Dutch Government Moves To Let Intelligence Community Have More Hacking & Mass Surveillance Powers

from the the-endless-march-of-fear-based-progress dept

The Dutch government is looking to expand its surveillance powers, something which would seemingly be at odds with the current public antipathy towards mass surveillance, but of course isn't, because governments are expanding powers even while complaining about being spied on. This would be the first major update of its surveillance authorities since 2002, something likely viewed as essential due to changes in technology and "evolving threats."

Matthijs R. Koots has a very thorough examination of the proposed expanded authorities at his blog, which notes the expansion would come bundled with "improvements to oversight." While there does appear to be better oversight (and better targeting) in the bill, final approval for much of this leads back to a single person: the Minister of the Interior. Legal oversight is provided by the Dutch Review Committee on the Intelligence and Security Services -- roughly the equivalent to the US's intelligence committees in the House and Senate.

The good news is that, while the bill provides for bulk interception/collections, it does require more specific targeting than the twisted definition of "relevant" the FISA Court applies to the NSA's collections. The country's bulk interception program would go further than simple metadata and much further than targeting telcos and major service providers. The bill would demand mandatory cooperation from "providers of communications services," which is very broadly defined.

["Providers of communications services"] is defined in a way that includes not only providers of public electronic communications networks and services, but also providers of closed networks, and includes telcos, access providers, hosting providers and website operators.

While the sources are broadly defined, the requests for information will (hopefully) be much more limited.

The use of this power requires approval from the Minister, and the approval request must specify the investigation, the purpose of interception — “purpose-orientation” (Dutch: “doelgerichtheid”) is introduced as a new requirement that intends to limit bulk interception to what is relevant to a “purpose” that must be specified ‘as specifically as possible'; ‘a general indication does not suffice’ —, the type of telecommunications (e.g. GSM, radio, satellite, internet; optionally including geographic boundaries), optionally the types of traffic that are relevant (e.g. voice, chat, file transfer), and in the case of cable networks, the cable infrastructure that is targeted. In other words, no blanket authorizations for non-specific interception will exist, although blanket-like authorizations may, depending on how broad a “purpose”, in the context of a specified investigation, is allowed to be in practice; the requirement, mentioned in the MoU, that the purpose be specified “as specific as possible”, leaves room for interpretation (perhaps necessarily so).

Thus endeth the good news. The broadly-defined providers would be required to "provide access" to their systems and bulk data interceptions would remain "live" for three years, rather than just one. This bulk data can also be shared with "foreign powers." Again, this is at the discretion of the Minister, so it all depends on how much the Dutch trust their minister to be mindful of their data and communications.

Additionally, service providers would be compelled to hand over stored communications (emails, text messages) in addition to any bulk data collected. Worse, the government would be granted the power to force providers to assist in the decryption of sought data and communications.

Furthermore, the intelligence services are authorized, under certain conditions and after approval from their Minister (Art.30-6 and Art.41-2), to compel anyone (Dutch: “een ieder”) to help decrypt data in an automated work (Art.30-5 to 30-8) or help decrypt conversations, telecommunications or data transfer (Art.41-1), e.g. by handing over keys or providing decrypted data. (A similar provision is present in the current law.) Another legal option to defeat encryption is the use of the hacking power (Art.30, see below), which requires after approval from the Minister; and yet another legal option is the use of agents (who can be tasked with interception or hacking) or informants (e.g. a sysop who, as part of daily work, has access to cryptographic keys).

The government's hacking powers would also be slightly expanded. The bill would provide authorities with the power to hack adjacent systems to find a side door/back door if the original target proves resistant to its efforts.

The technical reality shows that targets are generally security-aware, but that operational opportunities for using weaknesses in technical peripheral users, such as co-tenants of a certain server, which can lead to successful breaking into the automated work of the target.

There's more bad news than good in the proposal. While it's understandable that surveillance laws would need to be revisited more than a decade on from their original installation, it would have been nice to see a little more restraint deployed, rather than the assumption that an expansion of powers (without a corresponding expansion of oversight) is the only way to deal with evolving communications methods.

For what it's worth, Dutch citizens have until September 1st to offer their input on the bill's proposals. How much deference the government will show to dissenting opinions remains to be seen.

Filed Under: dutch, hacking, mass surveillance, netherlands, surveillance

Dutch Fiasco Demonstrates Futility Of Security Through Obscurity

from the no-secret-algorithms dept

Recent research on the security vulnerabilities of a new Dutch fare card system offers important lessons for computer security. The Dutch government spent $2 billion on the system, which has now been demonstrated to have fatal flaws. The researchers disassembled the smart cards used by the system and took high-resolution photographs of the circuitry. This allowed them to reverse-engineer the encryption algorithms being used by the system. As Felten points out, this wouldn't have been a problem if the Dutch had used an open crypto algorithm that has been widely tested and found to be secure. But because the system relied on algorithmic secrecy for security, this could be catastrophic. The algorithm uses a relatively short 48-bit key. This means that once the algorithm is known, it becomes possible to perform a brute-force attack, simply trying all 281 trillion possible keys in parallel until the correct one is found. That requires a non-trivial amount of computing power, but it's well within the capabilities of modern computer hardware. Indeed, this is precisely the approach taken by a Johns Hopkins research group three years ago when they cracked the encryption on the Exxon Mobil Speedpass, which used a 40-bit key. Brute forcing the 40-bit algorithm reportedly took the Hopkins team about 20 minutes, which suggests that -- even ignoring improvements in hardware -- it should be possible to brute force a 48-bit key in under a week. Since they're just deploying the system now and are presumably planning to use it for a decade or more, 48 bits is woefully inadequate. They ought to have used a standard, widely-tested cryptographic algorithm with a significantly longer key size, in order to make brute force attacks impractical.

Filed Under: dutch, security