How useful is the net 'dragnet' act?
If the result of the referendum on 21 March fails to change anything in the new Dutch Intelligence and Security Services Act, those services will be able to do a great deal more from 1 May onwards. The question is how useful ‘tapping’ the Internet will be and how often the security services will make use of the option.
One reason for the act being so controversial is that people fear that the security services will tap the Internet traffic of innocent civilians. According to the General Intelligence and Security Service of the Netherlands (AIVD), the perception of a ‘dragnet’ is incorrect. The AIVD states that it is not looking for non-relevant data and will only tap traffic as specifically as possible – at a street or district level – and only when given permission.
Mass taps have been technically possible for a long time. There is special equipment for the purpose, known as ‘flow exporters’. A security service first has to copy the data passing through a fibre-optic cable, using a splitter or routers at the Internet providers. The exporters then read in the data and metadata. Filters are subsequently used to forward the relevant data to a human or computer for analysis.
According to the AIVD, however, this is a blunt instrument that they will not be using very often. Other measures for keeping an eye on someone, such as approaching the people in their surroundings or calling on someone at home, are cheaper, simpler and more effective.
Moving with the times
Nevertheless, political circles say that a new law is needed that makes tapping into web traffic possible. The old law is no longer fit for purpose in a changing world in which smartphones and the Internet are an integral part of life. The new act is worded more broadly, so that future technology may also be covered by the powers provided for in the act.
For many of the new things that the AIVD is authorised to do, it will need permission from a committee that decides beforehand whether a request will be granted or not. Opponents of the new Intelligence and Security Services Act are critical of that committee, believing it circumvents the judiciary. “We don’t know how their supervision is going to work out, and that creates uncertainty,” says one member of staff at the privacy organisation Bits of Freedom. “Is the committee capable of saying no, particularly when the request is urgent?”
The new law is giving the intelligence services too much power anyway, according to critics. Dutch newsmagazine De Groene Amsterdammer discovered for example that it would be possible to set up a DNA database. This database would in principle only be used for identifying terror suspects, but the government has often been seen in practice to handle sensitive genetic material clumsily.
Useless?
Whether the security services can garner useful information through Internet taps is unclear. Messaging apps such as WhatsApp and Telegram are end-to-end encrypted, meaning the content of messages cannot be read by third parties. However, metadata such as the time of transmission, the sender and the recipient can still yield important information, for example about the network around a terrorist.
Technology is already overtaking the law in this regard too, however, because major platforms such as Apple, Facebook and Google are sending less and less metadata back and forth between two senders, seeing as the companies are competitors. “Instead, the traffic is going through Google’s own servers,” explains Aiko Pras of the University of Twente, “and so there’s no longer any direct line you can follow between the sender and recipient.” If the trend continues, the security services will be able to do very little with the data they collect: they will only see traffic to Google and Facebook, and not the actual sender and recipient.
If the content of the tapped data is often unbreakably encrypted and the metadata less often contains useful information, the question arises of whether there is any point in tapping the data. This does not necessarily undermine the new law, which partly comprises a badly needed update to the existing rules. But it could be the case that the new powers are rendered largely useless again within a couple of years, because malicious users will be able to evade the watching eye of the intelligence services relatively easily.
Final referendum
The new act is part of the final consultative referendum in its current form. The cabinet scrapped these referendums earlier this month. What effect a ‘no’ to the new Intelligence and Security Services Act will have is open to question. Dutch Christian Democrats party leader Sybrand Buma stated earlier that they wanted to ignore the result, and his CDA is now one of the coalition parties.
Photo: S.J. De Waard