Dutch- Dragnet and Data Drama; An End to End-to-end-Encryption

Since 2018 here in these Netherlands we’ve had sweeping new law dealing with bulk collection of data, breaking into devices and sharing information with foreign powers dubbed; (the) ‘dragnet-law’ (footnote1). But powers that be would like more data, more access and less encryption(!)


satirical picture of me; “data hacker extraordinaire” (browser-hacker at best)

Meanwhile we voted against the dragnet via a referendum but as a result we only got a few legislative caveats, some minor limitations and some hollow promises. Meanwhile the same government scrapped the whole notion of referendums(!!)

A few years on now, all of our data scraped from every connection in 2018, should be wiped somewhere this year. But along the way the idea grew that insight into parts of our data was too cumbersome. End-to-end-encryption and the rising use of this technical solution, to thwart prying eyes, in popular niche messaging apps, is a ‘thorn in the eye’; a Dutch saying, to parts of our leadership.

“Wouldn’t it be nice and easy if ‘we’ could pass laws to weaken encryption or force parties to share encryption-keys?” (sarcasm)

Barring the fact our security services have tools at their disposal to monitor traffic, collect data and if need be hack devices. Having the keys to the kingdom is what some legislators would like (footnote2); having all our communication in ‘plain text’ to data-mine and analyze(!)

This would apply to popular apps like Telegram’s messenger, Facebook, Whatsapp, anything that currently forms a barrier, anything still considered somewhat private! Like I said; agencies already have tools and go-ahead to hack. This existing precedence isn’t limited to individuals either; we’ve seen the agencies here hijack Encrochat’s infrastructure last year; with purportedly ‘tens’ of currently pending criminal court cases as a result. (footnotes3,4,5)

Proving that if our security apparatus meets resistance in their hunger for data, other means are very possible! Sure, it takes more effort and no; I’m not a fan of criminality! But I do value privacy and departments of the Dutch government have displayed a lack of securing data it collects in the (not too distant) past;

This past January Dutch health-authority ‘GGD’ got in the spotlight (again) for flagrantly flaunting private data, including, but not limited to (our equivalent of) social security numbers, name, age, sex, addresses, phone numbers, current email addresses and more. Quite the leak and largely due to neglect; they had multiple early warnings of data being sold off!

Instead of monitoring who was accessing (and indeed exporting) large data-sets, or screening workers for registered offences (as was the law), the higher-ups were criminally-neglectful and are hiding behind the currently-ongoing health-scare and influx of work and subsequent influx of workers, as some sort of excuse! (footnote6)

My personal data was possibly compromised and so were millions of other Dutch citizens! Due to a hype of testing and ‘contact-tracing’ and a total lack of focus for data-security-practices. Tens of thousands of newly recruited external workers had ‘carte blanche’ and the organization didn’t attract a single new ‘data officer’ and didn’t perform any serious vulnerability assessment!

The GGD didn’t make a report to our Authority of Personal-data (Dutch: “AP: autoriteit persoonsgegevens”), an agency charged to deal with data-leaks and theft. GGD also neglected to contact people who’s data was likely compromised. Both of these actions are required by law!

I made a formal complaint to our Ministry of Justice, 2 months ago and haven’t hear a peep. I asked GGD for information on who was in the chain of command there, similarly I only received a message-receipt on my queries. I also notified the AP of my personal and general complaints. (footnote7 for reference)

This is a complete travesty! The lack of data-protection combined with the renewed calls for breaking the fundamentals of encryption from legislators has me perplexed! It’s ludicrous, it’s farcical; it’s indeed vicious!

“I will be following up on this in a separate article and renew my efforts to get those responsible up the chain to feel the consequences..”

The news I’m getting points at a perverse motivation to go after encrypted platforms and a few low-level data-sellers in the leak scandal, there is zero news of any consequences for (mis-)management; the actual data-brokers. I am working on a reconstructing a timeline on the GGD-data-leak that is startling: Early signs of data-theft and -sale from mid 2020 and security-holes acknowledged but left open from early 2020, up to reporters blowing the lid off of the case in early 2021.
(I will add a link to that here once it’s ready)

Update (March 11, 2021): even more examples of why our agencies DON’T need any change to encryption or a wider mandate; they hacked another service, ‘Sky ECC’, which denies being hacked, but still resulted in a string of arrests in the Netherlands (and Belgium). (footnote8, 9) Also it was in the news that our legislators are now actively working to limit oversight on our agencies through new legislation(!). (footnote10)


footnotes:

note1: Read about our existing ‘intelligence and security services’-laws here.

note2: On the push for willingly weakening encryption and/or forcing parties to share encryption keys here.

note3: On the case of ‘Enchrochat’ from 2020 here.

note4: A security bulletin on ‘Enchrochat’ from Europol, our EU focused sibling of Interpol here.

note5: A news article on ‘Enchrochat’ and resulting prosecutions here.

note6: About the Dutch GGD data leak and theft here. (more on this in an upcoming article here on KK)

note7: About our Dutch official authority for personal data ‘Autoriteit Persoonsgegevens’ here.

note8: On SkyECC being compromised and services looking in on messages here

note9: A news article on SkyECC denying the hack here

note10: An in-depth article on our oversight commissions being possibly reighned in by new legislation here

Data Drama