Pitting security vs. privacy is asking the wrong question

Does a "no" vote against the Law on the intelligence and security services (Wet op de inlichtingen- en veiligheidsdiensten, Wiv) make our society less secure? Proponents of the new law answer "yes" without any reservations. However, we, researchers in cyber security, computer scientists and security professionals, are skeptical of that claim.

We think that the public debate about the new law is framed too simply: security vs. privacy. If you are in favor of security, you vote "yes"; if you consider privacy more important, you vote "no". That the new law itself introduces security risks does not fit into this narrow framing, but it is nevertheless the case. These risks have to be taken into account in the debate and need to translate into suitable safeguards in the law.

The first security problem is the extended hacking powers, which authorize the agencies to break into devices and networks using unknown vulnerabilities. There is no requirement to report these vulnerabilities to the producers and developers of the devices or the software. By not reporting them, not only does the target of surveillance remain vulnerable, but so do countless people in the Netherlands and abroad. There is a real chance that others will use the same vulnerabilities for different purposes. Cyber criminals and more dubious intelligence agencies may either find the vulnerabilities themselves or break into the agency's database to steal this information. The multi-day cyber attack on the container terminal in the Rotterdam harbor used a vulnerability that was reportedly stolen from the NSA. Not reporting vulnerabilities runs the risk of causing serious economic damage. The agencies cannot reconcile this with their mission to provide security.

The government's use of a vulnerability can also introduce new vulnerabilities, as was the case with the German Bundestrojaner. This security risk is amplified by a new power granted in the Wiv: the government may hack a third party who (unknowingly) is connected to the target, e.g., by being the system administrator or otherwise "technically related". This means that people in security-critical positions will be kept vulnerable, or even made more vulnerable, exposing the system to other attackers.

The second security problem is related to bulk interception, the power that gave the new law its nickname: dragnet surveillance law (de sleepwet). Collecting data in bulk from cables requires adding taps to the network. In cyber security, any interception point creates another potential vulnerability. How can we be sure that hackers will not make use of the taps? In addition, the storage of data intercepted in bulk brings severe security risks, because the troves of data are a gold mine for agents from other services and for cyber criminals. What level of guarantees can the Dutch services offer that this data will not leak? The threat of data leaks becomes more severe as the new law permits sharing the bulk data, including "bycatch", with foreign agencies, even without first checking the contents. The Netherlands has cooperation agreements with, among others, the British and the Americans. Both of these countries have a rich history of government data breaches. Sharing data with these countries is thus not without security risks for the Netherlands.

In addition, more and more communication is successfully encrypted and its metadata masked, especially by criminals and (potential) terrorists. This causes the dragnet to fill with data of random citizens and gives the government an incentive to forbid security technologies such as VPNs and end-to-end encryption. We already see this happening in China. However, these technologies are highly important for a secure Internet, and forbidding them leads to grave security risks for society and the economy.

The third security risk is the loss of control once foreign agencies use the shared bulk data. Stored data, whether suspicious or not, can be shared with foreign agencies without first checking the contents. Abuse by foreign agencies for their own benefit is no exception in the world of spies. For example, the German agency BND offered database access to the US agency NSA in connection with the fight against terrorism. However, it later turned out that this access was abused by the Americans to conduct industrial espionage against their host, Germany. Neither the new review committee (TIB) nor the oversight committee (CTIVD) can control what happens with our data outside the Dutch borders. This security risk deserves a place in the debate.

So far we have mentioned a number of security threats that come with the new law. There are also strong indications that the usefulness and necessity of bulk collection in the fight against terrorism are being exaggerated by the supporters of the Wiv. Analyses show that untargeted bulk collection and automated (meta-)analysis of the data are not the most suitable means to stop terrorism. Not only does it offer no means to detect the so-called lone wolves, it also turns out that attackers are typically already known to the secret services. Traditional and targeted interception powers, which the Dutch secret services already have, should be sufficient to focus on such targets. The New America Foundation performed research into the effectiveness of bulk collection in more than 200 legal investigations into terror suspects in the U.S., and concluded that the typical starting point for the investigations was traditional investigative powers, such as the use of informants, tip-offs by local communities, and targeted surveillance operations.

Even the Anderson review gives reason to remain skeptical about the necessity of this very invasive means in the fight against terrorism. Supporters of the law often cite this report because it is supposed to demonstrate the usefulness of bulk collection by the British secret services. In the end it turned out that, out of the 5 anti-terror investigations that the agencies themselves had presented as examples of success, the dragnet was used mostly where the eventual targets were already part of an existing terror network and had contact with known targets, which means that targeted taps would have given the same result. The necessity of bulk interception is, at the very least, debatable.

In its quest for security, the Dutch government created the security risks described above. These must be included in the debate, which unfortunately is more complicated than simply privacy vs. security. If only it were this simple.

Back to the Dutch version.

Initial signatories

Dr. Greg Alpar

Open Universiteit & Radboud Universiteit

Jaya Baloo

Erwin Bleumink

SURF

Prof.dr.ir. Herbert Bos

Vrije Universiteit Amsterdam

Stoffel Bos

Dr. Fabian van den Broek

Open University

Prof. dr. Marko van Eekelen

Open Universiteit & Radboud Universiteit

Sacha van Geffen

Director, Greenhost

Simon Hania

Dr. Jaap-Henk Hoepman

Radboud Universiteit Nijmegen

Dr. Andreas Hülsing

Technische Universiteit Eindhoven

dr. Slinger Jansen

Universiteit Utrecht

Dr. Ir. Hugo Jonker

Open Universiteit

LLM Merel Koning

Radboud Universiteit Nijmegen

Prof. dr. Bert-Jaap Koops

Tilburg University

dr.ing. Matthijs Koot

Secura B.V. & Universiteit Amsterdam

prof. dr. Eleni Kosta

Tilburg University

Prof. dr. ir. C.T.A.M. de Laat

University of Amsterdam

Prof. Dr. Tanja Lange

Technische Universiteit Eindhoven

Michiel Leenaars

Director of Strategy NLnet Foundation

Rachel Marbus

Dr. Veelasha Moonsamy

Universiteit Utrecht

Adriana Nugter

Dr. Andreas Peter

Universiteit Twente

dr. Jean Popma

Radboud Universiteit Nijmegen

Prof. Dr. Aiko Pras

Universiteit Twente

Dr.ir. Rick van Rein

OpenFortress B.V.

Dr. Melanie R. Rieback

Radically Open Security B.V.

dr. ir. Roland van Rijswijk-Deij

Universiteit Twente

Dr. Christian Schaffner

Universiteit van Amsterdam

Dr. Peter Schwabe

Radboud Universiteit Nijmegen

Dr. Boris Skoric

Technische Universiteit Eindhoven

Prof. dr. Jan M. Smits

Technische Universiteit Eindhoven

Rogier Spoor

Honeypot programme, TCC

dr. Marco Spruit

Universiteit Utrecht

Dr. Erik Tews

Universiteit Twente

ing. Hans Van de Looy RCX

UNICORN Security

dr. Benne de Weger

Technische Universiteit Eindhoven

Dr. Philip R. Zimmermann

TU Delft Cybersecurity Group

Contact

For press inquiries contact us at press@veiligheid-en-de-wiv.nl.

We accepted co-signatories via add-me@veiligheid-en-de-wiv.nl. This section is now closed.

Co-signatories

Joost Rijneveld

Radboud Universiteit Nijmegen

Dr. Freek Verbeek

Virginia Polytechnic Institute and State University

Mischa Rick van Geelen

Security researcher at NFIR

J.N. Lancel

Fast Forward Society

ir. Arnoud Zwemmer

Universiteit van Amsterdam

Paul Oranje

Olaf M. Kolkman

Evert de Pender

Benoît Viguier MRes.

Radboud Universiteit Nijmegen

Shazade Jameson, MSc.

TILT, Tilburg University

mr.drs. Paulan Korenhof

Hogeschool van Amsterdam

Bas Westerbaan

Radboud Universiteit

Brenno de Winter

independent security expert and hacker

Frank Terpoorten

Edam

Mr. Peter van Schelven

Lecturer in Privacy Law

ing. Michiel Steltman

Director, Stichting DINL

Richard Lamb, MSc

TrendWatcher.com // Future Expertise Center

Ahmed Aarad

Open Source & Overheid

Gerke Pekema

Ir. Daan Koot

Privacy and information security adviser

Safeharbour B.V.

Arjen Kamphuis

Technology & Security Director

Pretty Good Knowledge BV

Dr. Anna Krasnova

Radboud Universiteit

Niels van der Weide

Radboud Universiteit

Dr. Mirko Tobias Schäfer

Project leader, Utrecht Data School

Universiteit Utrecht

Ronald Kingma, CISSP

Access42, Security Specialist

Ir. Guido van Rooij

dr. Bernard van Gastel

Open Universiteit

Vera Taihuttu

Dick Engelgeer

Prof. dr. ir. Bart Preneel

KU Leuven

LLM Sascha van Schendel

Tilburg University

Adrianus Warmenhoven

Menso Heus

Technology Officer, Free Press Unlimited

Bart B. Willemsen

Drs. H. Mulders, MSc

Data Protection Officer since 2003

For municipalities and private institutions

Former secretary of NGFG

Director, Privacy Expertise

Prof. dr. Joris van Hoboken

Vrije Universiteit Brussel & Universiteit van Amsterdam

Dr. Sietse Ringers

Radboud Universiteit

Gustavo Banegas

Technische Universiteit Eindhoven

J. Kirk Wiebe

former NSA Senior Intelligence Analyst and NSA Whistleblower

Gerard Freriks, non-practising physician

Co-author of NEN 7510 Information Security in Healthcare

dr.ir. Jeroen Keiren

Open Universiteit

Dr. ir. Harrie Passier

Open Universiteit

Dr Nadezhda Purtova

Tilburg University

Dr. Kristina Irion

Institute for Information Law

University of Amsterdam

Martijn Terpstra, MSc

Dr. Frederik Zuiderveen Borgesius

researcher at the Vrije Universiteit Brussels, and at the University of Amsterdam

Stanislav Plotnikov

Jacob Appelbaum

Technische Universiteit Eindhoven

Prof. dr. Tom M. van Engers

Professor in Legal Knowledge Management

University of Amsterdam/Faculty of Law

Wouter van Rooij

Onepoint NL

Dr. ing. Sven Kiljan

Vladimir Bondarev, B.Eng

R&D SW Designer

Henk Bouman

Information Security Management student

Mara Paun, LLM

Tilburg University

Claudia Quelle

Tilburg Institute for Law, Technology and Society (TILT)

Ancilla van de Leest

Privacy Expert Startpage.com

Tom Bakker

Independent Information Security professional

William Binney

a former Technical Director at NSA

Prof.dr. Jos de Mul

Professor of Philosophical Anthropology

Erasmus Universiteit Rotterdam

Anton Tomas

Ir. Lex Borger

Ir. Christine van Vredendaal

Technische Universiteit Eindhoven

Dr. Matthijs Pontier

Piratenpartij

ing. Vincent S. Breider

Security Advisor, Ethical Hacker

ITsec Security Services bv.

ing. Edwin Gozeling

Advisor, Ethical Hacker

ITsec Security Services bv.

Prof. Dr. Sandro Etale

Technische Universiteit Eindhoven

Elena Plotnikova

entrepreneur

Pete Herzog

ISECOM - Institute for Security and Open Methodologies

Johan den Hartog

Security Specialist

Ir. Erik-Jan Bos

JIB Consult BV

Tineke Belder

10 Training & Coaching

Dr. Marijn Pool

Owner, MPMD

Dr. Gjenna Stippel

Nico Pattinasarany

Aris Lambrianidis

Hans-Peter Ligthart

ing. Dennis van Warmerdam

Advisor, Ethical Hacker

ITsec Security Services bv.

Gerdriaan Mulder

Limesco B.V.

Radboud Universiteit Nijmegen

Version: Last changed 2018.03.21. First version 2018.03.17.