UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
According to Article 13.1 of the Telecommunications Act (the TCA), providers of public telecommunications networks and publicly available telecommunications services (service providers) will only make their telecommunications networks and services available to users if these can be wiretapped. Rules may be set by or follow a general administrative order regarding the technical susceptibility to tapping of public telecommunications networks and publicly available telecommunications services.
The TCA requires public telecommunications service providers to set up and maintain a reasonable interception capability in their networks. This includes being able to implement an interception after having received an interception warrant.
Note that the service provider will bear the costs of the investment, exploitation and maintenance of the interception capabilities.
In addition, failure to comply with an interception warrant is a criminal offence (Article 184 of the Dutch Criminal Code (Wetboek van Strafrecht or DCC)).
DUTCH CODE OF CRIMINAL PROCEDURE
Article 13.2 of the TCA obliges providers of public telecommunications networks to cooperate with the enforcement of an administrative order according to the Dutch Code of Criminal Procedure (Wetboek van Strafvordering or DCCP) or consent according to the Intelligence and Security Services Act 2002 (Wet op de inlichtingen- en veiligheidsdiensten 2002 or ISSA) over the tapping or recording of communications that takes place via their telecommunications networks, or for the communications handled by them. Service providers are required to take all reasonable practical steps requested by the relevant authority to comply with an interception warrant.
It follows from Articles 126(m) (serious crime), 126(t) (planned organised crime) and 126(zg) (indications of terrorist crime) of the DCCP that a supervisory judge can issue an interception warrant where the public prosecutor believes it is necessary for the investigation of criminal cases.
The Minister of Interior and Kingdom Relations may, furthermore, authorise interception by the General Intelligence and Security Service (Algemene Inlichtingen- en Veiligheidsdienst or AIVD) and the Minister of Defence may authorise interception by the Military Intelligence and Security Service (Militaire Inlichtingen- en Veiligheidsdienst or MIVD) according to Article 25 of the ISSA. Interception by the MIVD outside military territory also requires the authorisation of the Minister of Interior Affairs.
It should be noted that illegal interception is a criminal offence (Article 139c of the DCC) which can lead to a penalty of maximum EUR82,000.
Disclosure of Communications Data
The TCA requires service providers to store traffic data. This data would include the location of the cell of origin.
Article 13.4 of the TCA states that the service provider is obliged to provide the data requested on the basis of Articles 126(n), 126(na), 126(u) and 126(ua) of the DCCP.
Moreover, the service provider is obliged to disclose data to the AIVD and MIVD on the basis of Article 28 of the ISSA. The ISSA also includes an obligation to cooperate in decrypting the data.
The service provider is obliged to retain and/or provide location data, traffic data and data which can identify the user of the telecommunications network (Article 13.2(a) of the TCA and Articles 126(ng), 126(ug) and 126(zh) of the DCCP. Generally, the content of customer communications is not stored. However, Articles 126(ng), 126(ud) and 126(ug) of the DCCP state that a provider can be obliged to provide stored data when it can reasonably be expected that it has access to such data. In addition, the service provider can be obliged to cooperate in the decryption of the data (Articles 126(nh) and 126(uh) of the DCCP).
Article 13.2(a) of the TCA states that the service provider is obliged to retain certain information. According to Article 13.2(b) of the TCA, the service provider is obliged to cooperate with an order on the basis of Articles 126(hh), 126(ii), 126(nc)–126(ni) and 126(uc)–126(ui) of the DCCP, and to disclose such information to the law enforcement agency.
National Security and Emergency Powers
In exceptional circumstances connected with the enforcement of international rules of law, international relations or war, the Minister of Economic Affairs may issue instructions, in agreement with the Minister of Foreign Affairs, to providers of public telecommunications networks and publicly available telecommunications services regarding the provision of telecommunications from and to other countries. In agreement with the Minister of Security and Justice, the Minister of Economic Affairs may also issue instructions to such providers regarding the use of messages from government bodies to warn the public of impending disasters or emergencies (Article 14.1 of the TCA).
In addition, under Article 14.4 of the TCA (which at the time of writing has not yet entered into force) and in the event of the necessary exceptional circumstances, the Minister of Economic Affairs will be able to give instructions to service providers concerning the maintenance and exploitation or use of their public telecommunications networks. In the case of a war, the Minister of Economic Affairs may only give such instructions in agreement with the Minister of Defence (Article 14.3 of the TCA). According to Article 14.2 of the TCA, Article 14.4 of the TCA may only enter into force in exceptional circumstances, by Royal Decree and on the recommendation of the Prime Minister.
Oversight of the Use of Powers
Instructions given by the Minister of Economic Affairs cannot be appealed and the authorisation of a supervisory judge must be obtained in respect of the investigations of criminal cases.
SHUT-DOWN OF NETWORK AND SERVICES
Under Article 14.4 of the Telecommunications Act (TCA), in exceptional circumstances (usually war, terrorism, natural disaster, etc), the Minister of Economic Affairs may require network providers such as Vodafone to maintain, market or use their telecommunications networks in line with his or her instructions. Although it is not explicitly stated in the TCA, the Minster might be able to instruct Vodafone to shut down its entire network or a particular service.
BLOCKING OF URLS & IP ADDRESSES
As set out above, Article 14.4 of the TCA gives the Minister of Economic Affairs wide powers in exceptional circumstances. Although it is not explicitly stated in the TCA, it cannot be excluded that the Minster might instruct Vodafone to block URLs or IP addresses.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
As set out above, Article 14.4 of the TCA gives the Minister of Economic Affairs wide powers in exceptional circumstances. Although it is not explicitly stated in the TCA, the nature of the powers given to the Minister could effectively extend to taking control of Vodafone’s network.
Oversight of the Use of Powers (Censorship-related)
Instructions given by the Minister of Economic Affairs under Article 14.4 of the TCA cannot be appealed.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Yes. Article 13.2 of the TCA contains an obligation to cooperate with decrypting (with reference to Articles 126m (severe infringement of the legal order) and 126t of the DCCP).
Article 13.2b of the TCA also contains an obligation to cooperate with decryption (with reference to Articles 126nh (fairly serious crime), 126uh (planned serious organised crime) and126zp (indications of terrorist crime) of the DCCP. Moreover, Article 2(e) of the Decision of Interception of Public Communication Networks and Services (Besluit aftappen openbare communicatienetwerken en -diensten, DIPC) contains an obligation to disclose data without cryptography.
According to Article 25 of the ISSA, anyone who knows how to remove the encryption of conversations, telecommunications or data transfer is obliged to provide all necessary cooperation in order to decrypt such communications.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
According to Article 13.2 of the TCA (with reference to Articles 126m and 126t of the DCCP) and Article 13.2b of the TCA (with reference to Articles 126nh, 126uh and 126zp of the DCCP), a provider may be ordered to cooperate in the decryption or to make its knowledge of the encryption available, if there are good grounds to suspect that it has knowledge of the way the data is encrypted. According to Article 25 of the ISS, ‘anyone’ who has knowledge of the way of removing the encryption of conversations, telecommunications or data transfer, is obliged to provide all necessary cooperation in order to decrypt such communications.
Given this broad wording, it may be that if telecommunications operators are able to provide equipment interference or if it is technically possible for them to interfere with the set-up of encryption and the subsequent communications in such a way that they gain access to the cleartext data, they could be ordered to decrypt the data.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
No. According to Article 13.1 of the TCA, providers of public telecommunications networks and publicly available telecommunications services will only make their telecommunications networks and services available to users if these can be wiretapped.
According to Articles 13.2 and 13.2b of the TCA, Article 25 of the ISS and Article 2(e) of the DIPC, a service provider has to disclose data without the encryption it has applied, or must cooperate with the decryption or make its knowledge regarding the encryption available, if there are good grounds to suspect that it has knowledge of the way in which data is encrypted.
If the software provided by a telecommunications operator enables customers themselves to encrypt their communications and the telecommunications operator is not able to decrypt the data or has no knowledge of the way in which the data is encrypted, we take the view that a telecommunications operator could face a challenge under Article 13.1 of the TCA.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.
In the research, Vodafone has not found any examples of the Dutch government using legislation, other than the legislation mentioned above, to demand access to data protected by encryption.