By Bits of Freedom

A recent report by Dutch Military Intelligence and Security Service CTIVD shows that the Dutch secret services regularly violate the law when sharing intelligence with foreign services. For the sake of privacy and freedom of communication, it is crucial that data sharing safeguards are both tightened and more strictly enforced.

A report issued by the CTIVD revealed that the secret services do not necessarily act in accordance with the law when it comes to sharing (sometimes sensitive) information with the intelligence agencies of other countries. Ten instances were found in which the Dutch secret services had illegally provided raw data to foreign services, disregarding what is already a fairly weak legal regime for information sharing. The services’ casual attitude towards existing legal frameworks and their reluctance to be more meaningfully regulated may set a dangerous precedent for the relationship between intelligence agencies and democratic oversight in the Netherlands.

The Dutch secret services routinely exchange data with foreign secret services. Dutch EDRi member Bits of Freedom argues that the services should always know what they are exchanging, because they are tasked with protecting the citizens, and part of that task includes not giving away risky information about them. Sadly, services’ internal guidelines to that effect are missing, while legal provisions are insufficient and often ignored.

A lack of internal policy

The Dutch secret services’ internal policy for sharing data with other services is porous and vague: It does not distinguish between different legal basis, the assessments against the requirements of necessity, propriety, and due care are missing, and two legal bases lack additional requirements entirely. It further does not stipulate that weighting notes, which assess the trustworthiness of any cooperating agency, need to be taken into account when deciding whether to share information. There are also no standard procedures as to whether foreign services are allowed to use the information provided (or that they must act in accordance with international law if they do so) or pass it on without thinking twice about it.

Non-compliance with already limited legal provisions

Aside from services’ internal policy, or lack thereof, the law provides a rough framework for the sharing of raw data. Raw data are data which have not been processed, filtered, or analysed based on their nature or content by the services in any form. Under the current regulation, whenever the services wish to share raw data, they must obtain permission from the responsible minister. This permission is subject to a set of circumstances. According to the CTIVD, however, the services not only do not pay sufficient attention to these circumstances, they are also given the leeway to do so.

Sometimes, the services even have their very own ideas about sharing raw data, deeming an internal assessment of whether the information they seek to share is relevant to the receiving body a sufficient benchmark. Not only is an assessment of potential relevance significantly more abstract than the criterion of evaluation, it is also simply not how the law works, and the CTIVD therefore objects to this line of reasoning.

Additional instances in which the clearance protocol for raw data have been violated include: classified data incorrectly labelled as evaluated; data incorrectly added to an existing permission without obtaining separate consent; and missing reference to the weighting notes that would have classified the other service as a risk. If the services want to share raw data with a service that is known to be problematic, the risk, and what the services do to manage it, must be outlined in the permission request. Failure to provide this greatly undermines the functioning of the minister’s permission as a guarantee. After all, how can the minister properly consider a request if they are not informed of the risks involved?

Safeguards are needed

An important stipulation when providing data to a foreign service is that that service may not pass on the data, also known as the third-party-rule. Both secret services (MIVD and AIVD) structurally fail to set this condition, though it is required by law, when providing data to foreign services. The AIVD, for instance, neglected to do so three times over the last year despite the weighing note on the receiving foreign service indicating risks that would have indeed required it.

According to the CTIVD, the agreements with other countries on which the services currently base their data sharing practices are also not satisfactory. Some are still from the 1960s or do not relate to the relevant data dispensation, others are still in draft form, or exist only with one country while the data is shared with several. Moreover, during their inquiry, the CTIVD was unable to find the agreements and the services were unable to state where they were recorded.

Oversight is hindered

To make oversight possible, the services have a duty to record what they do, including what information is given to foreign services. Because records are kept at different levels, however, there is no comprehensive overview of the data shared with foreign services. Furthermore, the services are neglecting their reporting duties. Every time the secret services provide raw data to foreign services, they must inform the CTIVD accordingly. They failed to do so eight times in eight months.

How to address the problem

Bits of Freedom is deeply concerned about the provision of raw data to foreign services. It seems irresponsible that the secret services are allowed to collect data in bulk, and share it with foreign services without properly evaluating the request. Against that backdrop, the CTIVD report has raised a whole range of important questions around the services’ due diligence in risk assessment and their regard for ministerial permission protocol, civil liberties protection, and oversight.

The upcoming implementation of the dragnet, which will allow for the untargeted, systematic, and large-scale interception and analysis of citizens’ online communication, likely means that even more raw data will be shared with foreign countries. Bits of Freedom argues that this is highly problematic. How can citizens’ rights be guaranteed when the services share information (also about them) without even knowing what it is exactly that they are sharing? The House of Representatives will soon discuss proposed amendments to the Dragnet Act and while the dragnet itself seems inevitable, the Parliament should at least take into account the following points to defend privacy and freedom of communication:

  1. The services should be obligated to show that the sharing of raw data is accompanied by ensuring minimal risk for civilians and organisations, following a “least-intrusive-means” doctrine for data sharing, as it were.
  2. The sharing of raw data should be taken more seriously. As is the case with the services’ other special powers, the “Assessment Committee for the Deployment of Powers” (TIB) should review the request of the services and the approval of the minister before the sharing of data is ultimately cleared.
  3. The services have shown that they do not always comply with the law. As a result, the CTIVD, as the body tasked with reviewing the lawfulness of the services’ activities, should be given more power. When the services violate the law they should be stopped immediately by the CTIVD.

Bits of Freedom
https://www.bitsoffreedom.nl/

Casual attitude in intelligence sharing is troubling
https://aboutintel.eu/intelligence-sharing-troubling/

Dutch Senate votes in favour of dragnet surveillance powers (26.07.2017)
https://edri.org/dutch-senate-votes-in-favour-of-dragnet-surveillance-powers/

(Contribution by Lotte Houwing, EDRi member Bits of Freedom, the Netherlands)