NCTV, which consists of two parts: 1) the National Cyber Security Centre, NCSC (which acts as a centre of excellence, among other things) and 2) a range of policies (which support, among other things, the answering of parliamentary questions and questions from the private sector). The starting point here are public-private partnerships; in this way new coalitions with new forms of participation between the government and trade and industry as well as with NGOs come to life. Both the government as well as private parties and experts take part in the Cyber Security Council and in the NCSC. One topic that is being dealt with together is cloud computing. Moreover, since recently the NCSC has an ICT Response Board; within this public-private partnership people from the government and the industry can be summoned up for advice and assistance in the event of incidents or crisis situations. Then there are ISACs, Information Sharing and Analytical Committees, in different areas, for example for the vital infrastructure with regard to energy, water, finances, etc. This too is a public-private partnership.
Threats in cyberspace
Cyber security has been a hot topic of late and negative incidents sometimes result in positive initiatives. There has been an unanimous request by the House of Representatives to set up a security breaches notification centre. In this context Van Gemert tells the following: "The Diginotar affair has made clear that the following question is of relevance: what can the government do in the event of a crisis? How can the government force a company that plays a key role to cooperate in order to prevent social breakdown and damage to society? Are such possibilities at our disposal in the first place? Our conclusion from July this year was affirmative, in case we can declare a state of emergency in relation to a cyber incident." Furthermore, Van Gemert stresses that we should not just invest in the detection of data leakages, but also in the right response to this. Hereby the role of the government concentrates on coordination, communication and consultation. In July this year the second Cyber Security Assessment of threats, targets and actors was released. The main threat comes from foreign governments (espionage) and cyber criminality. Contrary to what most people believe, so far cyber terrorism poses a smaller threat. In addition, cooperation between 'hacktivists' and foreign State actors (i.e. intelligence services) could be worrisome.
On the relationship between privacy and security, Van Gemert remarks that as far as he is concerned "there is no privacy without security. If you do not organise security, in the end there will no be privacy. You really do need to take measures to make sure your privacy is protected. Privacy and security have a mutual interest in each other. So in that area, information protection and related agreements are necessary. Also in order to protect privacy, on a daily basis the NCSC brings out advice on vulnerabilities which could be harmful for companies and citizens. Our website www.waarschuwingsdienst.nl is focussed on making citizens more aware and to mobilise them against threats. However, we are not a supervisory body, we cannot enforce anything. We can merely give out advice and propose best practices. Between 12 and 22 November 2012 the government will pay attention to 'awareness' through its campaign Alert Online in cooperation with 10 partners. This campaign is aimed at citizens as well as companies."
Finally, Van Gemert underlined the importance of fundamental digital rights and self-reliance of citizens through knowledge and awareness. Van Gemert brings forward three subjects for discussion with the audience: 1) How do security and freedom relate to each other conceptually? 2) What is the role of Privacy First? Is it always to be an opposing force or can it also be an ally? 3) What is the role within cyberspace of our law-enforcement and supervisory organs, for instance the police? What is their role when it comes to individual emergency aid and law-enforcement in cyberspace?
Discussion with the audience
Even though Van Gemert is not responsible for the cybercrime department, he is nevertheless prepared to say one or two things about it on behalf of the Ministry of Security and Justice. Answering a question from the audience about the possible international consequences which an intervention in cyberspace from the Netherlands may have, Van Gemert points out that the concept of virtuality requires a different approach compared to a territorial approach when it's not clear where a particular server is situated. He hereby makes a comparison with the development of maritime law in international waters. The country in which the damage occurs should form a point of reference in terms of jurisdiction. However, in this regard there are no unequivocal answers; the national and international rules on these matters are not yet clear. Brenno de Winter emphasises that Dutch hacking activities in foreign countries could well set a dangerous international precedent. What if a country like Iran ascribes those same powers to itself? This is a concern that is shared with others among the audience.
Another question from the audience relates to the public-private partnership as is the case with Diginotar. Israeli wiretapping systems in the Netherlands are being referred to as well. Does the Netherlands not make itself enormously vulnerable with this? Van Gemert replies that this has indeed become a prominent question since the Diginotar affair. However, he is not willing to go into the topic of wiretapping systems since he's not involved in this policywise. Then it's being mentioned from the audience that, within public-private partnerships in the area of cyber security, Dutch NGOs are structurally being kept out. De Winter too remarks that the NCSC is seen by many as an unreachable fortress where you're not being heard. Van Gemert responds to this saying the NCSC certainly does look for contact with pressure groups. Here too the question is which side do these pressure groups pick: do they take on an opposing or a supporting role? "I'm convinced that we should look for new forms of cooperation between the government, the industry and trade, the citizenry and with pressure groups, which make sure our society becomes more secure. Looking out for those contacts is the reason that I'm standing here," Van Gemert says.
Another question from the audience is about the detection of hack attempts. To what extend is this being delegated by the government to industry? Van Gemert reacts saying that the government does the detection work itself on the basis of the exchange of digital traffic data (not on the basis of content) as far as it concerns the vital (government) infrastructure; companies take care of such detection efforts themselves. Someone in the audience remarks that in this respect the government could take up the role of bringing together relevant knowledge and experience in each individual business sector. Another comment from the audience concerns the lack of international rules that was presupposed earlier: why does the Netherlands not conform itself to the already existing Budapest Convention on Cybercrime and why are the legal possibilities under this Convention not being adequately used? Other observations deal with the cooperation between Dutch municipalities, the banks and the telecom sector. Someone asks how big a threat cyber warfare really is and how the Netherlands prepares itself for it. Van Gemert here refers to cyber as the 'fifth battlefield' apart from the four domains of land, sea, air and space. This is an actual development: by now there are about 20 countries which have the capacity for this type of warfare. There are a lot of financial cuts in the Netherlands, but money is actually being invested on cyber matters by the Ministry of Defence. Cyber war entails a new question of attribution: which country inflicts the damage and how is one to react to it? During the discussion the US Patriot Act is mentioned as well as the risks of storing data in 'the cloud'. "Think carefully about what you put in the cloud," Van Gemert advises. Then comes the question to what extent the government considers the protection of personal data vital for our infrastructure and to what degree the government is keeping an eye on the risks of identity fraud and identity theft through the coupling of personal data to citizen service numbers. Does the government endorse the Scientific Council for Government Policy report called iGovernment? Is declaring a cyber state of emergency equivalent to a disaster or warfare situation in which all regular legislation can be nullified with all the privacy risks it entails?
Someone mentions that the police power to hack into computers of citizens could imply that computer data of individuals could be changed without it being noticed and could then be used against those same individuals. Van Gemert replies that personal data is fundamental and critical data that is to be protected properly. Not just companies but citizens themselves ought to be better aware of this. As far as a state of emergency is concerned, Van Gemert remarks that this was not even proclaimed during the Dutch flood of 1953. In terms of cyberspace there is no need for new, complementary legislation for a state of emergency. Current legislation for a state of emergency can only be applied in extreme situations.
Another point of discussion is the fact that for years the Dutch government has been dependent on Microsoft: why is this situation (with the associated privacy risks) lasting ever longer? On request Van Gemert clarifies his earlier remarks on a cyber state of emergency: such a situation cannot be proclaimed on the basis of a single incident, but only when we're dealing with large-scale societal breakdown. Then it is being asked from the audience to what degree the government has the responsibility of not making legislation and policies which can be copied and abused by other countries, like the way companies are not allowed to deliver certain dual use equipment to certain countries. Van Gemert tells that for some goods there are indeed UN sanctions lists: the Dutch General Intelligence and Security Service (AIVD) verifies this. A free internet abroad is mainly supported by the Dutch Ministry of Foreign Affairs. Generally speaking, a democratic society always needs to abide to a moral guideline. Then the discussion about possible government powers to hack computers in foreign countries comes to life again among the audience. In this context, does the permission of an examining magistrate offer sufficient protection against abuse? Someone else in the audience remarks that, nowadays in the area of phone-tapping, the examining magistrate has become some sort of rubber-stamping device. Someone remarks that Van Gemert's distinction of five domains of warfare is put too simply. In international law, traditionally there are only three domains of warfare: land, sea and air. Since the 1970's, in space the principle of 'peaceful use of outer space' applies. So why not introduce a similar new principle of 'peaceful use of cyberspace?'
In reaction to a question about guaranteeing privacy, Van Gemert replies that he attaches importance to clarity over what is and what isn't allowed. Through investigative powers sometimes one's innocence can also be proved. The challenge is finding the balance between cyber security and privacy, Van Gemert says. Then someone in the audience points to the dangers of the coupling of personal data and function creep. Our democratic constitutional State is no invariable matter of fact. Does the government take this into account? Van Gemert iterates that the challenge is in finding the right balance. Calls for new legislation by parliament after an incident are not always adhered to by the government, for instance when it concerns anti-terrorism legislation and emergency legislation. Then someone in the audience states that for a raid a search warrant is required, which is verifiable for the citizen. This verifiability is absent when hacking into a computer. Van Gemert responds by saying that such verifiability is equally missing when it comes to phone tapping or police observation, especially when it's a case that's not brought to court. In this respect, De Winter remarks that neither the existing compulsory notification is complied to by the government. From the audience it is added that through all registration measures the presumption of innocence of citizens is put under pressure. This changes society and makes people start to comply with an 'all-seeing government'. As a response, Van Gemert underlines once more that 'privacy and security cannot do without each other'. In his view these sorts of discussions are important to get more clarity and to be able to make steps forward. Finally, Van Gemert stresses the importance of a security concept in cyber space with sufficient attention to privacy.
De Winter gives the final word to the Privacy First Foundation. Chairman Bas Filippini thanks Van Gemert for his open attitude toward the opposition. In the view of Privacy First, discussions such as these are fundamental. In recent years there has been too little dialogue with the privacy movement; the government has grown bigger while participation by citizens has decreased. Privacy First is happy to accept the invitation to become part of the coalition. "We will be a necessary irritant, but you have to be able to deal with that", Filippini concludes.
The Amsterdam police are considering the introduction of mobile X-ray body scanners on the streets, local television station AT5 reported today. If the police will indeed introduce such "nude scanners", Privacy First will not hesitate to sue both the Amsterdam police and the responsible Amsterdam Mayor Van der Laan for breach of 1) human dignity, 2) the presumption of innocence, 3) privacy, 4) freedom of movement, 5) physical integrity and 6) the health of all Amsterdam residents. Any introduction of mobile X-ray scanners will actively jeopardize the privacy as well as the health of innocent citizens.
Privacy First hereby makes an urgent appeal for political measures: this Thursday the subject of preventive searches is on the agenda of the Amsterdam city council. It is primarily up to the council to blow the whistle and prohibit the introduction of nude scanners by the Amsterdam police. If the council fails in this, Privacy First reserves the right to take all necessary measures to prevent the introduction of nude scanners.
Update 7.00pm: reaction of Privacy First on FunX Radio (in Dutch).
Update June 29, 2012: the introduction of mobile body scanners is put on hold during further investigations by Amsterdam Mayor Van der Laan. The subject will not be on the agenda of the Amsterdam city council again until early 2013. The political debate on preventive searches (including the possible introduction of body scanners) which took place yesterday in the Amsterdam city council Committee for General Affairs can be viewed online HERE (starting at 233m40s).
In almost all of the lawsuits that are pending against the new Dutch Passport Act, there is one important subject that has so far been little exposed: the use of sensitive personal data by secret services. In this case it’s about biometrics: digital facial scans and fingerprints that end up in all sorts of databases through people's passports and ID cards. At the moment those databases are still only in the hands of municipalities and the passport manufacturer in Haarlem (Morpho, previously called Sagem), in the future they will undoubtedly end up elsewhere too, eventually worldwide. In that sense every Dutchman is a potential globetrotter: in the long term your fingerprints and facial scan may be available even in the farthest corners of the world. Not only in the databases of ‘allies’, but also in the databases of countries with which those ‘allies’ have in turn concluded (possibly secret) exchange agreements. And this is all but transparent. Neither is it publicly known what secret services are willing to use our biometrics for. A Privacy First employee who was eager to examine this for the Dutch Scientific Council for Government Policy (Wetenschappelijke Raad voor het Regeringsbeleid, WRR) soon encountered a wall of research restrictions. So for the time being all we can do is guess... Possible intelligence purposes of biometrics are: 1) identification of suspects unwilling to talk and ‘interesting’ persons in public space, 2) recognition of emotions and lie detection, 3) the use or recognition of doubles, 4) espionage, etc. The first purpose (identification) is being facilitated by the Radio-frequency identification (RFID)-aspect of the biometric chip in your passport or ID card. It’s precisely because of this that the chip can be read from a distance.
Back to the main subject: the use of sensitive personal data by secret services. Today this is as easy as pie: many people unashamedly put half of their private lives on the internet, for instance on Facebook. And if the information can’t be found on the internet, it can be traced in databases of companies and the government. In the way you in your student days perhaps once turned on the TV with a pool cue without leaving your lazy armchair, secret services can nowadays conjure up your whole life including your fingerprints merely at the press of a button. But is this actually allowed? And in this respect, does it make any difference if your fingerprints are stored are stored 1) by the municipality, 2) in a central database or 3) by a passport manufacturer? ‘‘Yes, that’s allowed’’ and ‘‘no, it doesn’t matter where they’re stored’’, the Dutch State consistently implied until mid-2011 through the State attorney:
‘‘Fingerprints will also have to be supplied to the General Intelligence and Security Service (Algemene Inlichtingen- en Veiligheidsdienst, AIVD) and the Military Intelligence and Security Service (Militaire Inlichtingen- en Veiligheidsdienst, MIVD). The provision of information to these services is regulated in Article 17 of the Intelligence and Security Services Act (Wet op de Inlichtingen- en Veiligheidsdiensten, WIVD). This already applied prior to the coming into force of parts of the modified Passport Act and it will be no different now that it’s been modified. The mention in Article 4b, paragraph 2(d) Passport Act (‘state security’) was merely motivated by transparency reasons.’’
(Source: Statement of Defence in the Passport lawsuit by Privacy First dated 28 July 2010, para. 2.17; repeated word for word in, among other things, the statements of defence of the State in the Passport lawsuits by Van Luijk dated 29 October 2010 & 10 June 2011 (paras. 3.17 & 5.8 respectively) and Deutekom dated 23 November 2010, para. 4.17.)
So there the State claims that basically nothing would change with the introduction of the Passport Act since the AIVD would already have had the opportunity to make a request for your fingerprints. Meanwhile however, the development of a central biometric database has been put on hold which means your fingerprints are stored ‘only’ relatively shortly by the municipality and the manufacturer. From a legal point of view this is what the discussion now revolves around. For instance on 27 October 2011 before a single judge at the district court of Amsterdam:
Judge: ‘‘Yes, I just wondered, madam [State attorney], you’re saying that Mr’s fear that intelligence and security agencies have access to his personal data - his fingerprints and facial scan -, is taken actually away by Article 65 [Passport Act].’’
State attorney: ‘‘Article 65 only applies to fingerprints.’’
Judge: ‘‘Mr [X] has pointed at Articles 17 to 34 of the Intelligence and Security Services Act. How do you see that?’’
State attorney: ‘‘I can very briefly say something about how you should see this in relation to each other. (...) The point is, quite a few things have of course been said about this in the legal history of this case. So when does the possibility of access arise: once you have a central administration with a biometric search function. There are all sorts of regulations but it’s not as if the AIVD could come up with a fingerprint and say to the municipality ‘show us who this fingerprint belongs to’. But that possibility, it isn’t there. There is simply no biometric search function. In that area the only possibility of what municipalities can do in providing fingerprints, is making a print of it, which comes down to: a sheet of paper with dots. That is the rendering on paper of those fingerprints. Provided the AIVD has complied to the regulations under which they can make a request for information on the basis of the WIVD, it could provide a name to the municipality where the person concerned is registered and could then make a request for personal data. For as far as such a request would concern fingerprints, it wouldn’t thus be any more than a printed page with those dots. So it can never happen, and this is the important point, that the AIVD would come up with fingerprints and say: ‘who are these fingerprints from?’’’
Attorney: ‘‘This is not what my client fears. My clients fears that the AIVD says: ‘we want to see the fingerprints of Mr [X]’.’’
State attorney: ‘‘If the AIVD would like to have the fingerprints of Mr [X], then it wouldn’t need the travel documents registration. They’re on these items over here, so to speak, on this cup...’’
Attorney: ‘‘Well I don’t see anyone of the AIVD taking fingerprints of my client, and it’s not just about him, it’s about him saying: ‘I find it to be in conflict with my conscience to cooperate because in that way the fingerprints of all Dutch citizens could be requested for by the AIVD.’ Not just his, but everyone’s.’’
Judge: ‘‘With the legislation that is in place now, would it be practically possible for the AIVD to step up to the municipality of Amsterdam and say: ‘we would like to have the fingerprints of Mr [X]?’’’
State attorney: ‘‘Eeehm, well [inaudible], Article 65 second paragraph [Passport Act] dictates that fingerprints may only be requested for the application and issuance of a passport. As far as the AIVD would be allowed to make a request for those data on the basis of its own legislation, they wouldn’t be able to obtain anything more than those printed dots because the municipality can’t offer anything different than that.’’
Interruption from the audience: ‘‘They can through [passport manufacturer] Morpho.’’
Judge: ‘‘You are not a party in this lawsuit. I have to ask you not to take part in the litigation.’’
So merely a ‘print with dots’, according to the State attorney. Demanding fingerprints at the passport manufacturer unfortunately was not discussed during the court session. Subsequently the case was redirected within the district court of Amsterdam to a court session with three judges. On 25 January 2012 this point of discussion was again briefly discussed:
Judge 3: ‘‘And what if the information is in the hands of the manufacturer?’’
State attorney: ‘‘Eeeeeeeehm... On what basis would the manufacturer be allowed to provide those data?’’
Judge 3: ‘‘That’s what I’m asking you.’’
To this question no clear answer was given by the State attorney, just a vague reference to Article 65, paragraph 2 of the Passport Act. Then a painful silence followed... and the judges didn’t ask any further questions.
Judge 3: ‘‘And Mr [attorney of X], what’s your take on this point?’’
Attorney: ‘‘I have a different view! [laughter from the audience]
The attorney of X subsequently extensively refers to the relevant legal history of the Passport Act and the provisions of the WIVD 2002.
State attorney: ‘‘Even if the AIVD would be able to make a request for fingerprints on the basis of Article 17 WIVD, then they would never get anything more than a printed page with those dots. (...) They would get a printed page with the fingerprints, which is a printed page with dots.’’ A little later, after having been verbally informed by a civil servant of the Dutch Ministry of the Interior: ‘‘I’ve said something wrong. I said you get a printed page with dots, but now I understand you get a printed page with an image.’’
Hence, after a dozen court sessions about the Dutch Passport Act, the official clarification by the Dutch State on the use of fingerprints by secret services goes as follows: ‘‘a print with an image, from the municipality’’. The question thus remains whether digital requests can also be made to 1) the municipality and 2) the passport manufacturer, and if so, what exactly happens with it. The same goes for facial scans. The upcoming court session in the Passport Act saga will be on Monday, 2 April 2012 (11.00 am) at the Dutch Council of State (Raad van State). It will then be up the Council to clarify this case after all and invite expert witnesses in case necessary.
Update 10 February 2012: As a result of the above article, written questions have been asked by Member of European Parliament Sophie in ‘t Veld to both passport manufacturer Morpho as well as to the European Commission. At the same time Member of the Dutch House of Representatives Gerard Schouw has asked similar Parliamentary questions to the Dutch Minister of the Interior Liesbeth Spies.
This week Big Brother suffered a well deserved defeat in the Dutch city of Groningen: an experiment with 'listening cameras' in the Groningen inner city has turned out to be a complete failure. The aim of the experiment was to be able to detect ‘deviant behavior’. However, this happens to be technically infeasible: the microphones mounted onto the cameras cannot even distinguish a fight from a scooter passing by. Mayor Peter Rehwinkel has therefore decided to get rid of the microphones.
The decision by the mayor fits into a current European trend: on behest of the European Parliament the flow of money to the European Big Brother-project INDECT has recently been called to a halt. This project too was intended for detecting ‘deviant behavior’. With it the police expected to be able to predict and prevent crimes, much like in the
We will now need to wait for the development of new software to detect deviant Big Brother behavior of policy makers. Privacy First will keep you posted...! ;)
Rotterdam-Rijnmond police chief Frank Paauw is of the opinion that the DNA of all Dutch citizens should be compulsorily stored in a national database for the investigation of crime. He declared this in an interview in the paper of the regional political party Leefbaar Rotterdam ('Livable Rotterdam'). While according to police chief Paauw privacy is ‘‘a great asset’’, he thinks that massive storage of DNA can make the ‘‘world more secure’’.
In the paper of Leefbaar Rotterdam Paauw cites the 19th century French criminologist Alexandre Lacassagne who said that ‘‘every society gets the crime it deserves’’. For the Privacy First Foundation this includes privacy crime and we are eager to point to a more relevant quote by Benjamin Franklin: ‘‘Those who surrender freedom for security will not have, nor do they deserve, either one.’’
Compulsory storage of the DNA of all Dutch citizens in a national database constitutes a collective human rights violation beforehand. The sheer disproportionate character of it already signifies a gross violation of the right to privacy and physical integrity of every Dutch citizen. Apart from the total lack of knowledge and respect for human rights that police chief Paauw expresses with his statements, this is also proof of an obsolete vision on society in which security and privacy have for years formed a false contradiction. Privacy is security: the personal security of the individual against a government that no longer trusts its own citizens and wishes to treat every Dutch citizen as a potential suspect. Privacy First wants to halt this development and move forward with a positive vision on society in which trust and freedom are basic values.
Update: Police chief Paauw gets no support for his plan whatsoever, neither from politics, nor from the Dutch Ministry of Security and Justice. Dutch Minister Opstelten calls it ''disproportionate" and "beyond the pale''.