On my resignation as regulator of the Dutch intelligence and security services

2022-09-10 3:55 · berthub.eu

I’ve seen some mediocre automated translations of my Dutch language resignation statement go round. To prevent any confusion, please find the story here in English:

Until today I was one of the three members of the board that checks warrants for the Dutch intelligence and security services. This board is called “Toetsingscommissie Inzet Bevoegdheden” or TIB.

If either of the civil or the military intelligence and security services of The Netherlands want to use their lawful intercept, SIGINT or hacking (& some other) legal powers, they have to first convince their own jurists, then their ministry and finally the TIB. The TIB then studies if the warrant is legal, and that decision is binding.

To further international transparency, the TIB also publishes its annual report in English.

When I joined the regulatory commission, I was very happy to find that the Dutch intelligence and security services were doing precisely the kinds of things you’d expect such services to do. I also found that our regulatory mechanisms worked as intended - if anything was found to be amiss, the services would actually stop doing that. If the ex-ante regulator (i.e., my board) ruled a permission to do something was unlawful, it would indeed not happen. I think it is important to affirm this in public.

Over the past two years however there have been several attempts to change or amend the Dutch intelligence law (English language translation).

The most recent attempt has now cleared several legislative hurdles and looks set to be passed by parliament.

Under this new law, my specific role (technical risk analysis) would mostly be eliminated. In addition, the Dutch SIGINT (bulk interception) powers would be stripped of a lot of regulatory requirements. Furthermore, there are new powers, like using algorithmic analysis on bulk intercepted data, without a requirement to get external approval. Finally, significant parts of the oversight would move from up front (‘ex ante’) to ongoing or afterwards (‘ex post’).

Doing upfront authorization of powers is relatively efficient, and is also pleasingly self-regulating. If an agency overloads or confuses its ex ante regulator, they simply won’t get permission to do things. This provides a strong incentive for clear and concise requests to the regulator.

A regulator that has to investigate ongoing affairs however is in a different position. It can easily become overloaded, especially if it is unable to recruit sufficient (technical) experts. In the current labor market, it is unlikely that a regulator will be able to swiftly recruit sufficient numbers of highly skilled computer experts able to do ongoing investigations of sophisticated hacking campaigns and bulk interception projects. An overloaded regulator does not provide good coverage. It is also vulnerable to ‘starve the beast’ tactics.

Once it became clear the intended law would likely pass parliament, I knew I would have to resign anyhow, since I don’t agree with the new expanded powers and the changes in oversight.

As a member of the regulatory board, I could not share my worries about the new law. The regulatory board itself is staffed with excellent people, but by design, the board only operates within the existing law. It is not responsible for formulating or even criticizing any new laws.

Instead of waiting out the likely passing of the new law, I’ve decided to leave now.

This enables me to speak my mind on what is wrong with the new law. It may not help, but at least it is better than watching democratic backtracking in silence.

It has been a great honor to have been part of the regulatory powers board. Its staff and members are an impressive bunch, and I wish them the best of luck with their ongoing and important work.

On a final note, if anyone is looking for a government regulator with a proven track record of resigning when things go wrong, know that I’m available.


Comments

  • By evrydayhustling 2022-09-10 15:01, 2 replies

    This is a really elegant point.

    > Doing upfront authorization of powers is relatively efficient, and is also pleasingly self regulating. If an agency overloads or confuses its ex ante regulator, they simply won’t get permission to do things. This provides a strong incentive for clear and concise requests to the regulator.

    It is very easy for regulators, even well-meaning, to focus on what they require of an individual transaction. But we live in a world where automation and dynamic workforces make it possible to break every expectation about how a system will be used.

    • By dekken_ 2022-09-10 15:50

      Those that would impose unaccountable automated systems think themselves your master.

    • By permo-w 2022-09-10 17:36, 2 replies

      just to play devil’s advocate, I would imagine it could and will be argued that this system is broken by being too much at the mercy of the competence of the regulator. if national police need to tap someone’s phone now or lives may be lost, and the regulator drags their feet/is understaffed/has an inefficient workflow, that is an issue

      personally, I support the ‘ex ante’ approach, but - especially for the all-too-common kind of free-market ideologues that despise government regulation and have no trust in the competence of public organisation whatsoever - shoot first, ask questions later is hard to argue against

      • By upsidesinclude 2022-09-10 17:59

        It's just that this almost never happens.

        It's always the excuse for why unlimited surveillance should be granted to the state, but we know from 20 years since the "patriot" act passed that it doesn't ever help.

        Of course it has been abused verifiably many times & countless times that can't be verified.

      • By tene 2022-09-10 19:23

        I understand that you're not personally advocating for this position, but I'm glad you brought it up, because I really resent this kind of "Here's an imaginable scenario where this would have some negative consequence" argument.

        Yes, if the regulators stop doing their job well, and there's a sudden extreme emergency requiring some kind of action that regulators have not already approved for use in emergencies, then there will be some costs, and sometimes those costs can be measured in lives.

        This is true, but all it says is "there is some nonzero chance of society paying some nonzero cost". These costs are what we are paying in order to have a well-regulated intelligence service. The bet is that the expected risk from an effectively-unregulated intelligence service has worse costs for society than one with effective regulation.

        In order for "think about the children" to be a meaningful argument, you need to actually establish that the nightmare scenario is meaningfully more likely than overreach and abuse of power that causes similar or worse costs for society.

        Has this kind of "We could save the children if only we could get regulator approval to tap this phone line! Unfortunately, the regulator is taking a nap, so we're forced to let the children die." scenario actually been happening? If so, is there any kind of much-more-specific permissions that could be granted by the regulators to address the actual emergencies that have been coming up?

        I kind of get "You can't trade off a life!" for some kinds of arguments, but we're talking about national security issues, and failures of corruption and overreach also involve risking lives.

        "We need to just drop all safeguards and trust our valiant heroes" only works if the people who are subject to regulations actually are pretty reliably valiant heroes, or there are other significant incentive and oversight mechanisms to rely on. I don't have personal experience with people who work in national intelligence and security, but I haven't ever heard anyone willing to say that people in this line of work are consistently virtuous and corruption-resistant. There are good individuals, certainly, but there really are also both selfish individuals, and well-intentioned-but-misinformed individuals who can do a lot of damage.

  • By vintermann 2022-09-10 10:27, 1 reply

    That last line made me laugh, but it's funny because it's true. It's down to the "sit where you're sitting" effect.

    Noam Chomsky famously told Andrew Marr during an interview that he was sure Marr was sincere and believed everything he was saying, but if he'd believed anything else, he wouldn't sit where he was sitting.

    It follows from that true observation that the only time such appointed watchdogs (whether oversight board members or news personalities) are actually doing something, is when they quit, or at least threaten to quit.

  • By seper8 2022-09-10 9:23, 2 replies

    Thank you so much, it takes courage to do this. Thank you for your service over the past years, I hope you were a real thorn in the side of our security services from time to time!

    • By FabHK 2022-09-10 9:33, 1 reply

      Indeed. Respect. Gotta love the last line:

      > On a final note, if anyone is looking for a government regulator with a proven track record of resigning when things go wrong, know that I’m available.

      Hope this triggers re-evaluation of the proposed law by the Dutch legislators.

      • By daniel-cussen 2022-09-10 15:41

        Dude would love that for http://fgemm.com. Not raking in those revenues yet, yes I have the speedup and yes that's considered the hard part, but to me that's the easy part and translating that into human currency is the hard part.

        Like I'd have to think for just a fucking second, stop and think it's a big ask...but yeah.

        Idealism.

        Yeah.

    • By brnt 2022-09-10 11:03

      He did first enable them through setting up their networks securely ;)

      My reading is that it isn't so much about the security agencies (in the Netherlands at least), but the politicians that are widening scope because that's what they think is needed.

      One of the problems in recent Dutch political culture is that elected officials listen less and less to their experts and own ministerial advices, and more and more to (imagined) public calls. The idea that part of their role means to translate, explain and defend technical advices from their ministries seems to have been entirely abandoned.
