Intelligence services AIVD and MIVD violate the law by storing data of citizens that are not the subject of investigation for a long time. That is the conclusion of the intelligence watchdog, the Commission of Supervision of the Intelligence and Security Services (CTIVD). The data must be deleted.
This is not about what critics call the ‘dragnet’, with which the intelligence services can retrieve data from many people at the same time via untargeted internet taps. Instead, it concerns large amounts of private data that the service receives via, for example, a hack. The privacy impact of such a ‘bulk dataset’ can be comparable or even greater than with an internet tap.
For example, an intelligence service could hack a telecom provider to get the bills of all customers, and then retrieve the call history of possible terrorists. A mail provider could also be cracked. It is not known what kind of data is involved; it can concern both Dutch and foreigners.
“The law states that these data may be kept for a year and a half, but they have kept them much longer,” said Addie Stehouwer, who is responsible for the complaints at the CTIVD. “That includes data that they know will never be relevant.”
Binding
The verdict comes after a complaint from Bits of Freedom. It is not the first time that the regulator has warned about this, but now the judgment is binding. “We are very happy with the ruling, and that this data must now be destroyed,” said Lotte Houwing of Bits of Freedom.
The fact that the data now really has to be deleted is due to an inconsistency in the Intelligence Act. If the CTIVD conducts its own investigation, the supervisor can only issue advice. In principle, the cabinet and parliament do not have to do anything about it. However, if someone submits a complaint, the supervisor can impose a binding judgment.
“We filed our complaint because the services broke the law, but the ministers did nothing about it,” says Houwing. “It’s problematic that this is happening and that our surveillance system is incapable of solving it on its own.”
One and a half year
According to the regulator, the intelligence services store the data of ‘innocent’ citizens for far too long if they get their hands on a bulk dataset. The services have a year and a half to extract the interesting data from such a dataset and then the rest has to be thrown away, but that doesn’t happen: instead all or a large part of it is kept.
In practice, it turns out to be impracticable to assess gigantic data sets within the legal term of one year to one and a half years. That is why the services label datasets in their entirety as ‘relevant’; according to that logic, all data could be kept, even if it still contained data from citizens that are not relevant at all for an investigation.
The CTIVD is not warning for the first time that the law does not allow this at all. Already in 2019 wrote the CTIVD that the way the giant datasets are handled is wrong. In 2020, the services again received a slap on the wrist, and the CTIVD ruled that a number of datasets had to be destroyed. Then that didn’t happen.
Goat path
The Ministers of the Interior and Defense did come up with a legal goat path to let the services continue to work with the datasets, because they would be so important. But not only did the services not adhere to the conditions of that goat path, the goat path is no good either, writes the CTIVD.
The regulator further investigated five datasets, and in those cases the AIVD and the MIVD were also unable to clearly demonstrate how useful the datasets were for the investigation. AIVD employees also had much easier access to datasets than was intended.
Shipped surveillance
The tapping is also under a magnifying glass. Earlier, the CTIVD announced that it would closely monitor large-scale wiretapping. Since that stricter supervision, the services have broken the law again: they tapped more than they were authorized to do, wrote the CTIVD to the House last Friday.
Meantime wil the government will temporarily give the intelligence services more powers in investigations into digital threats. In addition, the services may also more easily search and tap in bulk datasets, wrote de Volkskrant, who has seen the law.
The AIVD and MIVD could not be reached for comment.
–