The AIVD and the MIVD have the legal (investigatory) power to “hack”, that is, to break into computer systems. The CTIVD has investigated whether the AIVD and the MIVD have exercised their hacking power lawfully and with due care. The CTIVD review report was published in April 2017. The English translation of the report was made available in October 2017.
In this Review report, the CTIVD finds that the AIVD and the MIVD in general use this power in a well-considered manner. Hacking is found to be an effective power: in most cases, it produced results that were in the interest of national security and could not have been obtained in any other way.
In the vast majority of the dozens of hacking operations reviewed that were conducted in 2015, the AIVD and the MIVD acted in accordance with the law. Overall, the services are aware of the seriousness of the interference with the rights and interests of the parties involved associated with the use of the hacking power. This first and foremost concerns the right to protection of privacy, but also the importance of safeguarding the integrity of IT systems.
However, shortcomings have been identified with respect to certain procedures. The most important of these is the structural failure by the services to destroy data at times they are obliged to do so.In addition, both services still fail to observe (non-statutory) retention periods for unevaluated data copied and stored during a hack, despite having promised the House of Representatives that they would do so. They also fail to destroy data that is found to be not relevant and data that has been unjustly processed. These omissions by the services are unlawful.
Shortcomings have also been identified concerning unknown vulnerabilities, the so-called “zero days”.
In their reaction to the review report the ministers of the Interior and of Defense have concurred with the conclusions drawn by the CTIVD and have adopted her recommendations.