Professors warn about 'dragnet' act
The new Dutch Intelligence and Security Services Act (the 'Dragnet' Act), is a threat to cyber security, assert dozens of professors from the world of computer science and cyber security.
In the open letter published last Saturday, the professors are reacting primarily to the idea that the referendum this coming Wednesday is only concerned with security versus privacy. ‘In the public debate, the Act has been framed in a way that is too simple,’ say the professors and experts. The point they are trying to make is this: the new law itself is introducing new security risks.
The authors of the letter provide several arguments to support this assertion.
► By hacking the Internet, the security services are making it more vulnerable
Security services will gain the power to infiltrate systems through as yet unknown vulnerabilities. Security services will thus be exploiting these holes, instead of reporting them and helping to ensure they are plugged. ‘There is therefore a real danger that others will use these vulnerabilities for other purposes,’ states the letter.
And that's more than just a fanciful idea. The attack on the container terminal of APM, in the Port of Rotterdam, for instance, has been linked to security holes that entered the public domain through leaked information from America's NSA. According to Professor of Cryptology Tanja Lange, one of the initiators of the open letter, the risk goes even deeper than that. ‘The German government created new vulnerabilities when hacking suspects due to the tracking software they used for their espionage activities. The ‘Bundestrojan’ actually made it easier for others to infiltrate the affected computer systems.’ Read more about this Bundestrojan in an article from Der Spiegel (in German) from 2011.
► Extra vulnerability via third parties
According to Lange, this point lends extra weight to this issue as the new law authorises security services to hack people that are ‘technically linked’ to the suspect. 'That makes it legal for a security service to hack someone, a system administrator for instance. If they are infected by the security service with a Trojan horse, then everyone who uses that system is also more vulnerable.' A similar action in the US lead to major outrage, and this is prohibited by law there. But here such actions are to be legalised.
► And any data stored by the government is not necessarily secure
Now that the security services are being given carte blanche to collect data on a massive scale and store it for three years, there is an even greater focus on the issue of exactly how safe data is in the hands of the state. Lange: ‘The US and UK security services in particular are notorious for data leaks.’ As an example, she mentions the leak at the US Office of Personnel Management, where more than twenty million records were stolen containing information about background checks and social security numbers. ‘The new law makes it possible to share the dragnet data with these countries.’ Lange also points out that both in the US and the UK, the official line is that the security services may not collect data on a large scale on its citizens, but only on foreigners. ‘Aside from whether that really is the case, there is strong demand for data from other countries, from the Netherlands, for example.’
► Access to data creates a slippery slope
Another point, according to Lange, is that once the principle has been acknowledged that security services may access internet traffic, they will be under a certain degree of pressure to ensure that the data gathered is accessible to them. ‘I hope it doesn’t get that far, but it could mean that the government will be tempted to end security technology such as end-to-end encryption (used by WhatsApp, for example), or to forbid secure VPN connections.’ There are already countries where this is the case. For instance, China forbids the use of secure VPN connections.
► No controls on the use of bulk information
One further objection is that there is no control of data use once it is handed over to other security services. America's NSA, for example, used data from German intelligence agency BND for industrial espionage against Germany.
OFFENDERS WERE ALREADY UNDER SURVEILLANCE
Finally, the letter points to existing studies into the effectiveness of bulk interception for combating terrorism, including the David Anderson Report by MI5. ‘If you take the trouble to read these studies, you'll discover that in all cases the suspects were already known via informants, tips from local communities and targeted surveillance. In none of these cases did the ‘blind’ collection of large amounts of data enable the authorities to track down the suspect.’
The letter concludes that these security risks have been largely ignored by the new legislation up till now, and that there is much more going on than just the question of 'security vs. privacy'.
If you found this article interesting, subscribe for free to our weekly newsletter!