Security versus privacy: a false opposition

Metadata collecting to protect your freedom

In response to a referendum held in the Netherlands on the 21/Mar/2018, asking citizens to vote yes or no on a proposal to collect metadata for security purposes, a group of eminent academics, security professionals and other stakeholders published a clear and concise analysis of the consequences of a yes vote prevailing.

The dutch version of the document (original) is here: A Google translation into English and a list of signatories follows hereunder:

“Security versus privacy: a false opposition

Does a no-vote against the Intelligence and Security Services Act (Wiv) make society more unsafe? Proponents of the new law say “yes” without reservation. But we, cybersecurity researchers, computer scientists and security professionals, question this.

We think the public debate about the new Wiv is too simple: security versus privacy. Are you for safety you vote “yes”; If your privacy is of greater importance, then you vote “no”. That the new law itself creates safety risks does not fit into this frame, but unfortunately this is true. These risks must be included in the debate and translated into the right considerations in the law.

The first security problem is the extensive hacking authority that allows the services to penetrate through unknown vulnerabilities on equipment and in networks. These vulnerabilities do not have to be reported to the producers and developers of the equipment or software. Due to this stagnation, not only the spy target is vulnerable, but also countless citizens at home and abroad. The chance is real that others use the same vulnerability for other purposes. Cyber ​​criminals and less fresh intelligence services will either find the vulnerability themselves or hack the data base of the services to steal this information. The multi-day cyber attack at the container terminal in the port of Rotterdam last summer is linked to information about vulnerabilities that were previously seized at the US service NSA. Not reporting vulnerabilities is a danger that causes serious economic damage and is difficult to reconcile with the safety task of the services. The use of vulnerabilities in devices and software by the government can also cause new vulnerabilities. In Germany this has been encountered with the Bundestrojaner: detection software that placed the German government in snare on computers of suspects, but whose control was easily taken over by third parties. This security risk is reinforced by a new power in the ISS. The law allows the services to hack third party devices that are not themselves a target of the services. This concerns devices that are connected to a target, for example the network equipment that is maintained by a system administrator. Individuals with a key role in IT, such as system administrators, become more vulnerable to external attacks by adding government software.

The second safety problem is related to the bulk interception, the phenomenon to which the new law owes its nickname: the drag law. To pick up the data traffic in bulk from the cable, tapping points are installed in the network. Within the cybersecurity, each tap point is an extra vulnerability. How do we know for certain that hackers do not use that taper? Moreover, the storage of the data acquired in bulk poses serious safety risks, because these mountains of data are also a gold mine for other spies and cyber criminals. With what degree of certainty can the Dutch services guarantee the non-leakage of these data? The threat of data leaks increases as the stored bulk information can be shared with foreign services (even without looking into it). The Netherlands is likely to do so with, among others, the British and the Americans. However, both countries have a rich history of data leaks in the government. Sharing data with these countries is therefore not without safety risk for the Netherlands.

In addition, more and more communication is effectively encrypted and metadata is being masked, certainly by criminals and (potential) terrorists. As a result, the dragnet quickly fills up with data from random citizens. This gives governments with a dragnet the incentive to ban security techniques such as end-to-end encryption and VPNs. We are currently seeing this happening in China. These techniques are, however, much needed for a secure internet and banning this poses a major security risk for citizens and society.

The third security risk is the loss of control over the use of the shared bulk information by foreign services. Stored bulk information, including by-catch, may be shared (even without looking into it) with foreign services. Abuse of favors from friendly services is not uncommon in the world of spies. For example, the German service BND granted unsuspecting access to the US service NSA to its databases in the fight against terrorism. Later it appeared that this access was being abused by the Americans for industrial espionage against Germany. Neither the new review committee (the TIB) nor the regulator (CTIVD) can check what happens to our shared data outside the country. This safety risk deserves a place in the debate.

So far a number of safety hazards of the new law. There are also strong indications that the use and necessity of the trawl in the fight against terrorism is exaggerated by the proponents. There is no evidence that undirected bulk collection and automated (meta) analysis are the most appropriate means. Not only does it offer no solution to fish out the so-called “lone wolves”. It also often appears afterwards that attackers were already known to the secret services. With traditional and targeted tap powers – which the Dutch secret services already have at their disposal – they should be able to get sight of them.

From research conducted by the New America Foundation into the effectiveness of bulk interception in more than 200 criminal investigations into terrorism suspects in the United States, it appeared that traditional research methods were often the initial motive, for example the use of informants, tips from local communities and targeted surveillance operations. Even the Anderson review report raises skepticism about the need for this very far-reaching means in the fight against terrorism. Proponents of the law cite this investigation because it would demonstrate the usefulness of bulk interception by the British intelligence services. Of the five investigated counterterrorism cases – which the services themselves had presented as successful examples – it appeared that the dragnet was mainly used in cases where the final suspects were already part of an existing terrorism network or had contact with targets, so that targeted tapping would have the same result. had. The need for bulk interception is therefore at least debatable.

In the search for safety, the Dutch legislator creates the above safety risks. These must be included in the debate that is unfortunately a lot more complicated than just privacy versus security. If only it was that simple.

Statement in English .

Initial signers

Dr. Greg Alpar
Open University & Radboud University

Jaya Baloo

Erwin Bleumink
SURF Herbert Bos
Vrije Universiteit Amsterdam

Stoffel Bos

Dr. Fabian van den Broek
Open University

Prof. dr. Dr. Marko van Eekelen
Open University & Radboud University

Sacha van Geffen
Director Greenhost

Simon Hania

Dr. Jaap-Henk Hoepman
Radboud University Nijmegen

Dr. Andreas Hülsing
Eindhoven University of Technology

Dr. Slinger Jansen
University of Utrecht

Dr. Ir. Hugo Jonker
Open University

LLM Blackbird King
Radboud University Nijmegen

Prof. dr. Dr. Bert-Jaap Koops
Tilburg University Matthijs Koot
Secura BV & Universiteit Amsterdam

Prof. Eleni Kosta
Tilburg University

Prof. dr. ir. CTAM de Laat
University of Amsterdam

Prof. dr. Dr. Tanja Lange
Eindhoven University of Technology

Michiel Leenaars
Director of Strategy NLnet Foundation

Rachel Marbus

Dr. Veelasha Moonsamy
University of Utrecht

Adriana Nugter

Dr. Andreas Peter
University of Twente

Dr Jean Popma
Radboud University Nijmegen

Prof. dr. Dr. Aiko Pras
University of Twente Rick van Rein
OpenFortress BV

Dr. Melanie R. Rieback
Radically Open Security BV

ir. Roland van Rijswijk-Deij
University of Twente

Dr. Christian Schaffner
University of Amsterdam

Dr. Peter Schwabe
Radboud University Nijmegen

Dr. Boris Skoric
Eindhoven University of Technology

Prof. dr. dr. Jan M. Smits
Eindhoven University of Technology

Rogier Spoor
Honeypot program, TCC

Dr. Marco Spruit
University of Utrecht

Dr. Erik Tews
University of Twente

ing. Hans Van de Looy RCX
UNICORN Security

Dr. Benne de Weger
Eindhoven University of Technology

Dr. Philip R. Zimmermann
TU Delft Cybersecurity Group


For questions from the press .

We accepted co-signatories via e-mail to . This section is now closed.


Joost Rijneveld
Radboud University Nijmegen

Dr. Freek Verbeek
Virginia Polytechnic Institute and State University

Mischa Rick van Geelen
Security researcher at the NFIR

JN Lancel
Fast Forward Society

ir. Arnoud Zwemmer
University of Amsterdam

Paul Oranje

Olaf M. Kolkman

Evert de Pender

Benoît Viguier MRes.
Radboud University Nijmegen

Shazade Jameson, MSc.
TILT, Tilburg University

mr.drs. Paulan Korenhof
University of Amsterdam

Bas Westerbaan
Radboud University

Brenno the Winter
independent security expert and hacker

Frank Terpoorten

Mr. Peter van Schelven
Docent Privacy law

ing. Michiel Steltman
Director of the DINL Foundation

Richard Lamb, MSc // Future Expertise Center

Ahmed Aarad
Open Source & Government

Gerke Pekema

Ir. Daan Koot
Privacy and information security advisor
Safeharbour BV

Arjen Kamphuis
Technology & Security Director
Pretty Good Knowledge BV

Dr. Anna Krasnova
Radboud University

Niels van der Weide
Radboud University

Dr. Mirko Tobias Schäfer
Project manager Utrecht Data School
University of Utrecht

Ronald Kingma, CISSP
Access42, Security Specialist

Ir. Guido van Rooij

Bernard van Gastel
Open University

Vera Taihuttu

Dick Engelgeer

Prof. dr. ir. Bart Preneel
KU Leuven

LLM Sascha van Schendel
Tilburg University

Adrianus Warmenhoven

Menso Heus
Technology Officer, Free Press Unlimited

Bart B. Willemsen

Drs. H. Mulders, MSc
Data Protection Officer since 2003
For municipalities and private institutions
Former secretary NGFG
Director of Privacy Expertise

Prof. dr. Dr. Joris van Hoboken
Vrije Universiteit Brussel & Universiteit van Amsterdam

Dr. Sietse Ringers
Radboud University

Gustavo Banegas
Eindhoven University of Technology

J. Kirk Wiebe
former NSA Senior Intelligence Analyst and NSA Whistleblower

Gerard Freriks, not a practicing doctor
Co-author NEN7510 Information Security in Healthcare Jeroen Keiren
Open University

Dr. ir. Harrie Passier
Open University

Dr. Nadezhda Purtova
Tilburg University

Dr. Kristina Irion
Institute for Information Law
University of Amsterdam

Martijn Terpstra, MSc

Dr. Frederik Zuiderveen Borgesius
researcher at the Vrije Universiteit Brussels, and at the University of Amsterdam

Stanislav Plotnikov

Jacob Appelbaum
Eindhoven University of Technology

Prof. dr. dr. Tom M. van Engers
Professor in Legal Knowledge Management
University of Amsterdam / Faculty of Law

Wouter van Rooij
Onepoint NL

Dr. ing. Sven Kiljan

Vladimir Bondarev, B.Eng
R & D SW Designer

Henk Bouman
Information Security Management student

Mara Paun, LLM
Tilburg University

Claudia Quelle
Tilburg Institute for Law, Technology and Society (TILT)

Ancilla van de Leest
Privacy Expert

Tom Bakker
Independent Information Security professional

William Binney
a former Technical Director at NSA

Prof.dr. Jos de Mul
Professor of Philosophic Anthropology
Erasmus University Rotterdam

Anton Tomas

Ir. Lex Borger

Ir. Christine van Vredendaal
Eindhoven University of Technology

Dr. Matthijs Pontier
Pirate party

ing. Vincent S. Breider
Security Advisor, Ethical Hacker
ITsec Security Services bv.

ing. Edwin Gozeling
Advisor, Ethical Hacker
ITsec Security Services bv.

Prof. dr. Dr. Sandro Etale
Eindhoven University of Technology

Elena Plotnikova

Pete Herzog
ISECOM – Institute for Security and Open Methodologies

Johan den Hartog
Security Specialist

Ir. Erik-Jan Bos
JIB Consult BV

Tineke Belder
10 Training & Coaching

Dr. Marijn Pool
Owner MPMD

Dr. Gjenna Stippel

Nico Pattinasarany

Aris Lambrianidis

Hans-Peter Ligthart

ing. Dennis van Warmerdam
Advisor, Ethical Hacker
ITsec Security Services bv.

Gerdriaan Mulder
Limesco BV
Radboud University Nijmegen

Version: Last changed 2018.03.21. First version 2018.03.17.”





Leave a Reply

Your email address will not be published.