Cybercops in the Netherlands
In view of the transnational dimensions of the digital society, it is scarcely surprising that law enforcement, the police and intelligence agencies in the Netherlands more or less go along with international developments. This is largely due to the intensive international discussions, in which the Netherlands plays a role. The inventory of methods available to the police and intelligence services whilst conducting investigations in the digital world has been laid down in a number of bills that have become law in recent years.
In 1985, the Minister of Justice established the Commission for Computer Criminality. The commission, led by professor H. Franken, published a report entitled “Information technology and criminal law”, which formed the basis of the Computer Criminality Act that came into force in 1993. The proposed legislation closely followed the recommendations of the OECD (OESO) and the Council of Europe.
The Computer Criminality Act outlawed illegal access to computers, virus spreading, the destruction of information, unauthorised interception and falsification of bankcards. The instruments for criminal proceedings were increased with the authority to intercept all exchanges of information (including fax and e-mail), and permission to search any computers present in a house that is being searched. The decryption of encrypted material was also made compulsory. This obligation does not apply to suspects but to people who can be “reasonably assumed” to be in possession of the keys, such as network managers.
In recent years several changes in legislation have been proposed, all of which were intended to adapt the Dutch criminal code to the cyberworld. To begin with, the new Telecommunications Act that came into force on 15 December 1998 extended the obligation on telephone companies to intercept messages to include Internet service providers (ISPs) and other telecom providers. An Order in Council establishes which closed networks are still subject to this obligation.
The law failed to rouse much criticism. The objections of the official Dutch privacy watchdog, “de Registratiekamer”, which considered the new powers too comprehensive and a threat to privacy, were brushed aside. The government reasoned that the law was only amended to bring the technical conditions necessary for interception into line with the new technological era; it did not mention its possible use.
“Nonsense”, concluded Marie-Jose Klaver of the NRC newspaper. She pointed out that the use of the so-called NN tap (intercepting messages in search of an unknown suspect) has increased dramatically. This development is contradictory to the spirit of the authorisation, whereby this tap was only supposed to be used in “extremely urgent” cases. Experience shows that track and trace authorisation issued with the emphatic instruction that it is only to be used in extreme situations has been used on a wide scale. “Investigators should only allow drug shipments in extreme cases. The result was that approximately six months turnover of soft drugs came onto the illegal market under police guidance.”[1]
According to Guikje Roethof, who was then Member of Parliament for the liberal party D66, there was scarcely any parliamentary criticism of the enormous increase of powers to intercept communications made possible by the introduction of this law. After a great deal of difficulty, she finally managed to win the support of the Dutch social-democratic party PvdA for an amendment that would restrict this law. Later, however, the PvdA withdrew their support. It was soon revealed why. The Dutch security service BVD had sent an urgent letter to the permanent parliamentary commission for the intelligence services (in which the leaders of the four main parties are represented), expressing its concern about Roethof’s proposed restrictions. Under this pressure, the PvdA chairperson succumbed.[2]
Internet providers were granted temporary exemption from the mandatory installation of interception equipment, but were ordered to comply with all the regulations by August 2000.[3] The providers had not had enough time to prepare for the installation of the necessary equipment and besides, the technical, financial and judicial consequences were not entirely clear. The interception requirements laid down were a direct copy of the demands that had already been formulated in international treaties. Neither the providers nor the government knew how these demands were to be translated either practically or organisationally.
Many unresolved details appeared in the minutes of the Partial Organ for Interception (a deliberative body between the government and market parties concerned with the interception of telecommunications, which falls under the control of the Ministry of Transport and Waterways). A. Eisner from the organisation of Dutch Internet Providers, the NLIP, announced that “worldwide there are approximately three companies, located in America, which are producing interception equipment for the Internet. It could be another two years before adequate bugging devices are developed.”[4]
The progress of the program for operational and interception problems (oci) in which government and business cooperate, suffered delays due to changes in personnel and constant new demands from Dutch intelligence.[5] There is also dissent on the interception protocol to be used. The Judicial Tap Standard (JTS), which is currently in use, cannot cope with tapped information originating from high-speed services like ATM and XDSL. The protocol that was developed by the European Telecommunication Standardisation Institute (ETSI) and that is supposed to be applied to all European businesses still does not meet The Netherlands’ requirements. This standard is not suitable for tapping or transmitting quick Internet connections.[6] The negotiations between members of the EU on the European tapping protocol are still dragging on. Dutch companies do not relish the thought of making installations suitable for interception by the JTS, when in all likelihood a new interception protocol in need of new modifications and financial investments will be introduced within the next few years. Secretary of State De Vries of Transport and Waterways announced in February 2000 that a European protocol that all the member states can agree on is not in sight. For the time being, national regulations will continue to apply.[7]
The Black Box
The large providers have by now almost completed their technical and organisational preparations. 95% of messages can be tapped by the installation of a number of central interception boxes. There is still no solution for the remaining five percent, which includes direct client-to-client communication, for example. Providers are complaining about the disproportionate costs that will be involved in implementing such a solution. Small providers are the hardest hit.
The standard minimum for the number of lines that can be tapped simultaneously is still being negotiated. This means that small providers will also have to install relatively large interception facilities, although in practice it is unlikely that they will ever be used.
A proposal is currently being discussed which would mean that the government would not itself specify compulsory interception facilities, but instead leave it up to businesses. The businesses would be obliged to meet every government request to intercept on pain of a fine. You could call this the business incentive approach. The advantage for the government would be that they would not have to limit themselves to one set of interception standards, when it will not be known for years what is really necessary and desirable.
The police and law enforcement are also confronted with the problem of a decentralised police organisation with many interception centres, even though the equipment and specialists needed to intercept the Internet are not always available. In the future, it is probable that 4 or 5 large interregional tapping centres will be established to deal with this problem.
The interception box will be managed by the Internet provider; only he or she will be able to turn the box on or off, acting on a court order. Large-scale fishing expeditions will not yet be possible. The real danger lies in the phased introduction of interception facilities. If all providers have permanent interception enablers integrated into their system architecture, the powers to intercept can easily be extended, without having to first get around technical obstacles. Solutions have yet to be found for Internet connections via the cable and for ADSL lines. The large amounts of data communication per consumer made possible by this infrastructure still cause problems.
In the area of cryptography, a preliminary draft of a bill aiming to ban the use of encryption was introduced in March 1994. Anyone who could show that they had a legitimate reason to use cryptography was allowed to apply for a license. Concealed within the text was a clause making it compulsory to hand over the key to the authorities. The draft was withdrawn after a storm of protest from the legal world, the business community and privacy groups. For a long time afterwards, silence reigned on this subject.
In February 1998, the government gave the go-ahead to cryptography in its memorandum “Legislation for the electronic highway”: “The use of cryptography will remain permissible.”[8] The government’s reasons for this decision were the impossibility of controlling the availability of cryptographic products, the need of the business community for security and reliability, and the public’s need for privacy. However, the Minister of Justice continued to try to restrict the use of cryptography. The first versions of the Computer Criminality bill II included the obligation for a suspect to decode their files. After much criticism from the legal world, the Minister of Justice withdrew the proposal. The Computer Criminality bill II[9], which is now being discussed in parliament, does not oblige suspects to decode their files. There is, however, an obligation to decode for third parties, for example, telecom or Internet providers which codify data traffic themselves. The same applies to a Trusted Third Party (TTP).
The business community has also exercised its authority in this area. Law enforcement and the business community hold regular discussions on the matter in the National Platform for the Control of Criminality, a joint venture between the government and the business community. The steering committee “Information Technology and Criminality” discusses regulations, the protection of information and tracking in information systems. It seems that the negotiations do not always go smoothly. “Particularly the differences of opinion on the then existing draft of the bill caused feelings to run high in the discussions between the government and the business community, especially with respect to the possibility of a command to allow for access to data information.”[10]
The obligation for a third party to cooperate with decoding messages nevertheless has far-reaching consequences. All encoded messages for which the provider has supplied the encryption can still be read. Personally encrypted communication is also no longer safe. As long as the recipient of the encrypted message is not himself a suspect in the case, the police and law enforcement can simply approach him and demand that he decode the message.
Cybercops
The Computer Criminality bill II also outlines what the police are allowed to do on the Internet. Agents are allowed to surf around freely on the Internet, just like ordinary citizens, and do not have to identify themselves as being police officers. They are also allowed to download information and save it temporarily in a register.
It is a different case if investigative activities are carried out that would constitute a violation of civil rights and the individual’s privacy. In this respect, the “Special Investigative Powers Act” is important. This was drawn up by the government in response to an inquiry into a series of scandals on unauthorised police investigations in order to give what the police had been doing without authorisation a legal basis.[11] This legislation contains a number of specific regulations concerning the Internet. It allows the police to infiltrate newsgroups and to systematically gather information about people (in a newsgroup, for example). Pseudo-purchasing and service providing (front stores) on the Internet are also permitted, as are “scouting” research, or so-called pro-active investigation on the Internet. The latter concerns investigating “a group of people, in order to determine how crimes that seriously affect public order are devised and executed”. According to the bill it would be “conceivable” to subject certain sections of the Internet community to such exploratory investigation.
A 1997 memorandum from the Central Investigative Information Centre CRI reveals police attitudes towards digital research. The Internet is regarded as being a good “open source” for gaining information for so-called phenomenon investigation. Phenomenon investigation is pro-active investigation, aimed at mapping out certain developments, organisations and people, without actually investigating a specific, punishable crime. It is about expanding the police’s general knowledge (gaining of insights into new phenomena for literary studies or strategic analyses), data surveillance (the pro-active phase in which “material experts” search the Internet for information about certain themes, companies and people) and the investigative phase (using investigative powers to trace and prosecute people).
The memorandum shows that the police have problems with cryptography, and acknowledges that there are a host of complications attached to most of the proposed solutions. These solutions include introducing a ban on the use and distribution of cryptography, a licence system and the mandatory handing over of keys, and forcing suspects to decrypt files. The memorandum therefore states that “besides the possible legislation and regulations needed for investigative purposes, initiatives must also be taken to enable the technical unravelling of encryption techniques. Cooperation between intelligence services and the police, even on this sensitive topic, must be possible to discuss.”
On a more general note, the memorandum also argues for close cooperation with the business community and scientists. “In the course of investigation, the police and the judicial authorities must seek partners within the business community, science, the universities etc. In this way, we can obtain the information necessary to improve investigations and prosecution.”[12] The CRI and the Forensic Institute have developed specific computer expertise. The Forensic Institute is the leading expert in the Netherlands on cryptography and continues to develop its expertise. The institute has, for example, designed a program that can crack electronic agendas. This software is not only included in the briefcases of every police computer specialist, but has become an important export product of the Dutch police. The police can crack many “ordinary” security systems and cryptography, including those in Word or Excel from Windows in next to no time. The Forensic Institute works closely on cryptography with Dutch intelligence and the Military Intelligence Service.[13]
The police corps has seven interregional centres for digital expertise that help investigations that involve information technology. The CRI has since established a special unit of “cybercops”, who actively search the Internet for criminal activities. “We search in teams for specific subjects like child pornography, drug smuggling, people smuggling, false passports, fraud or trade in stolen objects”, declared team leader Richard Vriesde.[14]
Vriesde once more emphasised that cryptography is a great problem and that the Computer Criminality bill II does not go far enough to suit the police. A suspect cannot be forced to hand his key over. “We would prefer the new law to take this matter one step further.” Vriesde also expressed his regret that the alternative, which would have given the authorities access to the keys via mandatory key recovery, was absent from the bill.
A recent study, however, revealed that the police and law enforcement actually have relatively few problems with cryptography. “Digital investigators do not often encounter methods which digitally veil or hide information.” According to police officers, in practice, encryption is not particularly important, although they expect encryption programs soon to become commonplace. The detectives say that encrypted files are relatively easy to access, either because many suspects write down their password somewhere, on a note pad beside their computer for example, or because they immediately reveal their password.[15]
Bugging
Another important memorandum is one mentioned earlier: “Legislation for the electronic highway”, in which the government reveals its vision on the consequences of the information revolution upon public order. The memorandum itself does not propose any legislation, but is meant as a sort of review body for future policy and states the government’s most important resolutions with respect to policy.
Possible authorisation for the examining magistrate to make a generalised comparison between the registers of suspects and non-suspect citizens in serious cases is currently being looked into. The government is also considering whether or not under certain circumstances to allow police to conduct datamining, i.e. to ask for all registers containing information on an unlimited group of people.
The government is furthermore considering obliging third parties to hand over information from their registers more often, without informing the person concerned. For example, telecom providers could be obliged to sell prepay cards to customers only after they had given their names and proof of identity, and to save these records. This proposal has since been dropped. In response to this, the IMSI catcher, a device that forces mobile phones to reveal their identification number, has been introduced.
The government has also announced the opening of a central information point where information on telecom customers will be stored.
The memorandum shows that in the future, the degree of anonymity, not only on the Internet but also in the entire digital world, will be an important question for the police and law enforcement. “Similar issues with a far broader dimension are looming in connection with the expected introduction of the multifunctional chip-card”. The memorandum does not mention the government’s reaction to this new development.
The memorandum repeatedly states that international agreements must be reached on maintaining public order with respect to the Internet. It cites the Crime in Cyberspace treaty currently under consideration in the Council of Europe as one of the most important treaties in this area.[16]
The Netherlands is keeping pace with its most important partners. After the failed attempts to control or regulate cryptography, and yet more failed attempts to introduce key recovery, attention has shifted to “alternatives” that will allow the police and intelligence services to circumvent the problems posed by cryptography.
The “Special Investigative Powers Act” is particularly important. This law gives the police the authority to directly bug suspects; to place microphones in their houses or elsewhere in order to record conversations directly. The government has stated explicitly that among other things, this aims to circumvent encryption. “The recording of confidential communications is particularly important in those situations where suspects use encrypted mail. Among other things, in certain circumstances, this power allows the placing of a bug in the keyboard of a computer in an office, so that confidential messages can be intercepted before they are encrypted.”[17]
The introduction to the Special Investigative Powers bill also pointed out the dangers of encryption. “Technological developments necessitate authorisation for bugging. Now and certainly in the future, these technological developments will make it possible to communicate beyond the range of the police and law enforcement. The availability of powerful cryptography is one example. The proposed authorisation can, to a certain degree, compensate for the decreasing possibilities to intercept communication.”[18]
It is not clear if this legitimises the use of TEMPEST, the interception of screens. The Special Investigative Powers Act does not mention TEMPEST, or the determination of screen radiation. According to Bert-Jaap Koops, a university specialist on information law, this is not permitted. Special investigative powers and methods must be formulated explicitly and precisely, and this places TEMPEST outside the police’s arsenal.[19] The question is whether the police would agree. A parliamentary inquiry commission (IRT-enquête) set up after a series of scandals concerning unauthorised police investigations showed that the police followed the opposite line of reasoning: if the law does not state explicitly that approval is necessary for a method, then it is not necessary to ask for sanctioning. Time will tell whether or not the Dutch police, under pressure from the IRT affair and the resulting recommendations for special investigative powers, now follow another paradigm.
The Netherlands National Security Service
Obviously, the Dutch National Security Service BVD is allowed a broader range of powers and correspondingly, the possibilities to monitor their actions are much more restricted. The Intelligence and Security Services bill [WIV][20] does not only give the BVD a new name (General Intelligence and Security Service AIVD), but also new powers, many of which concern interception.
The first bill for the new WIV gave the BVD permission to intercept, record and listen to all telecommunication. The latest amendment, which will be presented to parliament this spring, adds that besides intercepting, the BVD is also authorised to “receive”, that is, to intercept telecommunications directly out of the ether (as in the case of GSMs, for example). The BVD is no longer dependent upon the willingness of operators to plug in a line, and could, for example, set up its own parallel mobile network to intercept messages. This would also prevent any providers “leaking” information about what the BVD had been getting up to. Furthermore, the authorisation to decrypt encrypted messages is being extended. The first bill gave permission to decode messages using technical facilities, but the new bill extends this to permission to decode messages using any means necessary. The explanatory note states the following: “in practice, it appears that using technical aids is not the only way in which telecommunications can be decrypted”.[21] This cryptic remark seems to refer to the unravelling of keywords by, for example, infiltrators who can look over shoulders or break into houses in search of that little piece of paper on which the keyword has been written down for safe keeping.
The AIVD will also be authorised to break into computers, or hack as it’s more commonly called. In this way, the intelligence services can steal data from a computer, or manipulate software, corrupt key words or leave a Trojan Horse behind that will give continual access which would make it unnecessary to decode encryption.
The largest step is taken in the newly added article 25a. This article grants permission to intercept international telecommunication that is not conducted via the cable lines and to go through these messages (search or scan) for information (about people, subjects or catch phrases) that might be of interest to the intelligence service. According to the explanatory notes, these kinds of investigations aim to allow the service to find out whether there is any interesting information for them between all these messages. They nonchalantly comment that it is inevitable that the content of these messages is viewed. ‘Searching is primarily a means of exploring communication with a view to determining the nature of the communication as well as the identity of the person or the organisation making the communication can be determined. The fact that the content of the message must hereby inevitably be viewed is an inevitable part of discovering who is sending the message and whether the communication concerns an individual or an organisation, which may deserve further attention. However, the “searching” does not aim to view the entire content of the telecommunication. It can, in a way, be compared to listening to telephone conversations to find out if the connection is working.’[22]
As much international telecommunication is conducted via beam transmitters and satellites, it is clear that this article covers an equally large part of telecommunication. This boils down to an uncontrolled authorisation to eavesdrop upon and scan all forms of data communication not taking place via the cable. This could have an enormous impact upon Internet communications. Because a message sent onto the Internet chooses the quietest route and the gravitational centre of the Internet is in America, there is a large chance that e-mail sent within the Netherlands will choose an international route. This could also apply to telephones in the future. All these messages could be indiscriminately intercepted in the future.
The new powers awarded to the AIVD imply that they have access to the facilities of the Technical Information Processing Centre (TIVC) belonging to the Ministry of Defence. This interception centre, where intercepted communication is scanned and processed is in Kattenburg, Amsterdam.
Earlier versions of the law stated that the Minister of the Interior must give permission for the use of key words needed for scanning, but if this new bill were to become law, the minister would receive an information list once a year and the intelligence service would then be able to add words or combinations of words to the list as they saw fit.
The last substantial extension concerned the authority to save intercepted and received telecommunication. Previously, conversations that were irrelevant to the intelligence service had to be deleted immediately, but the new bill will give the services permission to save everything that they intercept for up to a year.
Furthermore, there is an interesting addition about encrypted messages. Encrypted messages can be saved until intelligence is able to decode them. The explanatory notes read as follows:
“with respect to telecommunication that has not yet been decrypted, whenever the fact that it has been encrypted attracts the intelligence service’s interest, it is desirable to save this until it is possible to decrypt it”. After the material has been decoded, it can be kept for another year to see whether the information recovered can be of any use.[23]
In addition, “anyone” considered capable of decoding the encryption is obliged to cooperate in doing so. Refusal to cooperate is punishable by a spell of up to two years in prison. Parliament raised questions on this point during the written procedure, but the government has yet to give its answer. If the government’s answer states that “anyone” could also be a suspect, then this legislation is a breach of fundamental rights, as has been explained in the previous chapter. It boils down to an order to cooperate with your own conviction and an inversion of the burden of evidence.
Finally, judging by the bill, it seems that Dutch Intelligence considers economic espionage to be an important activity. It concerns the protection of “vital economic interests” covered by the general term “national security”. According to the memorandum, these are interests that can be best promoted by the state itself. “To a large extent, the Dutch economy relies on economic developments in the rest of the world; these developments are characterised by further internationalisation and globalisation. Decisions taken elsewhere can have an enormous influence upon the Dutch economy. Information on developments in other countries in this area can be obtained in various ways, including cooperation with intelligence services in other countries. However, these can be expected to be mindful of their own interests. In order not to be dependent upon information from third parties, we judge it necessary to build and maintain an independent information position.”[24]
What precisely these vital economic interests are remains shrouded in mystery. “It can lastly be remarked that the inclusion of ‘the Netherlands’ vital economic interests’ to the AIVD’s new responsibilities enables them, if considered desirable, to investigate in this area without national security as such being involved or its involvement having to be proved.”[25]
[1] Marie-José Klaver, De Echelon–methode, NRC 20 June 1998
[2] Guikje Roethof in Lopende Zaken, VPRO television, Sunday 23 January 2000
[3] Secretary of State for Transport and Water, Policy regulations on the granting of exemption from facilitating interception of Internet services, DGTP/99/1170/Jd/, 3 May 1999
[4] Report of Partial Organ for Interception, 4 March 1999, DAF 98/23
[5] Progress project for operational crypto- and interception problems, Directory legislation, General Directory of Legislation, Law and Legal Aid, Ministry of Justice, 14 July 1998
[6] Report on informal agreements with telecommunications providers, A.S. van Bercheycke, policy official at the BVD, supplement by invitation to a meeting. Partial Organ for Interception, DAF 99/1, 23 February 1999
[7] Temporary ruling on interception of public telecommunications networks and services 2000, Staatscourant, 28 February 2000
[8] Memorandum Legislation for the Electronic Highway, Parliamentary documents 25 880 nr.1, The Hague, 12 February 1998
[9] Amendment to the Statutes of Criminal Law, the Statutes of Penalisation and the Telecommunications Act in relation to new developments in information technology, Parliamentary documents 26 671, nr. 1 – 3, 8 July 1999
[10] R.H.P. Vriesde, “The scaffolding is finished….”, Year review 1996 Advisory Group on Information Technology and Criminality, Zoetermeer, June 1997
[11] Special Investigative Powers Act, parliamentary documents 1996/97, 25 403, nr. 1-3
[12] Visionary memorandum on digital investigation, Policy advice group on computer criminality, CRI, Zoetermeer June 1996
[13] Annual Report of the Military Intelligence Service 1997
[14] Vrij Nederland, 22 January 2000
[15] W. Ph. Stol, R.J. van Treeck, A.E.B/M. van der Ven, Criminality in Cyberspace, In-pact research series nr.5, Elsevier 1999
[16] See Chapter 3
[17] Memorandum Legislation for the Electronic Highway, parliamentary documents 25 880 nr.1, The Hague, 12 February 1998
[18] Parliamentary documents 23047 nr.3, 1994-1995
[19] Bert-Jaap Koops, The crypto controversy, a key conflict in the information society, Kluwer Law International, Den Haag 1998
[20] Parliamentary documents 25 877, nr.1-3, 7 February 1998, and subsequent amendment notes.
[21] Parliamentary documents 25 877, nr 9, 29 September 1999.
[22] Parliamentary documents 25 877, nr 9, 29 September 1999
[23] Parliamentary documents 25 877, nr 9, 29 September 1999
[24] Parliamentary documents 25 877, nr 9, 29 September 1999
[25] Parliamentary documents 25 877, nr 9, 29 September 1999