The Dutch state is developing a considerable surveillance and intelligence sharing apparatus. For what purpose?
The available evidence indicates the use of electronic surveillance practices that go beyond traditional, targeted surveillance for intelligence purposes in five EU countries: the UK, Sweden, France, Germany and the Netherlands. Each member state is examined with the following criteria in mind: the basic technical features of large-scale surveillance programmes; stated purpose of programmes, targets and types of data collected; actors involved in collection and use, including evidence of cooperation with the private sector; cooperation or exchange of data with foreign intelligence services, including the NSA; and the legal framework and oversight governing the execution of the programme(s).
There are currently no publicly disclosed programmes of mass cyber surveillance in the Netherlands. Current discussions around large-scale surveillance are limited to expert arenas and are linked to the mandate and capabilities of a new Sigint and Cyber agency, the Joint Sigint Cyber Unit (JSCU) to be established in 2014.
(Potential) programmes for large-scale surveillance
The Joint Sigint Cyber Unit (JSCU), codenamed ‘Project Symbolon’, will start to function in 2014. The unit was announced as part of the Dutch Ministry of Defence’s Cyber Strategy in 2012 as a joint effort of the AIVD (General Intelligence and Security Service) and MIVD (Military Intelligence and Security Service). It will replace the current National Signals Intelligence Organisation (NSO), also created with staff from AIVD and MIVD in 2003.
The JSCU is expected to centralise all Signals and Cyber surveillance in the Netherlands and will have a staff of 350. Its headquarters should be located in the offices of the AIVD in Zoetermeer, while other departments will be located in MIVD premises in The Hague. The signals location in Burum and the analysis location in Eibergen, currently operated by the NSO, will stay active.
There is currently little knowledge about the budget that will be dedicated to the JSCU. Project Argo II (establishment of the agency) has a budget of €17 million.
Concerning the objectives of the new agency, traditionally, Dutch SIGINT activities have focused on supporting military missions abroad and increasingly on counterterrorism activities  but their official mandate also includes non-security related tasks, such as the collection of economic intelligence. The official objectives of the new agency are both defensive and offensive cyber activity. Offensive activities are being justified by recent cyber-attacks, such as the compromising of the security of government services by the hijacking of electronic signatures issued by certificate authority DigiNotar.
The official objectives of the program, as reported in the 2012 Cyber Strategy prepared by the Ministry of Defence, are the following:
* Infiltration of computers and networks to acquire data: mapping out relevant sections of cyberspace; monitoring vital networks; gaining a profound understanding of the functioning of and technology behind offensive cyber assets.
* The gathered information will be used for: early-warning intelligence products; the composition of a cyber threat picture; enhancing the intelligence; production in general; conducting counterintelligence activities.
* Cyber intelligence capabilities cannot be regarded in isolation from intelligence capabilities such as: signals intelligence (SIGINT); human intelligence (HUMINT) and the MIVD’s existing counterintelligence capability.
At the moment, SIGINT activities in the Netherlands are limited to targeting specific individuals, both citizens and non-citizens, domestically and abroad. The MIVD is responsible for overseas SIGINT, while the AIVD is responsible for domestic targeted searches.
As mentioned previously, Dutch intelligence agencies are prohibited from conducting mass cable surveillance. Telecommunication interceptions are focused on individuals, and have to receive ministerial approval. In the meantime, both the AIVD and the MIVD working within the NSO are allowed to collect and store internet communications. This data can be searched through queries and keywords, but these also need to receive prior ministerial approval. It is worth noting however the potential for large-scale surveillance that the Netherlands holds given that the Amsterdam Internet Exchange Point (IXP) is the second largest in Europe after Frankfurt.
The information currently gathered by the NSO and in the future by the JSCU will be available to both AIVD and the MIVD. It is not known yet which other law enforcement agencies will have access to the information produced by the JSCU.
Concerning the involvement of private actors, Dutch MP Ronald Van Raak has asked the Ministry of Interior and Kingdom Relations to comment on the alleged involvement of private sector companies in project Argo II: NICE Systems, an Israeli firm specialising in cyber security, and Accenture, an American consulting firm. It also asked the government about the role of the Amsterdam Internet Exchange (AMS-IX). In its response to van Raak, the Dutch Ministry of Interior and Kingdom Relations did not confirm the involvement of NICE Systems nor Accenture, invoking national security reasons: "The functional specifications of the platform give insight into the modus operandi of the MIVD and are therefore classified state secret". It has also implicitly denied that the Amsterdam Internet Exchange (AMS-IX) was involved in the project stating that there was "no involvement of a supplier, either directly or through subsidiaries, in the collection of Sigint".
Ot van Daalen, from the the Dutch Digital Rights organisation Bits of Freedom (BoF) has however recently raised concerns about the vulnerability of the AMS-IX to Dutch and US intelligence services: First, he raised concern over the fact that in a recent parliamentary hearing AMS-IX ”did not consider the Dutch secret services to be part of its threat model”. Second, he found AMS-IX project to expand to the US a worrying prospective, arguing that “one of the most significant worries brought forward by members is that the NSA by this expansion would be legally authorised to gain access to data handled on the Dutch AMS-IX”. According to AMS-IX, which has confirmed its expansion in the US, the new legal structure of the firm should however separate US-based activities and EU-based activities,
Cooperation with foreign intelligence services
Anonymous sources from the Dutch intelligence agencies have told the Telegraaf newspaper that the AIVD has routine access to information from the NSA “within five minutes”. This would allegedly allow Dutch intelligence services to have access to information on Dutch individuals from the US PRISM programme without the need for an express warrant as required by Dutch law. The Dutch Parliament has launched an inquiry into the role of the AIVD in this context to assess whether they have used private data obtained through the NSA’s activities. Dutch officials such as Home Affairs Minister Ronald Plasterk have denied that AIVD and MIVD make direct use of the PRISM programme. The Dutch government also released an official statement rebuffing the allegation.
Legal framework and oversight
The current legislative framework the Dutch Intelligence and Security Act 2002 (Wiv 2002) does not permit the services to wiretap "cable-bound communications" under any circumstances. The establishment of the JSCU will therefore require a modification of the law. A commission, headed by C.W.M. Dessens, has been established to investigate if and under which conditions should the law be modified.The conclusions of the commission, initially expected in September 2013, were made public at the end of 2013. On the basis of the composition of the commission, two of our respondents suggested that it is likely that the law will be amended to permit the tapping of cable-bound communications.
Currently, wiretapping activities require the approval of the minister of interior, who signs off all wiretapping orders. The main institution in charge of the monitoring of the AIVD and MIVD activities is the CTIVD (Review Committee on the Intelligence and Security Services). The CTIVD does not have direct access to all activities of the services, but is allowed to “sample” some of their activities for compliance. A recent report showed that when the committee looked into the compliance in the context of international SIGINT assistance, “it found that such assessments were not always made properly”.
There is currently no information about the structure of checks and balances that will apply to the new JSCU, although it is likely that it will fall under CTIVD mandate.
The data presented here was gathered on the basis of news articles, checked and complemented by interviews with the following experts: Ot van Daalen, Bits of Freedom; Jelle van Buuren, Leiden University, Center for Terrorism and Counter-terrorism; Axel Arnbak, cybersecurity and information law researcher at the Institute for Information Law, University of Amsterdam.
 The need for autonomous Dutch SIGINT was made particularly pressing after the debacle of the ‘Dutchbat’ (Dutch Battalion under the command of the United Nations Protection Force) in Srebrenica during the war in Bosnia-Herzegovina, which was largely based on misleading intelligence. Source: Interview with Axel Arnbak.
Read more from our 'Joining the dots on state surveillance' series here.