Pitching security vs. privacy is asking the wrong question

Does a "no" vote against the Law for the intelligence and security services (Wet inlichten- en veiligheidsdiensten, Wiv) make our society less secure? Proponents of the new law answer "yes" without any reservations. However we, researchers in cyber security, computer scientists and security professionals are skeptical of their statement.

We think that the public debate about the new law is framed too simply: security vs. privacy. If you are in favor of security then you vote "yes"; if you consider privacy more important then you vote "no". That the new law itself leads to security risks does not fit into this narrow framing, but is nevertheless the case. These risks have to be taken into account in the debate and need to translate into suitable considerations in the law.

The first security problem is the extended hacking powers which authorize the agencies to break into devices and networks using unknown vulnerabilities. There is no requirement to report these vulnerabilities to the producers and developers of the devices or the software. By not reporting not only does the target of surveillance remain vulnerable but also countless people in the Netherlands and abroad. There is a real chance that others will use the same vulnerabilities for different purposes. Cyber criminals and more dubious intelligence agencies may either find the vulnerabilities themselves or break into the agency's database to steal this information. The multi-day cyber attack on the container terminal in the Rotterdam harbor used a vulnerability that was reportedly stolen from the NSA. Not reporting vulnerabilities runs the risk of causing serious economic damage. The agencies cannot reconcile this with their mission to provide security.

The government's use of the vulnerability can also introduce new vulnerabilities, as was the case with the German Bundestrojaner. This security risk is amplified by the new competence given in the Wiv: The government can hack a third party who (unknowingly) is connected to the target, e.g., by being the system administrator or otherwise "technically related". This means that people in security critical positions will be kept vulnerable, or even made more vulnerable, exposing the system to other attackers.

The second security problem is related to bulk interception, the competence that gave the new law its nickname: dragnet surveillance law (de sleepwet). Collecting data in bulk from cables requires adding taps to the network. In cyber security any interception point creates another potential vulnerability. How can we be sure that hackers will not make use of the taps? In addition, the storage of data intercepted in bulk brings severe security risks, because the troves of data are a gold mine for agents from other services and cyber criminals. What level of guarantees can the Dutch services offer that this data will not leak? The threat of data leaks becomes more severe as the new law permits sharing the bulk data, inclusive of "bycatch", with foreign agencies, even without first checking the contents. The Netherlands has cooperation agreements with, among others, the British and the Americans. Both of these countries have a rich history of data breaches in the government. Sharing data with these countries is thus not without security risks for the Netherlands.

In addition, more and more communication is successfully encrypted and the metadata is masked, certainly by criminals and (potential) terrorists. This causes the dragnet to fill with data of random citizens and gives the government an incentive to forbid security technologies such as VPNs and end-to-end encryption. We already see this happen in China. However, these technologies are highly important for a secure Internet and forbidding them leads to grave security risks for society and economy.

The third security risk is the loss of control when foreign agencies use the shared bulk data. Stored data, whether suspicious or not, can be shared with foreign agencies without first checking the contents. Abuse by the foreign agencies for their benefits is no exception in the world of spies. For example the German agency BND offered database access to the US agency NSA in connection with the fight against terrorism. However, it later turned out that this access was abused by the Americans to conduct industrial espionage against their host Germany. Neither the new review committee (TIB) nor the oversight committee (CTIVD) can control what happens with our data outside the Dutch borders. This security risk deserves a place in the debate.

So far we mentioned a number of security threats coming with the new law. There are also some strong indications that the usefulness and necessity of bulk collection in the fight against terrorism is being exaggerated by the supporters of the Wiv. Analyses show that not-targeted bulk collection and automated (meta-)analysis of the data is not the most suitable means to stop terrorism. Not only does it not offer any means to detect the so-called lone wolves but it also turns out that attackers are typically already known to the secret services. Traditional and targeted interception powers, which the Dutch secret services already have, must be sufficient to focus onto such targets. The New America Foundation performed research into the effectiveness of bulk collection in more than 200 legal investigations into terror suspects in the U.S., and concluded that the typical starting point for the investigations was traditional investigative powers, such as use of informants, tip-offs by local communities, and targeted surveillance operations.

Even the Anderson review is a reason to remain skeptical about the necessity of this very invasive means in the fight against terrorism. Supporters of the law often cite this report because it is supposed to demonstrate the usefulness of bulk collection by the British secret services. In the end it turned out that, out of the 5 cases of anti-terror investigations that the agency had presented themselves as examples of success, the dragnet was used mostly where the eventual targets already were part of an existing terror network and had contact with known targets, which means that targeted taps would have given the same result. The necessity of bulk interception is to the least debatable.

In their quest for security the Dutch government created the above mentioned security risks. These must be included in the debate which unfortunately is more complicated than simply privacy vs. security. If it only was this simple.

Terug naar de nederlandse versie.

Initial signatories

Dr. Greg Alpar
Open Universiteit & Radboud Universiteit

Jaya Baloo

Erwin Bleumink
SURF

Prof.dr.ir. Herbert Bos
Vrije Universiteit Amsterdam

Stoffel Bos

Dr. Fabian van den Broek
Open University

Prof. dr. Marko van Eekelen
Open Universiteit & Radboud Universiteit

Sacha van Geffen
Directeur Greenhost

Simon Hania

Dr. Jaap-Henk Hoepman
Radboud Universiteit Nijmegen

Dr. Andreas Hülsing
Technische Universiteit Eindhoven

dr. Slinger Jansen
Universiteit Utrecht

Dr. Ir. Hugo Jonker
Open Universiteit

LLM Merel Koning
Radboud Universiteit Nijmegen

Prof. dr. Bert-Jaap Koops
Tilburg University

dr.ing. Matthijs Koot
Secura B.V. & Universiteit Amsterdam

prof. dr. Eleni Kosta
Tilburg University

Prof. dr. ir. C.T.A.M. de Laat
University of Amsterdam

Prof. Dr. Tanja Lange
Technische Universiteit Eindhoven

Michiel Leenaars
Director of Strategy NLnet Foundation

Rachel Marbus

Dr. Veelasha Moonsamy
Universiteit Utrecht

Adriana Nugter

Dr. Andreas Peter
Universiteit Twente

dr. Jean Popma
Radboud Universiteit Nijmegen

Prof. Dr. Aiko Pras
Universiteit Twente

Dr.ir. Rick van Rein
OpenFortress B.V.

Dr. Melanie R. Rieback
Radically Open Security B.V.

dr. ir. Roland van Rijswijk-Deij
Universiteit Twente

Dr. Christian Schaffner
Universiteit van Amsterdam

Dr. Peter Schwabe
Radboud Universiteit Nijmegen

Dr. Boris Skoric
Technische Universiteit Eindhoven

Prof. dr. Jan M. Smits
Technische Universiteit Eindhoven

Rogier Spoor
Honeypot programm, TCC

dr. Marco Spruit
Universiteit Utrecht

Dr. Erik Tews
Universiteit Twente

ing. Hans Van de Looy RCX
UNICORN Security

dr. Benne de Weger
Technische Universiteit Eindhoven

Dr. Philip R. Zimmermann
TU Delft Cybersecurity Group

Contact

For press inquiries contact us at press@veiligheid-en-de-wiv.nl.

We accepted co-signatories via add-me@veiligheid-en-de-wiv.nl. This section is now closed.

Co-signatories

Joost Rijneveld
Radboud Universiteit Nijmegen

Dr. Freek Verbeek
Virginia Polytechnic Institute and State University

Mischa Rick van Geelen
Beveiligingsonderzoeker bij het NFIR

J.N. Lancel
Fast Forward Society

ir. Arnoud Zwemmer
Universiteit van Amsterdam

Paul Oranje

Olaf M. Kolkman

Evert de Pender

Benoît Viguier MRes.
Radboud Universiteit Nijmegen

Shazade Jameson, MSc.
TILT, Tilburg University

mr.drs. Paulan Korenhof
Hogeschool van Amsterdam

Bas Westerbaan
Radboud Universiteit

Brenno de Winter
zelfstandig beveiligingsexpert en hacker

Frank Terpoorten
Edam

Mr. Peter van Schelven
Docent Privacyrecht

ing. Michiel Steltman
Directeur Stichting DINL

Richard Lamb, MSc
TrendWatcher.com // Future Expertise Center

Ahmed Aarad
Open Source & Overheid

Gerke Pekema

Ir. Daan Koot
Adviseur privacy en informatiebeveiliging
Safeharbour B.V.

Arjen Kamphuis
Technology & Security Director
Pretty Good Knowledge BV

Dr. Anna Krasnova
Radboud Universiteit

Niels van der Weide
Radboud Universiteit

Dr. Mirko Tobias Schäfer
Projectleider Utrecht Data School
Universiteit Utrecht

Ronald Kingma, CISSP
Access42, Security Specialist

Ir. Guido van Rooij

dr. Bernard van Gastel
Open Universiteit

Vera Taihuttu

Dick Engelgeer

Prof. dr. ir. Bart Preneel
KU Leuven

LLM Sascha van Schendel
Tilburg University

Adrianus Warmenhoven

Menso Heus
Technology Officer, Free Press Unlimited

Bart B. Willemsen

Drs. H. Mulders, MSc
Functionaris Gegevensbescherming sinds 2003
Voor gemeenten en private instellingen
Oud secretaris NGFG
Directeur Privacy Expertise

Prof. dr. Joris van Hoboken
Vrije Universiteit Brussel & Universiteit van Amsterdam

Dr. Sietse Ringers
Radboud Universiteit

Gustavo Banegas
Technische Universiteit Eindhoven

J. Kirk Wiebe
former NSA Senior Intelligence Analyst and NSA Whistleblower

Gerard Freriks, niet praktiserend arts
Mede-auteur NEN7510 Informatiebeveiliging in de Zorg

dr.ir. Jeroen Keiren
Open Universiteit

Dr. ir. Harrie Passier
Open Universiteit

Dr Nadezhda Purtova
Tilburg University

Dr. Kristina Irion
Institute for Information Law
University of Amsterdam

Martijn Terpstra, MSc

Dr. Frederik Zuiderveen Borgesius
researcher at the Vrije Universiteit Brussels, and at the University of Amsterdam

Stanislav Plotnikov

Jacob Appelbaum
Technische Universiteit Eindhoven

Prof. dr. Tom M. van Engers
Professor in Legal Knowledge Management
University of Amsterdam/Faculty of Law

Wouter van Rooij
Onepoint NL

Dr. ing. Sven Kiljan

Vladimir Bondarev, B.Eng
R&D SW Designer

Henk Bouman
Information Security Management student

Mara Paun, LLM
Tilburg University

Claudia Quelle
Tilburg Insitute for Law, Technology and Society (TILT)

Ancilla van de Leest
Privacy Expert Startpage.com

Tom Bakker
Zelfstandig Information Security professional

William Binney
a former Technical Director at NSA

Prof.dr. Jos de Mul
Hoogleraar Wijsgerige Antropologie
Erasmus Universiteit Rotterdam

Anton Tomas

Ir. Lex Borger

Ir. Christine van Vredendaal
Technische Universiteit Eindhoven

Dr. Matthijs Pontier
Piratenpartij

ing. Vincent S. Breider
Security Advisor, Ethical Hacker
ITsec Security Services bv.

ing. Edwin Gozeling
Advisor, Ethical Hacker
ITsec Security Services bv.

Prof. Dr. Sandro Etale
Technische Universiteit Eindhoven

Elena Plotnikova
onderneemster

Pete Herzog
ISECOM - Institute for Security and Open Methodologies

Johan den Hartog
Security Specialist

Ir. Erik-Jan Bos
JIB Consult BV

Tineke Belder
10 Training & Coaching

Dr. Marijn Pool
Eigenaar MPMD

Dr. Gjenna Stippel

Nico Pattinasarany

Aris Lambrianidis

Hans-Peter Ligthart

ing. Dennis van Warmerdam
Advisor, Ethical Hacker
ITsec Security Services bv.

Gerdriaan Mulder
Limesco B.V.
Radboud Universiteit Nijmegen


Version: Last changed 2018.03.21. First version 2018.03.17.