Intelligence agencies need to remove large amounts of data citizens

Intelligence agencies AIVD and MIVD are breaking the law by storing data of citizens who are not the subject of investigation for a long time. That concludes the intelligence watchdog, the Intelligence and Security Services Supervision Commission (CTIVD). The data must be deleted.

This is not about what critics call the trawl net, which allows the intelligence services to collect data from many people at the same time via unfocused internet taps. Instead, it involves large amounts of private data that the service receives through, for example, a hack. The privacy impact of such a โ€œbulk datasetโ€ can be similar or even greater than an internet tap.

For example, an intelligence service could hack into a telecom provider to get their hands on the invoices of all customers, and then find out the call history of possible terrorists. A mail provider could also be cracked. Exactly what kind of data is not known; it can concern both Dutch and foreigners.

โ€œThe law states that this data may be kept for a year and a half, but they have kept it much longer,โ€ says Addie Stehouwer, who deals with the complaints to the CTIVD. โ€œThis includes data that they know will never be relevant.โ€

Binding

The verdict comes after a complaint from Bits of Freedom. It is not the first time that the regulator has warned about this, but now the judgment is binding. โ€œWe are delighted with the statement, and that this data must now be destroyed,โ€ says Lotte Houwing of Bits of Freedom.

The fact that the data really needs to be deleted is due to an inconsistency in the intelligence law. If the CTIVD does its own research, the supervisor can only issue advice. In principle, the cabinet and the parliament do not have to do anything about this. But if someone submits a complaint, the regulator can impose a binding judgment.

โ€œWe filed our complaint because the services broke the law, but ministers did nothing to do with it,โ€ Houwing says. โ€œIt is problematic that this happens and that our monitoring system is not able to solve that on its own.โ€

A year and

According to the regulator, the intelligence agencies store the data of โ€œinnocentโ€ citizens for far too long if they get their hands on a bulk dataset. The services have a year and a half to extract the interesting data from such a dataset, and then the rest must be discarded, but that does not happen: instead, all or a large part of it is kept.

In practice, it turns out that it is impossible to assess gigantic datasets within the legal period of one year to a year and a half in terms of content. That is why the services label datasets as relevant in their entirety; according to that logic, all data could be kept, even if there were still data from citizens that are not at all relevant to an investigation.

The CTIVD does not warn for the first time that the law is not allowed to do so at all. As early as 2019, the CTIVD wrote that the way the gigantic datasets are handled is wrong. In 2020, the services received another tap on the fingers, and the CTIVD ruled that a number of data sets should be destroyed. That didnt happen next.

Goat path

However, the Ministers of Interior and Defence came up with a legal goat path to allow the services to continue working with the datasets, because they would be so important. But not only did the services not comply with the conditions of that goat path, the goat path is not right either, writes the CTIVD.

The regulator carried out further research into five datasets, and in those cases, the AIVD and the MIVD were also unable to clearly demonstrate exactly how useful the datasets were for the investigation. AIVD employees also had much easier access to data sets than intended.

Shipped supervision

The draining is also under a magnifying glass. Earlier, the CTIVD announced that it is tightening oversight of large-scale wiretapping. Since that enhanced supervision, the services have once again violated the law: they tapped more than they received permission for, the CTIVD wrote to the House last Friday.

In the meantime, the cabinet wants to temporarily give the intelligence services more powers in investigations into digital threats. In addition, the services are also allowed to search and tap in bulk datasets more easily, wrote de Volkskrant, who has inspected the law.

The AIVD and MIVD were not available for comment.