Connect with us

Hi, what are you looking for?

Technology

Intelligence watchdog resigns to blow whistle on Dutch hacking law

Press play to listen to this article

A key member of the committee overseeing the Netherlands’ intelligence agencies has resigned to ring the alarm over an incoming law he says would allow security services to hack and wiretap without proper oversight.

Bert Hubert, a renowned Dutch IT engineer and former intelligence official, served as one of three key officials overseeing intelligence agencies’ requests to use hacking tools, surveillance, wiretapping and other “special powers.” 

He left his post in protest of a draft law that would remove some of the checks that intelligence officers have to comply with before carrying out sophisticated cyber operations on countries with “offensive cyber programs” against the Netherlands — most notably China and Russia.

Agencies “are asking for less oversight so that they can use their powers more swiftly and with less scrutiny,” Hubert told POLITICO, calling it “a step backward.”

Hubert’s resignation sheds light on how intelligence is adopting new digital powers. It comes as the Pegasus spyware scandal continues to ripple across the EU, raising questions over how security services have deployed intrusive operations against domestic opposition and civil society figures without proper checks on whether they were justified. 

“We need to be very careful with this slippery slope because it’s not going down well, for democracies around the world. And every step backwards, you need to be very vocal and noisy,” Hubert said. 

A self-proclaimed “nerd,” Hubert joined the Netherlands’ three-person committee that assesses intelligence agencies AIVD and MIVD’s surveillance and hacking requests — called the TIB — in 2020, as the committee’s technical expert. He left his role earlier this month in order to speak freely about the threats of the incoming law, he said in an earlier public statement. Hubert previously worked in various roles for Dutch intelligence, including as a software developer and hacker, as well as in roles as tech expert, adviser and consultant, and founded internet company PowerDNS in 1999.

‘Any cable anywhere’

The Dutch law, which is still in draft and expected to pass parliamentary approval in the fourth quarter of this year, would allow intelligence and security services to intercept communications without seeking regulatory approval if it concerns targets and data involving countries with offensive cyber programs like China and Russia.

Three articles of the Dutch law concern the former watchdog. For signals intelligence, or the interception of large internet cables, Hubert says the law allows Dutch security services to intercept “any cable anywhere, for one year, and to store the contents for a year as well” without providing a justification in advance for the surveillance. 

“They’ve explicitly stated that look, we don’t have to give a reason for that. We just have to say, we’re interested in that cable,” Hubert said. 

The new law, Hubert said, also removes protections for “non-targets” if they involve countries with offensive cyber programs. A non-target is a person or organization who themselves are not the focus of an investigation, but who can provide information on actual targets because they share computers or provide IT services to them. Non-targets can also be individuals or SMEs that are victims of hackers. 

The Netherlands currently requires a high standard for surveilling non-targets. “You have to argue there is no other way to get this information,” Hubert said. He believes the new law will change this, extending intelligence services’ power to surveil hackers’ victims too: “If you have a warrant on a bunch of hackers, you now administratively also have a warrant on all their victims and all the computers used by their victims, and that’s weird,” he said.

Hubert said the new Dutch law allows Dutch security services to use computers to study the intercepted data without pre-approval. Currently there are restrictions on how much data the services can look at and analyze. It also no longer requires a disclosure upfront about the technical risks. “There is always a chance you break something, when you hack it, creating a backdoor to the company,” he explained.

Power to hack back

Former Dutch Defense Minister Henk Kamp said that the government has been waiting to intercept cables since 2017 | Atta Kenare/AFP via Getty Images

Proponents of stronger investigatory and intelligence powers say requirements for regulatory pre-approval have stymied efforts to protect national security. 

Former Dutch Defense Minister Henk Kamp told local newspaper NRC in January that the government has been waiting to intercept cables since 2017 as the regulatory committee on which Hubert served kept denying applications. “Effectively we are hamstrung in what we can do. Countries like Russia and China can do what they want, but we have ethics and rules,” Kamp said at the time. 

The Dutch government is now awaiting legal checks and a parliament process to see how the bill shapes up. A Ministry of Defense spokesperson said it is “currently processing the written counsel of the Council of State. The time for debate and discussion of the adapted piece of legislation is when it has been submitted to Parliament,” adding it would not comment on the bill’s contents before that.

Not all of Hubert’s peers agree with his criticism of the new law. Ronald Prins, Hubert’s predecessor as the technical expert on the TIB regulatory committee, argued the laws previously were not permissive enough as they allowed too little space for necessary intelligence work.

“You want to actually be in the networks of your attacker beforehand,” Prins said about easing hacking limits for intelligence officers. “Some people call this hacking back … We want to be in their computers.”

“With the old law it’s not possible to keep up the same pace as the Russian and Chinese hackers,” he said.

Prins and Hubert have a different understanding of the new law. Prins says it eases the approval process for the “exploration” of cables to gather technical information, making it less strict than it was before. Security services need that data to determine which communications to more deeply monitor, and make a detailed request of the government for approval. 

Prins says it is also impossible for security services to know, and thus disclose, the technical risks of their operations in advance. As for oversight, he says that power has shifted to another committee which can monitor and stop Dutch cyber operations.

But at a time when European security services are ramping up their own powers to decrypt, tap and hack, Hubert argues the Netherlands shouldn’t do away with its strict oversight regime. EU countries need to develop stronger, more detailed laws around intelligence requiring the creation of an independent committee, tribunal, or judge to pre-approve cyber operations, he said. 

“I am very much in favor of robust intelligence agencies, because you also need that,” he said, “but it is tricky to strike the balance to say how much surveillance is good enough, and that is where I feel the balance is shifting right now.”

This article is part of POLITICO Pro

The one-stop-shop solution for policy professionals fusing the depth of POLITICO journalism with the power of technology


Exclusive, breaking scoops and insights


Customized policy intelligence platform


A high-level public affairs network

Click to comment

Leave a Reply

Your email address will not be published.

You May Also Like

Europe

NATO countries urgently need to boost weapons production, Ukrainian Foreign Minister Dmytro Kuleba warned ahead of a meeting of the alliance’s ministers this week....

Europe

LONDON — Rishi Sunak sought to up his rhetoric on China on Monday while carefully opening the door to further talks with President Xi...

Europe

Jamil Anderlini is editor-in-chief of POLITICO Europe and spent two decades as a reporter in China. “Chinese people should be braver!” the young man...

Technology

Press play to listen to this article Voiced by artificial intelligence. Spain is proving the most troublesome country to probe in EU lawmakers’ ongoing...

Europe

KYIV — It’s all about the weapons — and we’ll do everything to get them to Kyiv.  That was the message from Nordic and...

Europe

Ireland’s privacy authority Monday announced it was imposing a €265 million fine and other corrective measures on Meta for failing to properly protect its...

Foreign Policy

BERLIN — The German government gave a piece of advice to China on Monday as the country faces historic protests against its rigid zero-COVID...

Energy

EU countries resumed last-ditch talks on Monday to secure agreement on a price cap for Russian oil, with deep splits among them on where...