Hear No Evil?
The Dutch “Surveillance Kings of Europe” Are About to Get Even Nosier
The Netherlands is considering a new law that would give its spooks unprecedented access to global data, including yours and mine.
AMSTERDAM — When the exiled American whistleblower Edward Snowden dubbed the Dutch “the Surveillance Kings of Europe” earlier this year, he attracted little attention outside The Netherlands. But he was talking about an issue with global implications, not least for the United States.
Snowden, now resident in Russia (and largely silent about its pervasive surveillance activities) told “Nieuwsuur,” a Dutch television news program, that the U.S. National Security Agency and its partners in Europe were encouraging the Dutch intelligence services to join the FVEY or “Five Eyes.”
These Anglophone countries—Australia, Canada, New Zealand, the United Kingdom and the United States—share electronic surveillance in its many forms under a multilateral treaty dating back to the early days of the Cold War. (The term Five Eyes comes from the classification heading “SECRET—AUS/CAN/NZ/UK/US EYES ONLY.”) And their goal, Snowden claimed, is to “create a surveillance super-state that shares all of its information.”
Snowden suggested The Netherlands is being bullied into an unhealthy alliance with the Five Eyes. But if Dutch Minister of Interior Ronald Plasterk is worried about that, it certainly doesn’t show.
Indeed, those in charge of the Dutch intelligence services seem positively enthusiastic about the possibility they could play surveillance with the big boys and they get rather resentful when some of their fellow Europeans try to rein them in. (The Dutch are already part of a second-tier agreement called the Nine Eyes, with the “Anglo-Saxons” plus Denmark, France, and Norway, and a third-tier one called the Fourteen Eyes that adds Germany, Belgium, Italy, Spain and Sweden. But those a junior varsities.)
In a memorandum addressed to the Dutch parliament last month, Plasterk registered his strong opposition to proposals for what is called the European Intelligence Codex, an initiative from the Parliamentary Assembly of the Council of Europe that insists current intelligence practices “endanger fundamental human rights” (PDF). The codex is meant to help protect personal data Europe-wide.
“I have serious hesitations on the subject,” Plasterk wrote: “A codex in which allied countries commit to not use investigative power on one another for, for instance, political reasons, is not realistic. The intelligence tasks of the AIVD and MIVD [Dutch intelligence services]—which notably involve intelligence collection concerning covert political and military intentions and activities of other countries—would be limited in an irresponsible manner.”
Snowden decided to weigh in and the debate has been intensified because of a new law expanding the capabilities of the “WIV,” short for “law, intelligence and security services” in Dutch, which is scheduled to come up for parliamentary consideration in The Netherlands this month.
The existing legislation allows the Dutch services to tap into the data of specific persons of interest if they get ministerial permission, and already that’s a problem. The CTIVD, a small commission charged with investigating unauthorized use of that mandate has warned that the intelligence services have been overstepping their boundaries.
That would be less of a legal difficulty under the new law, because many of the boundaries would virtually disappear. The legislation under consideration allows for much more generalized information gathering—or “bulk” monitoring—with just one stroke of the ministerial pen.
The intelligence services argue, with some justification, that there is no other way to monitor communications, given the massive flow of traffic through fiber optic cables. It’s impossible to isolate one line for monitoring. All the data has to be downloaded, then filtered until the specific communication turns up. Imagine trying to catch a specific minnow in Niagara Falls. It’s impossible to get one at a time, the whole flood has to be diverted.
And since The Netherlands is a major hub for the fiber optic networks that carry huge amounts of information from many different countries, including the United States, the new law would open the way for the Dutch services to suck in communications that U.S. law might prevent the American intelligence agencies from tapping directly. Email, telecom data, social media information—anything traveling through Dutch fiber-optic cables could be up for grabs.
For instance, the Amsterdam Internet Exchange, or AMS-IX, is one of the biggest Internet hubs in the world. Think of it as a roundabout with the data from over 700 major Internet companies moving into it, converging, then separating again. The roundabout connects data freeways from Europe to the Middle East, from the United States to Hong Kong and back. AMS-IX claims it business traffic “has a peak of over 3.5 Terabit per second, making it the largest Internet Exchange in the world.”
Twitter, Facebook, Microsoft, AOL and Google are all flowing through this roundabout. So are AT&T Global, Saudi Telecom, Etihad, Russian Eurotrans Telecom and China Mobile. A virtual mother lode of metadata is streaming incessantly through those Dutch highways of glass fiber, and the contemplated Dutch law offers little specific protection for it.
It should be remembered that the Dutch already are noteworthy for their big ears. Even under the current law they have a stunning predilection for wiretapping. In 2013 alone, this country’s judiciary tapped 26,150 of its citizens’ phone numbers. By comparison, U.S. criminal courts authorized 3,576 taps in total in that same year in a country whose population is 20 times great than The Netherlands’. The number of wiretaps carried out by the intelligence servies is not available.
Jaap Henk Hoepman, director of the Privacy and Identity Lab of Radboud University, says the way the Dutch have framed the new law the focus is on the location of the infrastructure and whether and how the intelligence services are able to access it, not on who or what is using it.
In the process the privacy of American citizens could be exposed. U.S. laws and restrictions don’t apply in The Netherlands, so could the Dutch look at communications American intelligence agencies are not allowed to monitor.
"In general terms, that's the case,” says Hoepman. “The WIV proposal says 'undirected' searches are not permitted, but the information gathered can then be shared with the United States. The GCHQ [Britain’s equivalent of the NSA] already does that on a large scale.”
“We see a pattern,” said Hoepman. “If the intelligence services are not allowed to do something locally, they gather the information from some place else. To give you a local example: The Dutch intelligence services know of crimes committed by certain people because they have been tapping them, unofficially. So they go to the police and ask them to get a warrant through the Public Prosecutor. The police do so and the information is reconfirmed through the official taps and used in criminal court cases."
There is also a maxim in the world of spooks that even the Five Eyes understand: “There’s no such thing as intelligence sharing,” as a former head of the CIA’s clandestine services put it. “There is only intelligence trading.” What Plasterk and his colleagues understand only too well is that this new law will put them in a great bargaining position with other intelligence agencies around the world, especially if they can help those agencies circumvent their own national laws.
What’s to stop them? Possibly the commercial interests of a very commercially minded country.
Bastiaan Goslings, governance and policy officer at AMS-IX is frank about his concerns regarding the new law. The Amsterdam Internet Exchange feels it has an obligation toward its clients to protect their information, obviously. “All the big content providers are located here, as well as a large number of networks from abroad.” But those companies do not have to be in The Netherlands. If their security is compromised, they could take their business elsewhere.
“The Dutch government will stress that [intelligence] agencies are not allowed to operate beyond what the law states,” says Goslings. But the temptation for abuse would be great. “It is, after all, a give and take,” and what intelligence agencies trade in is information that others cannot or should not access.
“From day one our mission has been to maintain the absolute neutrality and independence of the Amsterdam Internet Exchange, as well as the integrity of the technical platform,” says Goslings. “This legislation can fundamentally damage the reputation of the Dutch digital infrastructure, with potential severe detrimental economic consequences. We are seriously worried about that.”
Dutch authorities will argue in their defense that the foreign security services, like the British GCHQ or the American NSA, already have the ability to siphon off the huge flow of information in the fiber optic cables that transit their territory (and wherever else they can tap into them).
But the Dutch are and have been at the forefront of technological development in these areas and their very advanced network of fiber cables carry data from a multitude of major Saudi, Russian, Israeli and Chinese companies, among others. The data traveling through Dutch cables is different from the data transiting the United States.
In the barter economy of spying, the Dutch services think they have some very valuable things to trade, if only the new law goes through. “There is tight cooperation between the Dutch security services and the NSA and GCHQ already,” says Internet lawyer Christiaan Alberdingk Thijm. “They just want to get on even par with them.”