Written by Thomas
Over the last decades, technology has vastly changed society. Though technology has had a positive impact on government service delivery, there have been multiple occasions where governments have used their technological advantages for shadowy purposes, such as mass surveillance and bulk data mining (Brinkhoff, 2017). Security services and intelligence agencies have developed methods to analyse citizens’ digital footprint under the guise of safety, but are these methods justified, and what are the implications?
This essay discusses the alleged mass data mining by intelligence agencies in the Netherlands. This subject is relevant because of the outcome of a referendum held in 2017, in which new legislation providing intelligence services with extra powers was rejected. One of the roles of any government is to provide safety, and with intelligence agencies not being able to analyse all digital data, this task is made much more difficult. The balance between privacy and safety is one of the key points governments struggle to find a clear answer to (Bellanova et al., 2017).
To be able to determine the implications of large-scale data mining, it is important to have an idea about what data mining is. According to Brinkhoff (2017):
The term Big Data refers to the phenomenon of an ever larger and increasingly complex number of digital data and data files that keep growing in scope continuously and exponentially. It is a known fact that worldwide different intelligence agencies employ automated data analysis, known as data mining, on data and data files to understand Big Data (p. 1).
Since the increased access to the internet and the rise of social media, people spend more time online. According to Baccarella et al. (2018), this may seem harmless, but many social media users do not fully understand the implications of spending time online. Big-tech companies such as Facebook, Google, and Amazon collect massive amounts of data from their users, and most users do not know where the data is stored and what companies use it for. Intelligence and security services have become notably interested in this data. For example, the British Government Communications Headquarters (GCHQ) has used a so-called “data vacuum cleaner” to create a profile of all internet users in the world, and identify and investigate (possible) suspects (Brinkhoff, 2017).
When these methods became public after Edward Snowden leaked classified documents, it was deemed highly controversial. The documents revealed how different intelligence agencies in the world had similar data-mining programs, including those in the Netherlands (Gallagher, 2015). After questions from Parliament, it turned out that the Dutch general intelligence service, the AIVD, had access to data collected by the National Security Agency (NSA) in the United States. Not only did they have access to specific phones or internet addresses, but the NSA had unlimited access to all internet and phone communications in Europe. According to Brinkhoff (2017):
The Snowden case and the revelations about GCHQ have been a catalyst for the discussion on mass surveillance with a view to Big Data data mining. Central to this discussion is the tension between the protection of the right to privacy as set out in the first paragraph of Article 8 ECHR and the danger of abuse (p. 8).
For the first time, the public gained knowledge of what government agencies did with their data. All over the world, Parliaments and distressed citizens started looking for answers, often referring to a so-called “surveillance State” (Vogel, 2014; van Raak, 2015; European Parliament, 2015). Since the 9/11 terrorist attacks, many countries introduced legislation to make it possible to gather data from their citizens to prevent terrorist attacks. The extent to which this is possible is often not publicly known. Because data mining generally does not stop at national borders, it is difficult to hold someone accountable. This can lead to even more refined ways of operating by intelligence agencies to obtain the information that is deemed necessary (Lahneman, 2010).
Implications of data mining
Since Edward Snowden leaked documents regarding mass data mining by the NSA, citizens became more worried about the implications. According to Hu (2017), society enters an era where technology has advanced to an extent in which (biometric) data could lead to the introduction of a high-tech digitised biometric security card. What are the technological and societal implications of using such data, and more importantly, how can governments guarantee rights such as privacy?
To collect data on a massive scale such as the NSA and GCHQ did, governments need to have a strong lead in technological development. With the emergence of big tech companies, intelligence agencies had to adapt new strategies to analyse all data. Former Director of National Intelligence, Dan Coats, argued that: “the transformation of the American intelligence community must be a revolution rather than an evolution” (Hershkovitz, 2019). The amount of data social media companies collect from their users is particularly useful for intelligence agencies, and it is publicly known that there are public-private collaborations between tech companies and intelligence agencies. According to Davey Winder (2020), the CIA owned an encryption company allowing the agency to spy on more than 100 foreign governments. A more recent example is that of the Israeli private company NSO group, which developed software that allows governments to hack personal phones. This software was also acquired by the Dutch government and used by their intelligence services (Modderkolk, 2022).
Because intelligence agencies work together with private companies or encourage companies to not fix so-called backdoors, the power of intelligence services has become more prominent (Smith, 2020). Not only can tech companies not assure that user data is safe, but they actively work together with intelligence agencies. This means that citizens no longer know what happens with their data and who is accountable in the case of data leaks (Eskens et al. 2015).
Moreover, the work of surveillance agencies in this technological era also has an impact on society. Countries in which governments collect lots of data are sometimes referred to as ‘surveillance states’ or ‘Orwellian states’, referring to the societal condition imagined by George Orwell in his book 1984 (Orwell, 1949). One example in the Netherlands is the fact that it is legal to wiretap a phone without a warrant (Reidenberg, 2014). According to research from the European Digital Rights association in 2004, the Netherlands carries out the most wiretaps per capita. This could have implications for Dutch citizens since there are no judges involved, and therefore relies exclusively on ex-post oversight.
Data of innocent civilians may be affected and therefore privacy rights are not guaranteed. As mentioned before, one of the main tasks of governments is to provide security for their citizens. In the Netherlands, the National Coordinator for Terrorism and Safety (NCTV) is responsible for the protection of all processes that are vital to society. Because this institution has great responsibilities, it needs to utilise methods that are not publicly available. In 2017, the Dutch state held a non-binding referendum about the Dutch intelligence and security services act. The proposed law would provide extra powers for Dutch intelligence services. For example, it would become possible to wiretap a whole area instead of an individual and share data with other intelligence agencies. According to the former Director-General of the Dutch intelligence service, the Dutch government could no longer ensure national safety without the extra powers (Bertholee, 2018). The outcome of the referendum was a no, leaving Dutch intelligence services relying on a law from 2002, a time when mobile phones and personal computers were almost non-existent.
The debate shows that data mining has several implications for technology and society. There is a thin line between guaranteeing safety and abandoning privacy rights (Mell, 2002; Bignami & Resta, 2017). Logically, there are cases where national security has priority over privacy rights. However, how can these rights be guaranteed when an individual, a whole neighbourhood, or even an entire country is being watched? The Dutch perspective on this started to shift after the 9/11 terrorist attacks and became more prominent in 2011 when a few Dutch citizens started to travel to Syria to fight for the Islamic State (Canavar et al., 2020). The most pressing issue is how governments can find a balance between guaranteeing security and still acting within the law.
Finding the right balance
For most experts, it is impossible to objectively determine when a person’s rights can be overruled to ensure national security. In 2013, the Dutch government appointed a special state committee to assess existing laws and make recommendations about improvements (Eijkman et al., 2018). The report recommended the introduction of new methods such as hacking and the bulk collection of data from wired networks. Implementing these methods would lead to increased efficiency for intelligence services. On the other hand, more restrictions on the processing of the data were recommended. The committee found that ex-ante oversight according to the Dutch constitution was enough, whereas ex-post oversight would be limited to lawfulness (Dessens, 2013).
Eijkman et al. (2018) state that a technology-neutral approach still has significant risks and could result in benefitting from loopholes and opportunities. The Dessens Committee report and the research done by Eijkman et al. (2018) show that it is nearly impossible to find the right balance in every case. Therefore, oversight of the services is important. The committee recommended close to no oversight, but this was opposed by the newly installed government in 2017. In conclusion, it is hard to find the exact balance that is needed to be able for intelligence services to act accordingly, but within the law. In June 2022, the Dutch newspaper de Volkskrant published an article in which four anonymous sources confirmed that the Dutch intelligence services used the Israeli software Pegasus. The intelligence agency does not want to confirm or deny the use of the software. Still, rumours are at least remarkable since the Dutch government earlier forbade the use of hacking software that was also sold to authoritarian regimes elsewhere in the world (Modderkolk, 2022). Later in 2022, the Dutch Minister of Justice and Security again tried to implement a bill providing more powers to intelligence services, but the Council of State rejected the bill because it was too unclear (Geurts, 2022). In September 2022, this proposed bill led to the resignation of a member of the oversight committee who said the bill was not sincere and meaningless (Wassens, 2022).
With a fast-changing digital environment in the world, it has become harder for governments to ensure national security. Intelligence agencies have developed multiple ways to collect and analyse data of all internet users around the world, but when documents about these programs were leaked by Edward Snowden in 2013, the question of how legal these programs were was raised more often. To find out what the implications of large-scale data mining by intelligence services are, this essay looked at the case of large-scale data mining by Dutch intelligence services.
It can be concluded that there are several technological and social implications. Research has shown that the Dutch police started with a Big Data data-mining program, but that there is no suitable legislation to ensure the rights of citizens. With a proposed new law, Dutch intelligence services would acquire more powers to keep up to date in today’s technological era. The Dutch electorate opposed that law in a referendum. Nevertheless, the Dutch government has decided not to give up on new legislation. Since the referendum, bills have been proposed which include similarities with the bill from 2017. Yet, once again the government has been met with resistance. This time not from the citizens, but from the highest court: The Council of State. It remains to be seen if the Dutch government can keep up in this digitalized era while searching for a solution.