De Week

Head of Dutch security service is fed up with privacy concerns

Bits of Freedom biedt Bertholee cursus Grondrechten aan
DOSSIER / Versleuteling

Will people who value privacy know that they allowed a terrorist attack to take place? Rob Bertholee, head of the General Intelligence and Security Service of the Netherlands (AIVD) made this and other bold statements in a revealing interview, clearly showing his frustration about legitimate privacy concerns.

In the interview (in the Dutch daily De Volkskrant) he demands access to any encrypted communications despite the major security implications this may have for millions of citizens. By taking this position he even goes against the position of the Dutch government made earlier this year, when it said it would: “not adopt restrictive legislative measures against the development, availability and use of encryption within the Netherlands.”.¬† And when he is challenged by the interviewer, Huib Modderkolk, about the negative consequences of the new powers he demands, he responds by framing the issue as a false dichotomy between privacy and security.

Bits of Freedom is worried that the head of the Dutch security service does not fully recognize that the right to privacy and the use of encryption is a core element of a secure and free society. It is not possible to weaken encryption just a little bit for “good causes” only. Introducing back doors would not only allow the Dutch security service to access encrypted communications but also make our communications vulnerable to criminals and foreign intelligence services.

This is a good moment for the Dutch government to put its laudable position about encryption into practice, and tell Mr. Bertholee why weakening encryption is truly a bad idea.

Below you will find a translation of the relevant passages from the interview. We would like to thank Tim van der Molen for helping us with the translation!

Excerpts of interview with Rob Bertholee, head of the AIVD:

Why is the threat so large?
“The threat is manifold. There are the jihadists who returned from Syria and are traumatised. There are jihadists who returned and willfully blend into society waiting to strike at a later time. And there are those who are inspired through social media without ever having gone to Syria or Iraq. The people who intentionally blend into society and are waiting for orders, are perhaps the easiest to discover for us. Because it requires communicating with Syria and communication can be intercepted. The largest threat comes from the lone wolve who gets inspired and radicalised at home. They remain invisible to us.”

Terrorists are said to mostly use chat applications like Telegram, WhatsApp and Signal. These applications offer strong encryption, making it very difficult for security services to read chat messages. France and Germany have proposed to restrict this use of encryption. The Dutch government is opposed, however, because encryption also provides security for millions of users. Bertholee’s position is clear: he believes his service should always be able to undo encryption.

The problem is that there is no such thing as partial encryption. If the AIVD can acces ecnrypted data, then encryption becomes useless for millions of others.

“That’s true. But we are not interested in all those other people.”

Still, if the AIVD is able to access encrypted data, then so can the Americans, the Russians, the British and anyone else. This is why the Dutch government opposes restrictions on encryption.

“In that case the Dutch government should also accept the fact that we are no longer able to access communications of terrorist. We have the legal authority to decrypt information and in many cases we actually do this. I want to have access to the communications of those who pose a threat.”

The crux of the matter is that it’s not possible to do this in selected cases only. This is why Apple refused to comply with the request from the FBI to unlock that particular iPhone 5c — because doing so would render insecure all phones of that type. Do you understand Apple’s position?

“Let me ask a counter question. Should helping terrorists communicate securely be one of Apple’s aims? We want to protect the law. This means we use our powers with restraint. We are not allowed to use them against persons not posing a threat.”

There is, however, no guarantee whatsoever that other intelligence services won’t abuse this [Bits of Freedom: i.e. the possibilibity to access encrypted data].

“Then you should accept the fact that you lose some security. Then you should ask yourself how much security you are prepared to sacrifice for privacy.”

Isn’t this a false dichotomy? After all, for many people more privacy also means a greater sense of security.

“I truly wonder. I, too, believe that protection of privacy is very important. But will people who value privacy over anything else continue to pursue their goal with the same enthusiasm after they have fallen victim to a terrorist attack? When they know that they allowed such an attack to take place?”

Bertholee gets fierce. He is fed up with the privacy discussion. Privacy is fine and important and all that, but according to him the image of the AIVD being a large violator of privacy is far from being true. “I admire the privacy organizations that invented a catchy term for this: the dragnet. But that’s incorrect. We don’t collect everything. We can’t do this and we aren’t allowed to. I cannot stress enough that we exist to protect freedom, and not to sustain some sort of regime.”

This invites the question of what exactly the AIVD intends to do. The Dutch government is preparing a bill allowing the AIVD to intercept internet traffic. This constitutes a considerable increase of the AIVD’s legal powers of what it can do.

Bertholee finds it difficult to answer questions about this subject. He prefers to give generic examples, pointing out that the enemies of the Netherlands are using the enormous data network and that the service wants to search for their communication in the most specific and directed way possible. Just trust us, he appears to be saying.

Essentially the AIVD will be able to scan a large part of all internet traffic.

“Do you know how thick a glass fiber cable is? And how many of those little fibers it contains? It’s an illusion to think that we can tap such a thick cable in its entirety. We can’t do that, we aren’t allowed to do that, and it’s not something I want to do. We will be looking for that one particular cable, make a network analysis and then zoom in.”

What will the new bill allow you to do what you cannot do now?

“Our opponents usually operate in networks. The new bill will help us to make a network analysis much faster. If an attack is being prepared in one of those networks, we will be able to filter much more easily and get to the people we need to get to. Right now we have to eavesdrop on everyone in such a network in order to find out the leaders. In the future we will be able to get to the core much faster.”

Still, this is not the full story. The AIVD is not empty handed at all. Technological developments make it easier for the service to intrude further into someone’s private life. It is possible to hack someone’s smartphone or computer, to look at CCTV images, or to attach GPS trackers to vehicles. Bertholee admits these possibilities exist. Just as he admits that wiretapping alone never has prevented a terrorist attack. In the end, the real work has to be done by humans.

  1. Merijn Vogel

    Forbidding can never work, The age-old argument “then only criminals will have encryption” applies here. After repeating that for 20+ years I do get a bit tired.

    Furthermore, he already has (or will have in the near future) all metadata relevant to his cases.

    And yes, I’d rather be the victim of a terrorist attack if that gives me privacy. (I was rather close of being one in 1988 by the way, see https://nl.wikipedia.org/wiki/Terrorisme_in_Nederland )

    The chance of becoming a victim of that is, in my estimation, a lot less than being dragged into something because I am interested in, say, privacy, computer security etc. Which I like to discuss with people, through all kinds of media. In private.

  2. Peter Knoppers

    Ik denk dat de politie en de veiligheidsdiensten zich moeten voorbereiden op een tijdperk dat het overgrote deel van de persoonlijke communicatie zo versleuteld is dat ze er niet meer bij kunnen.

    De volgende stap is dat ze ook geen bruikbare metadata meer kunnen krijgen. Hoe lang denk je dat het duurt voordat er een WhatsApp-achtig programma komt/doorbreekt waarbij de communicate via TOR (of iets dergelijks) verloopt zodat niemand meer kan traceren wie met wie communiceert?

    Ik houd het op maximaal 5 jaar.

    • Peter Knoppers

      I should have written my previous comment in English. Fixing that with this message.

      I believe that police and security services should prepare for an era where the majority of person to person communication is so well encrypted that they can never read it.

      The next step is that they won’t get useful meta-data either. How long will it take before WhatsApp-alike software appears/conquers the market that communicates via TOR (or something similar), ensuring that no one can track who communicates with whom?

      My estimate is 5 years.

  3. Samir Allioui

    Terrorism deos not pose a existential risk to society. Secret police c.q intelligence agencies do.

    • kees koek

      Totally agree. Terrorism is used as a tool by the rich elite to control us. So is religion. Were all actors in a bad movie.

    • Kea

      I do not agree with Kees. One of our human rights is freedom of religion. 25 September people from all religions in Amsterdam are gathering on Dam Square in the heart of the city, peaceful celebrating our freedom.
      The issue here is mass surveillance and terrorism, not inequality of income or religion.
      Mister Bertholee overestimates the capacities of his organisation, thinking that he can prevent terrorism with mass surveillance. It will be a cat-and- mouse game and he always will be too late. It will not help him. The silly thing is, that criminal hackers can do what he wants to do if there are backdoors. These are practical arguments. The other argument is a more serious one: human rights, our dignity. Bertholee neglects this and that’s why he really needs a course, like bof suggests.

  4. M. Steltman

    We have to stop playing their game.
    This is not about our privacy. Its is about freedom of speech.
    It is no problem to limit the privacy of a suspect or target. We hav no problem with that.
    But I am free to say “the potatoes are ready. I repeat, the potatoes are ready”. That is encryption, with a pre-shared key. Isn’t it ?
    Bertholee, in fact, wants to forbid me from saying something that he does not understand. He wnts to take away our freedom of speech.

  5. MathFox

    We accept 600 traffic deaths per year… there are 150 violent killings in the Netherlands every year. We even accept that our dikes may fail. I suggest that we should accept that there is a probability that a terrorist act may succeed once every few years; The country has survived every act since the killing of William the Silent.

  6. A.

    Die man heeft niks te willen. Hij moet zich netjes naar de politiek en naar de burger schikken. Rob moet uit andermans spullen blijven die bange pannenkoek

  7. Klaske

    May 2015 : attack on the Jewish Museum in Brussels
    Jan. 2015 : attack on Charlie Hebdo and a Jewish supermarket in Paris
    Febr. 2015 : attack in Kopenhagen
    Nov. 2015 : attacks in Paris
    March 2015 : attacks in Brussels
    17 Islamists were invloved in these attacks. 15 were identified, they were already known to the authorities. 12 had travelled to Syria, Irak, and Jemen. 10 had been convicted before, because of violent crimes.
    So why did the authorities not invest in a more intensive and clever surveillance on these people, instead of chosing for cheap mass surveillance of a whole population, ignoring the right of privacy of us all?
    I think it is because people like Bertholee believe in everything that IT promises. Mister Bertholee c.s. should start thinking more critical.

  8. Sjors

    As to the supposed contradiction between privacy and security, what should be addressed is for which insecurity the judiciary wants to be empowered to search the metadata of the communications of Dutch citizens.

    Crime: What should be discussed is which crimes are the most harmful to Dutch society, and then whether these crimes are actually committed by many unsuspected Dutch citizens.

    Terrorism: What should be discussed is why the Dutch government does not comply with Article 2 (4) of the Charter of the United Nations and then what effect this breach has on terrorism threats.
    https://en.wikipedia.org/wiki/United_Nations_Charter#Article_2

Geef een reactie

Het e-mailadres wordt niet gepubliceerd.

Help mee en steun ons

Door mijn bijdrage ondersteun ik Bits of Freedom, dat kan maandelijks of eenmalig.