Does a "no" vote against the Law on the intelligence and security services (Wet op de inlichtingen- en veiligheidsdiensten, Wiv) make our society less secure? Proponents of the new law answer "yes" without any reservation. However, we, researchers in cyber security, computer scientists and security professionals, are skeptical of that claim.
We think that the public debate about the new law is framed too simply: security vs. privacy. If you are in favor of security, you vote "yes"; if you consider privacy more important, you vote "no". That the new law itself creates security risks does not fit into this narrow framing, but it is nevertheless the case. These risks have to be taken into account in the debate and need to be translated into suitable safeguards in the law.
The first security problem is the extended hacking powers, which authorize the agencies to break into devices and networks using unknown vulnerabilities. There is no requirement to report these vulnerabilities to the producers and developers of the devices or the software. By not reporting them, not only the target of surveillance but also countless people in the Netherlands and abroad remain vulnerable. There is a real chance that others will use the same vulnerabilities for different purposes. Cyber criminals and less scrupulous intelligence agencies may either find the vulnerabilities themselves or break into the agency's database to steal this information. The multi-day cyber attack on the container terminal in the Rotterdam harbor used a vulnerability that was reportedly stolen from the NSA. Not reporting vulnerabilities runs the risk of causing serious economic damage. The agencies cannot reconcile this with their mission to provide security.
The government's use of a vulnerability can also introduce new vulnerabilities, as was the case with the German Bundestrojaner. This security risk is amplified by a new power given in the Wiv: the government can hack a third party who (unknowingly) is connected to the target, e.g., by being the system administrator or otherwise "technically related". This means that people in security-critical positions will be kept vulnerable, or even made more vulnerable, exposing the system to other attackers.
The second security problem is related to bulk interception, the power that gave the new law its nickname: dragnet surveillance law (de sleepwet). Collecting data in bulk from cables requires adding taps to the network. In cyber security, any interception point creates another potential vulnerability. How can we be sure that hackers will not make use of the taps? In addition, the storage of data intercepted in bulk brings severe security risks, because the troves of data are a gold mine for agents from other services and for cyber criminals. What level of guarantee can the Dutch services offer that this data will not leak? The threat of data leaks becomes more severe because the new law permits sharing the bulk data, including "bycatch", with foreign agencies, even without first checking the contents. The Netherlands has cooperation agreements with, among others, the British and the Americans. Both of these countries have a rich history of government data breaches. Sharing data with these countries is thus not without security risks for the Netherlands.
In addition, more and more communication is successfully encrypted and its metadata masked, certainly by criminals and (potential) terrorists. This causes the dragnet to fill with the data of random citizens and gives the government an incentive to forbid security technologies such as VPNs and end-to-end encryption. We already see this happening in China. However, these technologies are highly important for a secure Internet, and forbidding them leads to grave security risks for society and the economy.
The third security risk is the loss of control when foreign agencies use the shared bulk data. Stored data, whether suspicious or not, can be shared with foreign agencies without first checking the contents. Abuse by foreign agencies for their own benefit is no exception in the world of spies. For example, the German agency BND offered database access to the US agency NSA in connection with the fight against terrorism. However, it later turned out that this access was abused by the Americans to conduct industrial espionage against their host, Germany. Neither the new review committee (TIB) nor the oversight committee (CTIVD) can control what happens to our data outside the Dutch borders. This security risk deserves a place in the debate.
So far we have mentioned a number of security threats that come with the new law. There are also strong indications that the usefulness and necessity of bulk collection in the fight against terrorism are being exaggerated by the supporters of the Wiv. Analyses show that untargeted bulk collection and automated (meta-)analysis of the data is not the most suitable means to stop terrorism. Not only does it offer no means to detect the so-called lone wolves, it also turns out that attackers are typically already known to the secret services. Traditional and targeted interception powers, which the Dutch secret services already have, should be sufficient to focus on such targets. The New America Foundation performed research into the effectiveness of bulk collection in more than 200 legal investigations into terror suspects in the U.S., and concluded that the typical starting point for the investigations was traditional investigative powers, such as the use of informants, tip-offs from local communities, and targeted surveillance operations.
Even the Anderson review gives reason to remain skeptical about the necessity of this very invasive means in the fight against terrorism. Supporters of the law often cite this report because it is supposed to demonstrate the usefulness of bulk collection by the British secret services. In the end it turned out that, in the 5 anti-terror investigations that the agencies themselves had presented as examples of success, the dragnet was used mostly where the eventual targets were already part of an existing terror network and had contact with known targets, which means that targeted taps would have given the same result. The necessity of bulk interception is, at the very least, debatable.
In its quest for security, the Dutch government has created the security risks described above. These must be included in the debate, which unfortunately is more complicated than simply privacy vs. security. If only it were that simple.
Back to the Dutch version.
Initial signatories
Dr. Greg Alpar
Open Universiteit & Radboud Universiteit
Jaya Baloo
Erwin Bleumink
SURF
Prof.dr.ir. Herbert Bos
Vrije Universiteit Amsterdam
Stoffel Bos
Dr. Fabian van den Broek
Open University
Prof. dr. Marko van Eekelen
Open Universiteit & Radboud Universiteit
Sacha van Geffen
Director, Greenhost
Simon Hania
Dr. Jaap-Henk Hoepman
Radboud Universiteit Nijmegen
Dr. Andreas Hülsing
Technische Universiteit Eindhoven
dr. Slinger Jansen
Universiteit Utrecht
Dr. Ir. Hugo Jonker
Open Universiteit
LLM Merel Koning
Radboud Universiteit Nijmegen
Prof. dr. Bert-Jaap Koops
Tilburg University
dr.ing. Matthijs Koot
Secura B.V. & Universiteit Amsterdam
prof. dr. Eleni Kosta
Tilburg University
Prof. dr. ir. C.T.A.M. de Laat
University of Amsterdam
Prof. Dr. Tanja Lange
Technische Universiteit Eindhoven
Michiel Leenaars
Director of Strategy NLnet Foundation
Rachel Marbus
Dr. Veelasha Moonsamy
Universiteit Utrecht
Adriana Nugter
Dr. Andreas Peter
Universiteit Twente
dr. Jean Popma
Radboud Universiteit Nijmegen
Prof. Dr. Aiko Pras
Universiteit Twente
Dr.ir. Rick van Rein
OpenFortress B.V.
Dr. Melanie R. Rieback
Radically Open Security B.V.
dr. ir. Roland van Rijswijk-Deij
Universiteit Twente
Dr. Christian Schaffner
Universiteit van Amsterdam
Dr. Peter Schwabe
Radboud Universiteit Nijmegen
Dr. Boris Skoric
Technische Universiteit Eindhoven
Prof. dr. Jan M. Smits
Technische Universiteit Eindhoven
Rogier Spoor
Honeypot programme, TCC
dr. Marco Spruit
Universiteit Utrecht
Dr. Erik Tews
Universiteit Twente
ing. Hans Van de Looy RCX
UNICORN Security
dr. Benne de Weger
Technische Universiteit Eindhoven
Dr. Philip R. Zimmermann
TU Delft Cybersecurity Group
Contact
For press inquiries contact us at press@veiligheid-en-de-wiv.nl.
We accepted co-signatories via add-me@veiligheid-en-de-wiv.nl. This section is now closed.
Co-signatories
Joost Rijneveld
Radboud Universiteit Nijmegen
Dr. Freek Verbeek
Virginia Polytechnic Institute and State University
Mischa Rick van Geelen
Security researcher at NFIR
J.N. Lancel
Fast Forward Society
ir. Arnoud Zwemmer
Universiteit van Amsterdam
Paul Oranje
Olaf M. Kolkman
Evert de Pender
Benoît Viguier MRes.
Radboud Universiteit Nijmegen
Shazade Jameson, MSc.
TILT, Tilburg University
mr.drs. Paulan Korenhof
Hogeschool van Amsterdam
Bas Westerbaan
Radboud Universiteit
Brenno de Winter
Independent security expert and hacker
Frank Terpoorten
Edam
Mr. Peter van Schelven
Lecturer in Privacy Law
ing. Michiel Steltman
Director, Stichting DINL
Richard Lamb, MSc
TrendWatcher.com // Future Expertise Center
Ahmed Aarad
Open Source & Government
Gerke Pekema
Ir. Daan Koot
Privacy and information security advisor
Safeharbour B.V.
Arjen Kamphuis
Technology & Security Director
Pretty Good Knowledge BV
Dr. Anna Krasnova
Radboud Universiteit
Niels van der Weide
Radboud Universiteit
Dr. Mirko Tobias Schäfer
Project leader, Utrecht Data School
Universiteit Utrecht
Ronald Kingma, CISSP
Access42, Security Specialist
Ir. Guido van Rooij
dr. Bernard van Gastel
Open Universiteit
Vera Taihuttu
Dick Engelgeer
Prof. dr. ir. Bart Preneel
KU Leuven
LLM Sascha van Schendel
Tilburg University
Adrianus Warmenhoven
Menso Heus
Technology Officer, Free Press Unlimited
Bart B. Willemsen
Drs. H. Mulders, MSc
Data Protection Officer since 2003
For municipalities and private institutions
Former secretary, NGFG
Director, Privacy Expertise
Prof. dr. Joris van Hoboken
Vrije Universiteit Brussel & Universiteit van Amsterdam
Dr. Sietse Ringers
Radboud Universiteit
Gustavo Banegas
Technische Universiteit Eindhoven
J. Kirk Wiebe
former NSA Senior Intelligence Analyst and NSA Whistleblower
Gerard Freriks, non-practising physician
Co-author of NEN 7510 Information Security in Healthcare
dr.ir. Jeroen Keiren
Open Universiteit
Dr. ir. Harrie Passier
Open Universiteit
Dr Nadezhda Purtova
Tilburg University
Dr. Kristina Irion
Institute for Information Law
University of Amsterdam
Martijn Terpstra, MSc
Dr. Frederik Zuiderveen Borgesius
Researcher at the Vrije Universiteit Brussel and at the University of Amsterdam
Stanislav Plotnikov
Jacob Appelbaum
Technische Universiteit Eindhoven
Prof. dr. Tom M. van Engers
Professor in Legal Knowledge Management
University of Amsterdam/Faculty of Law
Wouter van Rooij
Onepoint NL
Dr. ing. Sven Kiljan
Vladimir Bondarev, B.Eng
R&D SW Designer
Henk Bouman
Information Security Management student
Mara Paun, LLM
Tilburg University
Claudia Quelle
Tilburg Institute for Law, Technology and Society (TILT)
Ancilla van de Leest
Privacy Expert Startpage.com
Tom Bakker
Independent Information Security professional
William Binney
a former Technical Director at NSA
Prof.dr. Jos de Mul
Professor of Philosophical Anthropology
Erasmus Universiteit Rotterdam
Anton Tomas
Ir. Lex Borger
Ir. Christine van Vredendaal
Technische Universiteit Eindhoven
Dr. Matthijs Pontier
Piratenpartij
ing. Vincent S. Breider
Security Advisor, Ethical Hacker
ITsec Security Services bv.
ing. Edwin Gozeling
Advisor, Ethical Hacker
ITsec Security Services bv.
Prof. Dr. Sandro Etale
Technische Universiteit Eindhoven
Elena Plotnikova
Entrepreneur
Pete Herzog
ISECOM - Institute for Security and Open Methodologies
Johan den Hartog
Security Specialist
Ir. Erik-Jan Bos
JIB Consult BV
Tineke Belder
10 Training & Coaching
Dr. Marijn Pool
Owner, MPMD
Dr. Gjenna Stippel
Nico Pattinasarany
Aris Lambrianidis
Hans-Peter Ligthart
ing. Dennis van Warmerdam
Advisor, Ethical Hacker
ITsec Security Services bv.
Gerdriaan Mulder
Limesco B.V.
Radboud Universiteit Nijmegen
Version: Last changed 2018.03.21. First version 2018.03.17.