The Netherlands will hold an advisory referendum on legislation that gives law enforcement authorities far-reaching surveillance powers, the Dutch Voting Commission said last week.
The new legislation, which lawmakers in the Netherlands’ upper house passed in July, is supposed to come into effect on January 1, 2018. It gives the intelligence service AIVD and its military equivalent MIVD extensive powers for monitoring online activity and collecting data.
Currently, Dutch citizens’ computers, phones and tablets can only be hacked when intelligence agencies suspect their owners of a crime. Under the new law, the Netherlands’ intelligence and security services would be allowed to gather information “by massively tapping into communications even by citizens who are not under suspicion,” as stated by students from Amsterdam University.
There’s a broad coalition of people and organizations who want to see the law reformed, ranging from the Libertarian and Pirate parties to international NGOs such as Amnesty International and digital rights groups such as Bits of Freedom. Those that have spoken out in favor of the act have so far managed to muster the usual arguments about security and innocent people having nothing to hide or fear.
Under Dutch law, the government must hold a non-binding referendum on an issue if the country’s Voting Commission receives no less than 300,000 valid signatures demanding it. Campaigners have collected over 417,000 signatures, of which the Commission confirmed 384,126 as valid.
To influence the new law, the referendum needs to achieve a turnout of at least 30% and for a majority of the voters to oppose it. If that happens, the government would be expected to look into the law once again, but could theoretically just make minor adjustments and put it into effect as planned.
Besides, the government agreement presented in October stated that the newly elected cabinet wants to get rid of advisory referendums. In April 2016, Dutch eurosceptic groups were triumphant after voters in a similar referendum gave the red light to a critical EU-Ukraine treaty. It was an embarrassing blow to Prime Minister Mark Rutte, who was then forced to negotiate with the 27 other countries and seek minor amendments to the agreement.
However, even if the Dutch campaigners lose this fight, another ruling in the coming years may boost their position. At some point in future, the Court of Justice of the European Union will have to determine whether the UK’s mass-surveillance legislation is legal, and the decision would also apply to other EU countries.
The new law grants Dutch authorities the powers to intercept and analyze Internet traffic, which has alarmed Mozilla developers.
Mozilla maintainers are concerned that the interception could be enabled by abusing SSL proxying. In fact, article 45 1.b of the new law directly licenses the use of “false keys” in third-party systems to obtain access to systems and data. That resulted in a proposal that the national Certificate Authority (CA) – the CA of the Staat der Nederlanden – be removed from Firefox’s automatic trust list.
“It’s ironic since the Netherlands was sent back to pencil and paper in 2011 when it’s official machine identity issuer – DigiNotar – was breached and used to aid Iran to trick and intercept private communications,” Kevin Bocek, chief cyber-security strategist at Venafi, told SC Media UK. “So you would think they’d know better.”
If the Dutch government doesn’t climb down, other browsers will most likely consider following Mozilla’s lead and distrusting certificates provided by the Netherlands.
It is always worrying to see the growing trend of governments seeking to control the power of encryption. From the UK’s Investigatory Powers Act of 2016 to the Chinese cyber-security law of 2017, lawmakers continuously choose to put dubious security benefits ahead of the digital rights of the citizens. We hope the Dutch government will take another look at the potential consequences of its actions and choose to respect the system of trust behind privacy and commerce across the Internet.
In any case, it is essential to be aware of the growing surveillance powers and look for safety measures on your own, no matter if you live in the Netherlands or any other corner of the world. A reliable way to protect your personal information from both cyber criminals and unwanted monitoring is to use a VPN service whenever you go online. Make sure to choose a VPN service provider that respects your privacy and keeps no logs of your Internet activity, like NordVPN.