Euro-IR Project Main Index

The APC European Internet Rights Project

Country Report — Netherlands

By Jelle van Buuren (2001)

1. Availability of Internet access

In The Netherlands, the Internet market has developed fast. This year 44% of the Dutch have Internet acces. Almost as many women as men have Internet access.

On the Dutch Internet market some 80 providers are active. Most ISP’s offer acces through the telephone network or cable. Only a few ISP’s offer both ways of access. Most cable and telephone companies have Internet daughter companies to offer the Internet access.

The costs of Internet access are partly composed of subscription fees, and partly of local telephone tarifs (pay per minute). Subscription fees are 5 to 30 Euro. Flat rate subscription is possible with cable access (25 to 50 Euro a month) and xDSL access (50 Euro a month or more). Free Internet access is also possible.

The telephone and the cable infrastructure in the Netherlands is highly developed and covers more than 90% of the country. There has been a spectacular rise in the use of mobile phones. But due to the high costs of aquiring UMTS-licenses, mobile internet services are lacking behind.

The Dutch government sees it as her responsibility to provide a good telecommunication and Internet infrastructure, provide good ICT-education and to stimulate the IT-aspects of Dutch economy. The Netherlands have the ambition to become an IT-based economy.

According to a survey of ICD, the Dutch are the forerunners in Europe on e-commerce.

The Netherlands’ booming economy, solid telecommunications infrastructure and multilingual, technophilic population are usually named as the factors that are beneficient to the Dutch position.

There is however some concern on the vulnurability of Dutch Internet infrastructure. A study by TNO and Stratix ,’Vulnerability of the Internet’[1], says the Dutch Internet is extremely vulnerable. A master plan is needed to safeguard the governmental and economical interests of the Netherlands. ‘Internet can go wrong on many places,’ the report states. ‘The security and reliability of parts of the Dutch Internet infrastructure are sometimes shocking bad. There is a clear need for a master plan to enhance the security.’

2. E-governement

Dutch governement is further considering the development of e-governement. This ranges from better availability of governemental information on Internet, to on-line registration for licenses and electronic voting.

A Dutch commission also proposed to give each Dutch citizen a so called digital safe deposit, which contains its personal data. In the digital safe-deposit not only personal data from the register of population should be stored, but citizens can also choose to store financial or medical information.[2] The register of population holds on every Dutch citizen about two hundred personal data, like name, date and place of birth, tax number, partners, children and other parts of the ‘administrative course of life’.

The police, tax office, pension funds and other organisations which are allowed to access these personal data should get a interface for direct access to the digital safe-deposits. The commission thinks this will discourage fraudulent behaviour.

But the Commission also proposes Dutch citizens get the possibility to store other information in their digital safe-deposit, like medical and financial information. Citizens can decide whom they will give access to these information. The digital safe-deposit should be located at the web sites of the municipalities. For the protection of the safe-deposits the commission suggests to give each Dutch citizen an electronic identity card with biometrics information.

Citizens who are not on-line should get access to their digital safe-deposit through public terminals at the municipal hall.

The Commission thinks the introduction of the system will give a boost to the digitalisation of Dutch society. New developments like electronic commerce and payment systems for driving have a clear need for the availability of reliable personal data that easily can be transferred and checked.

3. Freedom of speech and confidentiality of communication

The Dutch Constitution grants citizens an explict right of freedom of expression and a right on confidential communication. The Dutch government has proposed changes in the Constitution to make sure that also e-mail and other forms of digital communication will fall under the scope of the Constitution.[3] A breach of this confidentiality is only allowed under specific circumstances, for instance the interception of communication by the law enforcement authorities. A court order is needed every time the police want to intercept communication.

According the Dutch privacy watchdog De Registratiekamer[4] however, traffic data of Internet and telephone communications should also fall under the scope of the constitutional right of confidential communication. It points at a ruling of the European Court of Human Rights in Strasbourg that stipulated in 1984 that the dialling of a phone number is an integral part of a phone conversation. The provision of traffic data to the police without a proper court order therefore was a violation of article 8 of the European Convention on Human Rights, according to the court.

The Registratiekamer states the right of confidential communication should enclose the content of communication as well as the ‘in many occasions equal important data on who called when and where with whom’. If freedom and confidentiality of communication only means the government is restricted in its powers to listen in to the content of the communication, but gives wide powers to monitor the traffic data, than ‘the protection of the right of confidential communication is not properly assured’. The Registratiekamer states this is even more the case as traffic data will become more and more available in the telecommunication infrastructure of the digital area. ‘The issue at stake is not if traffic data can reveal much about persons, the point is that communication channels cannot be used confidential when the state is able to monitor this use in detail.’

Dutch governement refuses this claim. In a letter to Dutch parliament it wrote that traffic data schould be protected, but not at the same level as the content of communication.[5] Besides that, the governement fears that a higher level of protection would interfere with the prosecution of criminal acts. ‘If every time the police wants to have access to traffic data a court order is needed, the situation will be unworkable,’ the government states.

Dutch Parliament also asked why there was no proposal to include a ‘right on anonimity’ in the Constituion. According to the governement however, the starting point in a society should be ‘knowability’. For reasons of law enforcement and the fulfilment of contracts, means of identification are necessary, both in the ‘real world’ as in the digital world.

Besides that, a right of anonimity would require a huge amount of regulation to limit the right on anonimity in concrete cases. The government acknowledges there can be the need for anonimity in certain circumstances, but doesn’t think it must ne a constitutional right.

The governement also refuses a constitutional right on encryption. The parliament thinks citizens should have the constitutional right to encrypt there communications, in the ligt of the high interception potential. The governement however fears this could led to the suggestion that only encrypted communication is confidential.

Besides that the governement thinks Dutch citizens are well protected against interception, which is only allowed under certain circumstances regulated in Dutch law. This will give no protection against cross border interception, the government admits. For that kind of protection, international laws are required.

The constitutional protection of freedom of speech also means there is no censorship. This also is the rule for Internet. Illegal forms of expression, like racism, can only be prosecuted afterwards.

4. Criminal law

In recent years several changes in legislation have been proposed, all of which were intended to adapt the Dutch criminal code to the cyberworld.

In 1985, the Minister of Justice established the Commission for Computer Criminality. The commission, led by professor H. Franken, published a report entitled “Information technology and criminal law”, which formed the basis of the Computer Criminality Act that came into force in 1993. The proposed legislation closely followed the recommendations of OESO and the Council of Europe.

The Computer Criminality Act made illegal access to computers, virus spreading, the destruction of information, unauthorised interception and falsification of bankcards illegal. The instruments for criminal proceedings were increased with the authority to intercept all exchanges of information (including fax and e-mail), and permission to search any computers present in a house that is being searched. The decryption of encrypted material was also made compulsory. This obligation does not apply to suspects but to people whom can be “reasonably assumed” to be in possession of the keys, like, for example, network managers.

The Computer Criminality bill II, that now is under parliamentary deliberation, also outlines what the police are allowed to do on the Internet.[6] Agents are allowed to surf around freely on the Internet, just like ordinary citizens, and do not have to identify themselves as being police officers. They are also allowed to download information and save it temporarily in a register.

It is a different case if investigative activities are carried out that would constitute a violation of civil rights and the individual’s privacy.

In this respect, the “Special Investigative Powers Act” is important. This was drawn up by the government in response to an inquiry into a series of scandals on unauthorised police investigations in order to give what the police had been doing without authorisation a legal basis.[7] This legislation contains a number of specific regulations concerning the Internet. It allows the police to infiltrate newsgroups and to systematically gather information about people (in a newsgroup, for example). Pseudo-purchasing and service providing (front stores) on the Internet are also permitted, as are “scouting” research, or so-called pro-active investigation on the Internet. The latter concerns investigating “a group of people, in order to determine how crimes that seriously affect public order are devised and executed”. According to the bill it would be “conceivable” to subject certain sections of the Internet community to such exploratory investigation.

The “Special Investigative Powers Act” also gives the police the authority to directly bug suspects; to place microphones in their houses or elsewhere in order to record conversations directly. The government has stated explicitly that among other things, this aims to circumvent encryption. “The recording of confidential communications is particularly important in those situations where suspects use encrypted mail. Among other things, in certain circumstances, this power allows the placing of a bug in the keyboard of a computer in an office, so that confidential messages can be intercepted before they are encrypted.”[8]

The introduction to the Special Investigative Powers bill also pointed out the dangers of encryption. “Technological developments necessitate authorisation for direct interception. Now and certainly in the future, these technological developments will make it possible to communicate beyond the range of the police and law enforcement. The availability of powerful cryptography is one example. The proposed authorisation can, to a certain degree, compensate for the decreasing possibilities to intercept communication.”[9]

It is not clear if this legitimises the use of TEMPEST, the interception of screens. The Special Investigative Powers Act does not mention Tempest, or the determination of screen radiation. According to Bert-Jaap Koops, a university specialist on information law, this is not permitted. Special investigative powers and methods must be formulated explicitly and precisely, and this places Tempest outside the police’s arsenal.[10] The question is whether the police would agree. A parliamentary inquiry commission (IRT-enquête) set up after a series of scandals concerning unauthorised police investigations showed that the police followed the opposite line of reasoning; if the law does not state explicitly that approval is necessary for a method, than it is not necessary to ask for sanctioning. Time will tell whether or not the Dutch police, under pressure from the IRT affair and the resulting recommendations for special investigative powers now follow another paradigm.

The Central Investigative Unit CRI and the Forensic Institute have developed specific computer expertise. The Forensic Institute is the leading expert in the Netherlands on cryptography and continues to develop its expertise. The institute has, for example, designed a program that can crack electronic agendas. This software is not only included in the briefcases of every police computer specialist, but has become an important export product of the Dutch police. The police can crack many “ordinary” security systems and cryptography, including those in Word or Excel from Windows in next to no time. The Forensic Institute works closely on cryptography with Dutch intelligence and the Military Intelligence Service.[11]

The police corps has seven interregional centres for digital expertise that helps investigations that involve information technology. The CRI has since established a special unit of “cybercops”, who actively search the Internet for criminal activities. “We search in teams for specific subjects like child pornography, drug smuggling, people smuggling, false passports, fraud or trade in stolen objects”, declared team leader Richard Vriesde.[12]

5. illegal content

Dutch Internet Service Providers are not liable for illegal content. There is no obligation to censor their networks or to check the content of websites or e-mail in advance. However, if the police or others point at the existence of illegal content, and ISP’s refuse to remove the illegal content, they breach the law and are liable.

Dutch ISP’s have cooperated in the grounding of information points, where people can report illegal content. After checking if it is indeed illegal content, the information point and the ISP will take action.

6. Privacy

According to a report of the official Dutch privacy watchdog, the Registratiekamer, most of the Dutch Internet service providers violate privacy laws. An investigation of 60 providers revealed that internet service providers ask their clients all kinds of information, that isn’t of any use for the opening of an internet account, like education, income, family situation and personal preferences. The Dutch privacy watchdog states that providers only have the need for information on the name and adress of new clients.

The Dutch providers also fail in informing their clients of the right of access to the personal information the provider is saving. The privacy watchdog further critices the refusal of providers to take legal responsibility for the privacy protection.

The general conditions for opening an account are vague and not clear, according to the Registratiekamer. The consumer therefore run the risk of permitting unintentional the use of his personal details and internet behaviour for commercial purposes. De little letters of the general conditions sometimes give the provider the right to save and store the traffic data. Dutch privacy laws forbid the use and selling of personal details for other purposes than necessary for operational management.

7. Cooperation with law enforcement

Dutch internet providers made in 1998 a deal with the Public Prosecutor about the provision of confidential client information in the case of cybercrime investigations. A Dutch researcher spoke with seven internet providers on a confidential base. It turned out that the organisation of Dutch internet providers NLIP, that represents 60 Dutch providers, closed a deal with the Public Prosecutor in 1998 to cooperate voluntary in providing confidential client information. The Dutch Public Prosecutor can force providers to cooperate, but this is by law limited to specific cases and circumstances. The law enforcement authorities found these requirements to restrictive, and made a deal with te providers on voluntary cooperation.

According to the deal, providers give the name, adress, residence of their clients, and information on their use of internet if requested by the public prosecutor, on the condition the client is accused of a crime that can be punished with at least four years of imprisonment.

According to the researcher this is inconsistent with Dutch privacy law. The privacy law states that if a company wants to provide on a voluntary base confidential personal information, it has to consider carefully if there are ‘important and urgent’ reasons to do so. They have the legal liability to do so and a client can ask a court to rule if the consideration made by a company was justified. The internet providers however don’t make this assesment, but leave it to the public prosecutor.

The study showed this wasn’t the only way Dutch providers are assisting law enforcement on a voluntary base. For instance, one provider saved for a long time logfiles of a client, when asked by the police. Two other providers continued accounts of clients they orginally wanted to close, because they were used for the distribution of child pornography. The law enforcement authorities asked for this to be able to investigate the case further. In another cited case, the provider first made a copy of a website, before closing down the account. Also, a provider gave website material, that was secured by a password, to law enforcement.

Police officers interviewed in the study stated the deal with the Dutch providers isn’t going far enough. They find the limitation to crimes punishable with four years or more too restrictive. Also, they want to be able to ask themselves providers to cooperate, instead of the public prosecutor.

Dutch providers are not legally required to save information on their clients and their internet behaviour. However, all providers keep information on the name, adress and residence of their client, the study shows. In the case of free internet providers it is however unclear if these data are correct, because they don’t check it. According to the interviewed providers, the public prosecutor asks 12 to 15 times a year to provide these kind of client information.

The providers also save logfiles. Usually, they register the general IP-adress of the user, the beginning and ending of a internet session, and the date and login name. Providers can use these information to find out which client used their services on a specific date and time, and can reveil the identity of that client by comparing the information with the name and adress of users.

With the exeption of one free access provider, all providers also registrated the telephone number the clients used to get access. This Calling Line Identification (CLI) is transferred automatically by the telephone company whenever a connection is made. However, users can switch off their CLI-number and ask the telephonecompany not to transfer the number. But one provider, that is closelly linked with a telephone company, told that telephone companies can always trace down the CLI of a user, because it is always registrated in the phone central itself.

Two providers also took measures against ‘spoofing’. In such a case, a user forges the IP-number that is in the header of email messages and changes the system time of the computer. If the police investigates these messages, all they have is a fake IP-number and a fake date and time, so it is merely impossible to trace the real user.

To prevent this, the providers use so called X-tracing. The computer of the providers automatically fill in the real IP-number of an user in the header, and the correct time and date. A client cannot prevent this. In this way, a message contains the fake IP-number, as wel as the correct IP-number.

According to the study, the Dutch providers legitimized their voluntary cooperation by saying they dind’t want give law enforcement ‘a hard time’.

After the secret deal hit the newspapers, the organisation of Dutch Internet providers NLIP hastily declared they had stopped recently the cooperation. The reason was a court decision in May 2000, when a judge ruled the provision of confidential client information was not lawfully. In the pending case, police searched the house of a suspect whose name, address and residence was given voluntary by an Internet provider.

The internet providers now fear they will be hold responsible for violation of the privacy of their client, which can led to claims for compensation.

The NLIP also claimed the number of requests for cooperation had exploded in the last years from between ten and fifty, to several hundreds.

The NLIP now advise the Dutch providers to only provide client information, when asked by an investigative judge with a court order. The NLIP says it is now waiting for new and clear legislation on the provision of client information and traffic information to the law enforcement.

Proposals for this new legislation came in 2001 from the commission Mevis. The commission advises to give police easier access to personal information of clients stored in company’s databases.[13] According to the commission, lead by Professor P. Mevis, the current investigative powers no longer satisfy the needs of the police in the information society. Privacy rules are often an obstacle, as are legal definitions, which are not adjusted to the digital developments. Companies don’t know what their obligations are. In many cases companies cooperate voluntary in providing confidential client information. But according to the commission Mevis, this situation is not acceptable for both parties.

The commission therefore proposes new investigative powers for the police. Police officers should, without the need of a legal order, get the power to ask personal information like name, address, living place, client number, bank account, access codes, and registration plate. The personal information does not have to belong to suspects; the police are authorised to ask this kind of information for a group of persons, to investigate networks and communications, and floods of money or goods. This is called pro-active investigation: the screening by police of whole groups of citizens to see if they can establish criminal patterns.

A whole range of companies will be forced to work with the police: telephone companies, Internet providers, lease companies, car rental companies, travelling agencies, flying companies, garages, real estate agencies, credit card companies, insurance companies, mortgagors, transport companies, banks, accountants, chemical industry, chambers of commerce, educational institutes, art houses, hospitals, hotels and jewellers.

Location data that will give information where persons or goods were on certain times, which for instance are stored by warehouses and super markets (bonus cards!), telephone companies, travel companies, credit card companies and banks, also have to be given to the police. For this kind of information a legal order by the public prosecutor is needed and there has to be the suspicion of a crime punishable by four years or more.

‘Sensitive information’, like information on political believes, race, health, sexual habits or membership of trade unions, can be demanded when there is a serious breach of the legal order.

The commission further proposes the power to ask for ‘future data’, so companies will be obliged to give every bit of new information they obtain in the future. Companies can also get the obligation to work up their registers or database to analyse or combine all bits of information.

8. Interception

The new Telecommunications Act that came into force on 15 December 1998 extended the compulsory obligation to intercept messages for telephone companies to include Internet service providers (IPS) and other telecom providers.[14]

Internet providers were granted temporary exemption from the mandatory installation of interception equipment, but were ordered to comply with all the regulations by August 2000.[15] The providers had not had enough time to prepare for the installation of the necessary equipment and besides, the technical, financial and judicial consequences were not entirely clear. The interception requirements laid down were a direct copy of the demands that had already been formulated in international treaties. Neither the providers nor the government knew how these demands were to be translated either practically or organisationally.

Later, the Dutch service providers were granted another year to resolve the problems. The new deadline was fixed at 15th April 2001.

In February of 2001 however, the Dutch providers announced the new deadline was unrealistic. They claim there were still no clear technical specifications for the way in which intercepted traffic has to be delivered to the police. Therefore manufacturers of Internet interception equipment couldn’t develop the proper installations. ‘This indistinctness has resulted in a lack of relevant offers from which Internet Service Providers can choose,’ stipulated the providers in a letter to the Ministry of Transport and Waterways.

They also pointed again at the differences between Dutch and European requirements for the interception of Internet traffic. ‘The Dutch government has chosen to implement the interception obligation at a time when the European interception standard still has to be completed. Most other European countries wait for that standard, before they compel their providers to make their systems interceptable.’

In May the Dutch ISP’s claimed they had reached a compromise with the government. The providers will ground a common organisation, which is going to manage the interception equipment. Within six to nine months the providers should be able to fulfil their interception obligations. According to the director of the Dutch organisation of Internet service providers NLIP, Hans Leemans, his organisation was told informally by governmental officials that they would accept the crossing of the official deadline.

Buying and managing together the interception equipment will reduce the costs of fulfilling the interception obligation. This was one of the main problems for Dutch Internet service providers. The providers claimed a third of the Internet providers were expected to face bankruptcy as a result of the high interception costs.

The interception equipment has three parts: a black box which makes the interception possible, a sniffer to trace e-mail and websurfing, and a box which encrypts the intercepted material and transmits it in a common format to the authorities. This last box is according to Leemans the most expensive part of the equipment.

Providers now will transmit the intercepted material to the common organisation, where the material is encrypted and transmitted to the authorities.

The common organisation will also check the legality of the interception orders and send them to the providers. In this way providers don’t have to check themselves each interception order.

9. Encryption

In the area of cryptography, a preliminary draft of a bill aiming to ban the use of encryption was introduced in March 1994. Anyone who could show that they had a legitimate reason to use cryptography was allowed to apply for a license. Concealed within the text was a clause making it compulsory to hand over the key to the authorities. The draft was withdrawn after a storm of protest from the legal world, the business community and privacy groups. For a long time afterwards, silence reigned on this subject.

In February 1998, the government gave the go ahead to cryptography in their memorandum “Legislation for the electronic highway”. “The use of cryptography will remain permissible.”[16]

The government’s reasons for this decision were the impossibility of controlling the availability of cryptographic products, the need of the business community for security and reliability, and the public’s need for privacy. However, the Minister of Justice continued to try to restrict the use of cryptography. The first versions of the Computer Criminality bill II included the obligation for a suspect to decode their files. After much criticism from the legal world, the Minister of Justice withdrew the proposal. The Computer Criminality bill II, which is now being discussed in parliament, does not oblige suspects to decode their files. There is, however, an obligation to decode for third parties, for example, telecom or Internet providers which codify data traffic themselves. The same applies to a Trusted Third party (TTP).

The obligation for a third party to cooperate with decoding messages nevertheless has far- reaching consequences. All encoded messages for which the provider has supplied the encryption can still be read. Personally encrypted communication is also no longer safe. As long as he himself is not suspect in the case, the police and law enforcement can simply approach the recipient of the encrypted message and demand that he decode the message.

According to secret documents revealed by the Dutch digital rights movement Bits of Freedom in May 2001, the governement is forcing TTP’s to use key recovery. The Dutch Ministries of Traffic and Waterways and Economical Affairs started in 1998 the national TTP project[17] to regulate in co-operation with industry the grounding of TTP’s.

In a policy paper of March 1999 the Ministries pointed at the need of ‘lawful access’ and announced that if voluntary agreements on this subject would not be possible, the government would come with legislation.

“If industry does not want to cooperate in an active way in the development of the possibility of lawful access, the government will consider legislative initiatives to fulfil the need of lawful access.”[18]

In a secret policy paper (January 2001) of the ‘Technical Working Group Lawful Access’, which is part of the National TTP Project, an analyse is made of the needs of intelligence services and law enforcement and the different forms of TTP’s.[19]

According to the document, law enforcement and intelligence services want to get access to the communication in ‘clear language’. They don’t want to get hold of the encryption keys, unless ‘it is the only way to get access to encrypted communication’. The agencies also want to listen in to encrypted communication in real time. Access has to be possible without the co-operation or knowledge of the user.

The Technical Working Party then analyses different forms of TTP architectures and concludes that only two types will make lawful access possible: when a TTP has a copy of the encryption key, or when the TTP is technical able to use key recovery. This is, according to the working party, a problem: ‘The question that has to be answered is if it is desirable that forms of TTP’s will exist that cannot fulfil the demands of the intelligence services and law enforcement.’

In the minutes[20] of the co-ordinating committee of the National TTP Project of March 2001, the question is formulated more strongly:

‘According to the law, TTP’s which do not posses encryption keys, are not obliged to co-operate. But the aim is to prevent TTP’s from claiming this position, by making it an obligation to organise their services in a way that makes lawful access possible.’

The coordinating committee recognises that TTP’s have problems with providing lawful access. It is doubtful if TTP’s are willing to give lawful access, as companies and consumers will have little faith in their services if they know the TTP is able to read their communications and deliver it to government. Companies have already indicated that the grounding of a good TTP infrastructure in the Netherlands is not possible if Dutch TTP’s are forced to give lawful access, while other TTP’s don’t have this obligation. Clients will take a foreign TTP.

But the Technical Working Party decided to recommend nevertheless that TTP’s must choose architecture, which make lawful access possible. It is called ‘obligatory self regulation’. They also recommend making a study to the economical impacts of this solution. If the study makes clear the obligation to give lawful access is economical not feasible, it may change the decision.

The companies, which are involved in the National TTP Project, were not amused. ‘What is the use of this exercise, if the technical working group has already decided that lawful access is one of the criteria TTP’s have to fulfil to get their certification,’ a member of the telco KPN asked according to the minutes.

But a representative of the Ministry of Economic Affairs assured it is still possible to change the recommendations. ‘If the study shows that Dutch consumers will choose foreign TTP’s as a result of this, the proposed recommendation is no longer effective.’ He adds that there is a huge clash of interest between the different ministries involved.

10. Dutch Intelligence

Obviously, the Dutch National Security Service BVD is allowed a broader range of powers and correspondingly, the possibilities to monitor their actions are much more restricted. The

Intelligence and Security Services bill [WIV][21] does not only give the BVD a new name (General Intelligence and Security Service AIVD), but also new powers, many of which concern interception.

The first bill for the new WIV gave the BVD permission to intercept, record and listen to all telecommunication. The latest amendment, which will be presented to parliament this spring, adds that besides intercepting, the BVD is also authorised to “receive”, that is to intercept telecommunications directly out of the ether (as the case of GSMs for example). The BVD is no longer dependant upon the willingness of operators to plug in a line, and could for example, set up its own parallel mobile network to intercept messages. This would also prevent any providers “leaking” information about what the BVD had been getting up to. Furthermore, the authorisation to decrypt encrypted messages is being extended. The first bill gave permission to decode messages using technical facilities, but the new bill extends this to permission to decode messages using any means necessary. The explanatory note states the following: “in practise, it appears that using technical aids is not the only way in which telecommunications can be decrypted”. This cryptic remark seems to refer to the unravelling of keywords by, for example, infiltrators who can look over shoulders or break into houses in search of that little piece of paper on which the keyword has been written down for safe keeping.

The AIVD will also be authorised to break into computers, or hack as it’s more commonly called. In this way, the intelligence services can steal data from a computer, or manipulate software, corrupt key words or leave a Trojan Horse behind that will give continual access which would make it unnecessary to decode encryption.

The largest step is taken in the newly added article 25a. This article grants permission to intercept international telecommunication that is not conducted via the cable lines and to go through these messages (search or scan) for information (about people, subjects or catch phrases) that might be of interest to the intelligence service. According to the explanatory notes, these kinds of investigations aim to allow the service to find out whether there is any interesting information for them between all these messages. They nonchalantly comment that it is inevitable that the content of these messages is viewed. ‘Searching is primarily a means of exploring communication with a view to determining the nature of the communication as well as the identity of the person or the organisation making the communication can be determined. The fact that the content of the message must hereby inevitably be viewed is an inevitable part of discovering who is sending the message and whether the communication concerns an individual or an organisation, which may deserve further attention. However, the “searching” does not aim to view the entire content of the telecommunication. It can, in a way, be compared to listening to telephone conversations to find out if the connection is working.’

As much international telecommunication is conducted via beam transmitters and satellites, it is clear that this article covers an equally large part of telecommunication. This boils down to an uncontrolled authorisation to eavesdrop upon and scan all forms of data communication not taking place via the cable. This could have an enormous impact upon Internet communications. Because a message sent onto the Internet chooses the quietest route and the gravitational centre of the Internet is in America, there is a large chance that e-mail sent within the Netherlands will choose an international route. This could also apply to telephones in the future. All these messages could be indiscriminately intercepted in the future.

The new powers awarded to the AIVD imply that they have access to the facilities of the Technical Information Processing Centre (TIVC) belonging to the Ministry of Defence. This interception centre, where intercepted communication is scanned and processed is in Kattenburg, Amsterdam.

Earlier versions of the law stated that the Minister of the Interior must give permission for the use of key words needed for scanning, but if this new bill were to become law, the minister would receive an information list once a year and the intelligence service would then be able to add words or combinations of words to the list as they saw fit.

The last substantial extension concerned the authority to save intercepted and received telecommunication. Previously, conversations that were irrelevant to the intelligence service had to be deleted immediately, but the new bill will give the services permission to save everything that they intercept for up to a year.

Furthermore, there is an interesting addition about encrypted messages. Encrypted messages can be saved until intelligence is able to decode them. The explanatory notes read as follows: “with respect to telecommunication that has not yet been decrypted, whenever the fact that it has been encrypted attracts the intelligence service’s interest, it is desirable to save this until it is possible to decrypt it”. After the material has been decoded, it can be kept for another year to see whether the information recovered can be of any use.

In addition, “anyone” considered capable of decoding the encryption is obliged to cooperate in doing so. Refusal to cooperate is punishable by a spell of up to two years in prison. Parliament raised questions on this point during the written procedure, but the government has as yet to give its answer. If the government’s answer states that “anyone” could also be a suspect, then this legislation is breach of fundamental rights, as has been explained in the previous chapter. It boils down to an order to cooperate with your own conviction and an inversion of the burden of evidence.

Since 1995 Dutch police forces and the intelligence agencies are working closely together in breaking crypto codes. That year the secret project ‘co-operation on the operational approach towards cryptographic issues’ started. Later, the co-operation was expanded to the interception of communications. This is revealed in documents obtained under the Dutch Freedom of Information Act.

The decision to create the formal co-operation was taken by the Ministerial Committee on the Intelligence and Security Agencies (MICIV). This Committee, chaired by the Prime Minister, decides on the general policy and co-ordination of Dutch Intelligence agencies. In the Cabinet meeting of 6 July 1995, a special budget was approved for the project.

In the beginning, the co-operation concentrated on cryptographic issues. In September 1996 it was decided to expand the project to “intensive co-operation in the field of interception”. For that, a ‘national interception centre’ was established. In 1997 the project was renamed on the request of the Ministry of Justice into the ‘project operational crypto and interception’ (OCI-project).

The target of the co-operation between the police and Intelligence is “to contribute to the investigation of crime and increase the state security”. The operational co-operation on the breaking of crypto codes and interception issues is the cornerstone of the OCI-project. Police and Intelligence are jointly researching the problems of interception and cryptography and the possible answers. For that, the agencies are searching the assistance of specialised companies and the academic world. Experts of the police and Intelligence are exchanging skills and knowledge. According to the terms of reference of the OCI-project, it has to “actively solve problems and promote coherence, harmony, co-operation and combination.”

Most of the requested documents on the OCI-project however were refused under the Freedom of Information Act, for instance a report on the co-operation in the field of interception, the complications which occurred and achieved operational results in the breaking of codes. Also the access to lists of decisions, recommendations and letters of ministries was refused. As reason for this refusal, the Ministry of Justice wrote: “it cannot be ruled out that criminals will be tuning in their activities on the governmental policy when the information you requested is made public.”

In the steering group that supervises the co-operation members of the departments of Justice and Foreign Affairs, de Dutch security service BDV, the police, the military intelligence agency MID, the Military police, the Economical inspection agency, the fiscal intelligence and investigation squad, the Office of the Public Prosecutor, the Council of Police Commissioners, the Department of Traffic and Waterways and the advisor of the national co-ordinator of the intelligence agencies are represented.

The real work is done in two working groups, the ‘working group operational approach to crypto issues’, and the ‘project group interception’. In these working groups members of the security service BVD, the military intelligence MID, the police and the Forensic Institute are working together. The Forensic Institute is the leading authority in the Netherlands in the breaking of cryptography. The general management of the OCI-project is in the hands of an external consultant from KPMG Management Consulting.

11. Additional Information

Internet rights groups:

1. Bits of Freedom

2. Bureau Jansen & Janssen

Critical Dutch Internet Service Provider:

1. xs4all

Official Dutch Privacy Watchdog:

1. De Registratiekamer

Research schools:

1. Computerrecht On line

2. Nationaal Programma Informatietechnologie en Recht

3. Platform voor ICT-professionals

4. The Dutch Privacy Page

Organisation of Dutch Internet Service Providers:





[3] Kamerstukken 2000-2001, 27460 nr. 1


[5] Kamerstukken 2000-2001, 27460 nr. 2

[6] Kamerstukken 1999-2000, 26671 nrs 1 en verder

[7] Kamerstukken 1996-1997, 25403 nrs 1 en verder

[8] Kamerstukken 1997-1998, 25880 nr. 1, Memorie van Toelichting bij Nota ‘Wetgeving voor de elektronische snelweg’

[9] Kamerstukken 1994-1995, 23047 nr. 3

[10] Bert-Jaap Koops, The Crypto Controversy, a key conflict in the information society, Kluwer Law International, The Hague 1998

[11] Annual Report of the Militairy Intelligence Service 1997

[12] Vrij Nederland, 22 december 2000


[14] Kamerstukken 1997-1998, 25533 nr. 1 en verder

[15] Staatssecretaris van Verkeer en Waterstaat, Beleidsregels voor het verlenen van uitstel voor de aftapverplichting van Internet Dienstaanbieders, DGTP/99/1170/Jd/, 3 mei 1999

[16] Nota ‘Wetgeving voor de elektronische snelweg’, Kamerstukken 1997-1998 25880 nr. 1





[21] Kamerstukken 1997-1998, 25877 nrs. 1 en verder

Euro-IR Project Main Index