Pitting security against privacy is asking the wrong question

Does a “no” vote against the Law for the intelligence and security services (Wet inlichten- en veiligheidsdiensten, Wiv) make our society less secure? Proponents of the new law answer “yes” without any reservations. However, we, researchers in cyber security, computer scientists and security professionals, are skeptical of their statement.

We think that the public debate about the new law is framed too simply: security vs. privacy. If you are in favor of security then you vote “yes”; if you consider privacy more important then you vote “no”. That the new law itself leads to security risks does not fit into this narrow framing, but is nevertheless the case. These risks have to be taken into account in the debate and need to translate into suitable considerations in the law.

The first security problem is the extended hacking powers, which authorize the agencies to break into devices and networks using unknown vulnerabilities. There is no requirement to report these vulnerabilities to the producers and developers of the devices or the software. When vulnerabilities are not reported, not only the target of surveillance remains vulnerable but also countless people in the Netherlands and abroad. There is a real chance that others will use the same vulnerabilities for different purposes. Cyber criminals and more dubious intelligence agencies may either find the vulnerabilities themselves or break into the agency’s database to steal this information. The multi-day cyber attack on the container terminal in the Rotterdam harbor used a vulnerability that was reportedly stolen from the NSA. Not reporting vulnerabilities runs the risk of causing serious economic damage. The agencies cannot reconcile this with their mission to provide security.

The government’s use of the vulnerability can also introduce new vulnerabilities, as was the case with the German Bundestrojaner. This security risk is amplified by the new competence given in the Wiv: the government can hack a third party who (unknowingly) is connected to the target, e.g., by being the system administrator or otherwise “technically related”. This means that people in security-critical positions will be kept vulnerable, or even made more vulnerable, exposing the system to other attackers.

The second security problem is related to bulk interception, the competence that gave the new law its nickname: dragnet surveillance law (de sleepwet). Collecting data in bulk from cables requires adding taps to the network. In cyber security, any interception point creates another potential vulnerability. How can we be sure that hackers will not make use of the taps? In addition, the storage of data intercepted in bulk brings severe security risks, because the troves of data are a gold mine for agents from other services and cyber criminals. What level of guarantees can the Dutch services offer that this data will not leak? The threat of data leaks becomes more severe as the new law permits sharing the bulk data, including “bycatch”, with foreign agencies, even without first checking the contents. The Netherlands has cooperation agreements with, among others, the British and the Americans. Both of these countries have a rich history of data breaches in the government. Sharing data with these countries is thus not without security risks for the Netherlands.

In addition, more and more communication is successfully encrypted and the metadata is masked, certainly by criminals and (potential) terrorists. This causes the dragnet to fill with data of random citizens and gives the government an incentive to forbid security technologies such as VPNs and end-to-end encryption. We already see this happen in China. However, these technologies are highly important for a secure Internet, and forbidding them leads to grave security risks for society and the economy.

The third security risk is the loss of control when foreign agencies use the shared bulk data. Stored data, whether suspicious or not, can be shared with foreign agencies without first checking the contents. Abuse by foreign agencies for their own benefit is no exception in the world of spies. For example, the German agency BND offered database access to the US agency NSA in connection with the fight against terrorism. However, it later turned out that this access was abused by the Americans to conduct industrial espionage against their host Germany. Neither the new review committee (TIB) nor the oversight committee (CTIVD) can control what happens with our data outside the Dutch borders. This security risk deserves a place in the debate.

So far we have mentioned a number of security threats that come with the new law. There are also some strong indications that the usefulness and necessity of bulk collection in the fight against terrorism are being exaggerated by the supporters of the Wiv. Analyses show that untargeted bulk collection and automated (meta-)analysis of the data are not the most suitable means to stop terrorism. Not only do they not offer any means to detect the so-called lone wolves, but it also turns out that attackers are typically already known to the secret services. Traditional and targeted interception powers, which the Dutch secret services already have, must be sufficient to focus on such targets. The New America Foundation performed research into the effectiveness of bulk collection in more than 200 legal investigations into terror suspects in the U.S., and concluded that the typical starting point for the investigations was traditional investigative powers, such as use of informants, tip-offs by local communities, and targeted surveillance operations.

Even the Anderson review is a reason to remain skeptical about the necessity of this very invasive means in the fight against terrorism. Supporters of the law often cite this report because it is supposed to demonstrate the usefulness of bulk collection by the British secret services. In the end it turned out that, out of the 5 cases of anti-terror investigations that the agency itself had presented as examples of success, the dragnet was used mostly where the eventual targets already were part of an existing terror network and had contact with known targets, which means that targeted taps would have given the same result. The necessity of bulk interception is, to say the least, debatable.

In its quest for security, the Dutch government created the above-mentioned security risks. These must be included in the debate, which unfortunately is more complicated than simply privacy vs. security. If only it were this simple.