CyberGuerrilla

Pitching security vs. privacy is asking the wrong question

By Anonymous | March 17, 2018 - 17:34 | Posted in Ops

Does a “no” vote against the Law for the intelligence and security services (Wet op de inlichtingen- en veiligheidsdiensten, Wiv) make our society less secure? Proponents of the new law answer “yes” without any reservations. However, we, researchers in cyber security, computer scientists and security professionals, are skeptical of their claim.

We think that the public debate about the new law is framed too simply: security vs. privacy. If you are in favor of security then you vote “yes”; if you consider privacy more important then you vote “no”. That the new law itself creates security risks does not fit into this narrow framing, but it is nevertheless the case. These risks have to be taken into account in the debate and need to be translated into suitable safeguards in the law.

The first security problem is the extended hacking powers, which authorize the agencies to break into devices and networks using unknown vulnerabilities. There is no requirement to report these vulnerabilities to the producers and developers of the devices or the software. By not reporting them, not only does the target of surveillance remain vulnerable, but so do countless people in the Netherlands and abroad. There is a real chance that others will use the same vulnerabilities for different purposes. Cyber criminals and more dubious intelligence agencies may either find the vulnerabilities themselves or break into the agency’s database to steal this information. The multi-day cyber attack on the container terminal in the Rotterdam harbor used a vulnerability that was reportedly stolen from the NSA. Not reporting vulnerabilities runs the risk of causing serious economic damage. The agencies cannot reconcile this with their mission to provide security.

The government’s use of a vulnerability can also introduce new vulnerabilities, as was the case with the German Bundestrojaner. This security risk is amplified by a new power granted in the Wiv: the government may hack a third party who (unknowingly) is connected to the target, e.g., by being the system administrator or otherwise “technically related”. This means that people in security-critical positions will be kept vulnerable, or even made more vulnerable, exposing the systems they manage to other attackers.

The second security problem is related to bulk interception, the power that gave the new law its nickname: the dragnet surveillance law (de sleepwet). Collecting data in bulk from cables requires adding taps to the network. In cyber security, any interception point is another potential vulnerability. How can we be sure that hackers will not make use of the taps? In addition, the storage of data intercepted in bulk brings severe security risks, because these troves of data are a gold mine for agents of other services and for cyber criminals. What guarantees can the Dutch services offer that this data will not leak? The threat of data leaks becomes more severe because the new law permits sharing the bulk data, including “bycatch”, with foreign agencies, even without first checking the contents. The Netherlands has cooperation agreements with, among others, the British and the Americans. Both of these countries have a rich history of data breaches in government. Sharing data with these countries is thus not without security risks for the Netherlands.

In addition, more and more communication is successfully encrypted and its metadata masked, certainly by criminals and (potential) terrorists. This causes the dragnet to fill with data of random citizens and gives the government an incentive to forbid security technologies such as VPNs and end-to-end encryption. We already see this happening in China. However, these technologies are vital for a secure Internet, and forbidding them leads to grave security risks for society and the economy.

The third security risk is the loss of control once foreign agencies use the shared bulk data. Stored data, whether suspicious or not, can be shared with foreign agencies without first checking its contents. Abuse by foreign agencies for their own benefit is no exception in the world of spies. For example, the German agency BND gave the US agency NSA database access in connection with the fight against terrorism. It later turned out that this access was abused by the Americans to conduct industrial espionage against their host, Germany. Neither the new review committee (TIB) nor the oversight committee (CTIVD) can control what happens to our data outside the Dutch borders. This security risk deserves a place in the debate.

So far we have mentioned a number of security threats that come with the new law. There are also strong indications that the usefulness and necessity of bulk collection in the fight against terrorism are being exaggerated by the supporters of the Wiv. Analyses show that untargeted bulk collection and automated (meta-)analysis of the data is not the most suitable means to stop terrorism. Not only does it offer no way to detect so-called lone wolves, but it also turns out that attackers are typically already known to the secret services. Traditional and targeted interception powers, which the Dutch secret services already have, must be sufficient to focus on such targets. The New America Foundation performed research into the effectiveness of bulk collection in more than 200 legal investigations into terror suspects in the U.S., and concluded that the typical starting point for the investigations was traditional investigative powers, such as the use of informants, tip-offs from local communities, and targeted surveillance operations.

Even the Anderson review is a reason to remain skeptical about the necessity of this very invasive means in the fight against terrorism. Supporters of the law often cite this report because it is supposed to demonstrate the usefulness of bulk collection by the British secret services. In the end it turned out that, in the 5 anti-terror investigations that the agencies themselves had presented as examples of success, the dragnet was used mostly where the eventual targets were already part of an existing terror network and had contact with known targets, which means that targeted taps would have given the same result. The necessity of bulk interception is, to say the least, debatable.

In its quest for security, the Dutch government has created the security risks described above. These must be included in the debate, which unfortunately is more complicated than simply privacy vs. security. If only it were this simple.

Dutch version (Nederlandse versie).

Initial signatories

Dr. Greg Alpar
Open Universiteit & Radboud Universiteit

Jaya Baloo

Erwin Bleumink
SURF

Prof.dr.ir. Herbert Bos
Vrije Universiteit Amsterdam

Stoffel Bos

Dr. Fabian van den Broek
Open University

Prof. dr. Marko van Eekelen
Open Universiteit & Radboud Universiteit

Sacha van Geffen
Directeur Greenhost

Simon Hania

Dr. Jaap-Henk Hoepman
Radboud Universiteit Nijmegen

Dr. Andreas Hülsing
Technische Universiteit Eindhoven

dr. Slinger Jansen
Universiteit Utrecht

Dr. Ir. Hugo Jonker
Open Universiteit

LLM Merel Koning
Radboud Universiteit Nijmegen

Prof. dr. Bert-Jaap Koops
Tilburg University

dr.ing. Matthijs Koot
Secura B.V. & Universiteit Amsterdam

prof. dr. Eleni Kosta
Tilburg University

Prof. Dr. Tanja Lange
Technische Universiteit Eindhoven

Michiel Leenaars
Director of Strategy NLnet Foundation

Rachel Marbus

Veelasha Moonsamy
Universiteit Utrecht

Adriana Nugter

Dr. Andreas Peter
Universiteit Twente

dr. Jean Popma
Radboud Universiteit Nijmegen

Prof. Dr. Aiko Pras
Universiteit Twente

Dr.ir. Rick van Rein
OpenFortress B.V.

Dr. Melanie R. Rieback
Radically Open Security B.V.

dr. ir. Roland van Rijswijk-Deij
Universiteit Twente

Dr. Christian Schaffner
Universiteit van Amsterdam

Dr. Peter Schwabe
Radboud Universiteit Nijmegen

Dr. Boris Skoric
Technische Universiteit Eindhoven

Prof. dr. Jan M. Smits
Technische Universiteit Eindhoven

Rogier Spoor
Honeypot program, TCC

dr. Marco Spruit
Universiteit Utrecht

Dr. Erik Tews
Universiteit Twente

ing. Hans Van de Looy
RCX UNICORN Security

dr. Benne de Weger
Technische Universiteit Eindhoven

Dr. Philip R. Zimmermann
TU Delft Cybersecurity Group

Contact

For press inquiries contact us at press@veiligheid-en-de-wiv.nl.

To co-sign contact us at add-me@veiligheid-en-de-wiv.nl stating your name in the form you would like it to appear.
