This is a mirror of the original about:intel post, since the about:intel server is sadly overloaded.
The Dutch government is proposing adding a lex
specialis to its existing
intelligence and security services act. This addition significantly
changes the scope of many powers and also extends who they can be
applied to.
A draft of an English summary of this proposed law can be found
here.
A far longer summary in Dutch is
here.
On this page I’d like to go over just one specific element of this new
law: automatic extension of warrants to hacking victims (‘non-targets’).
Under the new law, the criteria for targeting non-targets actually
become more lenient than for targeting actual targets. I would also hope
to hear from experts on what the ECtHR might imply for this automatic
extension and the newly proposed oversight. At the very end of this
article you will find the original text of the articles, and my best
stab at a translation.
Current situation
The Dutch law (‘Wet op de inlichtingen- en veiligheidsdiensten
2017’) has articles on special powers like targeted interception, bulk
interception and hacking. In addition, there is a list of interests the
services have to protect, and a list of intelligence they should be
gathering. Crucially, the powers and the interests are not tied to each
other directly.
This means that the law makes it possible to perform targeted operations
on organizations or people that are not themselves targets. One of the
two oversight bodies (CTIVD, ex-post) wrote in 2017 that such
‘non-target’ activities have to meet an elevated standard.
Translated, this states (in two places):
“When hacking non-targets, a heightened proportionality test applies:
there must be compelling operational interests that outweigh the
importance of protecting fundamental rights and the interests of the
non-target.”
“The use of special powers against a non-target is a serious measure
that must be used very sparingly. An elevated proportionality test must
be met. In order for the use to be proportional, the services must
demonstrate that the interest in infringing upon the privacy of the
non-target is so great that this infringement is justified. The privacy
of the non-target is given extra weight, because as mentioned, the
target does not itself provide a reason for investigation by the
services. She or he is only a means to the actual target. To maintain
balances, the interest that the services have in using special measures
against the non-target must be greater than usual. If this is not the
case, the scales are not balanced, and the application is not
proportional and therefore not lawful. Situations where there are one or
more concrete indications of a direct threat to national security can be
considered as compelling operational interests.”
Currently, the independent ex-ante regulator
(TIB) reviews the lawfulness of hacking and
interception requests/warrants. The conclusion of this review is
binding. This mode of operation corresponds to the ECHR/ECtHR standard
for independent authorization (Convention 108+ Article 11(3)).
New situation: automatic extension
In the new situation, hacking, targeted interception and data access
operations get an automatic extension beyond the actual target of the
warrant. If a warrant is requested to intercept the communications of a
specific hacking organization, the warrant now also extends to victims
of this hacking group. Or, more concretely, if your computer gets hacked
by group X and there was a warrant to intercept the traffic of group X,
the Dutch services now gain automatic approval to also intercept your
communications or hack you.
In the law it is worded that any automated works ‘taken into use’ by the
original targeted organization are also automatically in scope of the
warrant.
Enlarging the warrant in this way is an administrative addition which
involves no further approval process, neither internal nor external.
This is in contrast to the original warrant, which had to pass internal
review, the head of service and the minister.
The ex-post regulator (CTIVD), however, does
get notified of such an administrative addition. The CTIVD can
optionally launch an investigation to determine whether it agrees with this
addition. If it disagrees, it can inform the minister and the Dutch
parliament, and demand that the operation be halted. The services can
also appeal this demand with one of the many Dutch supreme courts, and
this court (the Council of State)
can stay the order if so requested. This is a complicated procedure
which is very different from ex-ante authorization.
Some initial analysis
There is a tension in these new powers. A warrant on ‘organization X’
may now administratively also be enlarged to target internet
subscriptions or devices from entirely unrelated people. This creates
the fiction that organization X now extends to random other people.
In addition, whereas previously there was an elevated standard for
applying powers to non-targets, there is now actually a vastly reduced
standard compared to actual targets. The ex-ante regulator TIB will need
to be convinced that it is proportional to target organization X.
However, any non-targets now no longer benefit from an elevated
standard. The non-targets in fact benefit from no standards at all
anymore.
It appears that Dutch legislators are laboring under the assumption that
they can apply powers to the non-target, but are actually targeting
organization X alone. The warrants however directly impact all
communications or the entire device, and not just the parts used by
organization X.
Implications for Article 8 ECHR
I would be very interested in hearing thoughts from experts on how
Article 8 ECHR bears on all this. Specifically, is the administrative
addition of non-targets, with only the possibility of a binding but very
heavy-handed review afterwards, in line with recent jurisprudence? And
perhaps this might differ for the three specific powers: targeted
interception, hacking and requesting a copy of all stored customer data.
This last article can be used to retrieve the contents from any servers
or computers.
Original text
Dutch laws come with a large ‘explanatory memorandum’, which while not
actually part of the law, is taken very seriously by courts, to the
point that any understanding of the law must involve reading this
memorandum. The memorandum can significantly alter the interpretation of
a law.
Article 5, sixth member:
“In aanvulling op het bepaalde in artikel 45, achtste lid, van de Wiv
2017, omvat de verleende toestemming tevens de bevoegdheid om, voor de
duur van de verleende toestemming, binnen te dringen in een ander
geautomatiseerd werk dat door de desbetreffende persoon of organisatie
in gebruik is voor zover dat in de plaats treedt van of een aanvulling
is op het geautomatiseerde werk waar oorspronkelijk de toestemming
voor is verleend”
Or:
“In addition to article 45, eighth member of the Wiv 2017, the
permission granted also contains authorization, during the validity
of the warrant, to also enter automated works of the person or
organization targeted by the warrant, in so far as this new automated
work is in addition to or a replacement of an automated work the original
authorization applied to.”
An ‘automated work’ in this specific Dutch law has an extremely broad
interpretation and includes such things as phones, computers, servers,
websites, databases and mailboxes.