The ministers of Home Affairs and Defence published the new law for intelligence agencies in 2015. During the internet consultation on this proposal, many have voiced negative opinions on the plans. Never before did so many civilians, social organisations and corporate businesses (including BIT) react on an internet consultation. Nevertheless, the social discussion did not happen and the proposal was accepted by the Senate and the Parliament with minor adaptations.
A number of weeks ago some concerned students requested a referendum on the law. BIT supports this initiative and hopes for a broad social debate about the law. Our objections against the law will be listed below.
The legislator has neglected to prove the use, necessity and effectivity of the law, which makes the proportions of the measures questionable. Thousands of organisations will have to give away data and allow their networks to be tapped. The privacy objections for these actions is not properly addressed. Citizens will feel spied on and therefore be restricted in their privacy. Even Amnesty International, not particularly known as an activist group, speaks up against this invasion of human rights. The law describes the basis of “important interests of the state” for the use of special powers. This description is vague to the degree that the risk of “function creep” becomes quite significant.
The business climate, in terms of the privacy, security and financial perspective will be less attractive due to this law. Particularly for online businesses, including start-ups. This has direct consequences for businesses like BIT that service such online businesses and start-ups. Virtually any organisation or business will then be considered as a provider of communication services. This means that they will all have to make their data searchable and make sure their network can be tapped and they will have to pay for that themselves. Other countries that set such demands do give reimbursements for such costs. To top it off, businesses like BIT will suffer image and confidentiality damages. This lowers the (international) competitive position even more.
The hacking right that is described in the law ensures that services have no need for reporting (zero-day) vulnerabilities. During recent virus outbreaks, we have seen that the Dutch digital infrastructure is also susceptible to vulnerabilities developed by the intelligence agencies. The malware of those intelligence agencies can also be used by the wrong people. The hacking right can also be used on third parties, so as to reach the target of the intelligence agencies anyway. That poses security risks for those third parties. A system that is infiltrated by the intelligence agencies is more vulnerable for users with malicious intent, including the initial target. Additionally, you should not want to think about what could go wrong if those agencies start using Internet of Things systems where it is not immediately clear what kind of system is being dealt with, like medical systems.
This law allows the intelligence agencies to place taps on such a large scale that all the phone and internet traffic of a middle sized city can be tapped. In addition to the privacy concerns this poses, placing taps will increase the risks in reliability and security of the networks. Telecom providers have indicated that they have experienced that placing the current, smaller taps, causes stability issues. That is a troubling problem when our communication infrastructure is concerned, especially with calls to the emergency number.
The law set down a decryption requirement for communication networks. That comes with extra costs for these networks. The better the encryption, the higher the decryption costs will be. A technique like Diffie-Hellman may therefore be avoided. Some encryption techniques, like one-way-encryption and the use of HSMs where the private key cannot is often unavailable, could even prevent the decryption requirement from being met. A possible consequence of this law could be the use of weaker encryption methods. Also, the release and thus the wider availability of the private keys causes security risks if those keys get into the wrong hands.
By: Wido Potters