On my resignation as regulator of the Dutch intelligence and security services

I’ve seen some mediocre automated translations of my Dutch language resignation statement go round. To prevent any confusion, please find the story here in English:

Until today I was one of the three members of the board that checks warrants for the Dutch intelligence and security services. This board is called “Toetsingscommissie Inzet Bevoegdheden” or TIB.

If either of the civil or the military intelligence and security services of The Netherlands want to use their lawful intercept, SIGINT or hacking (& some other) legal powers, they have to first convince their own jurists, then their ministry and finally the TIB. The TIB then studies if the warrant is legal, and that decision is binding.

To further international transparency, the TIB also publishes its annual report in English.

When I joined the regulatory commission, I was very happy to find that the Dutch intelligence and security services were doing precisely the kinds of things you’d expect such services to do. I also found that our regulatory mechanisms worked as intended - if anything was found to be amiss, the services would actually stop doing that. If the ex-ante regulator (ie, my board) ruled a permission to do something was unlawful, it would indeed not happen. I think it is important to affirm this in public.

Over the past two years however there have been several attempts to change or amend the Dutch intelligence law (English language translation).

The most recent attempt has now cleared several legislative hurdles and looks set to be passed by parliament.

Under this new law, my specific role (technical risk analysis) would mostly be eliminated. In addition, the Dutch SIGINT (bulk interception) powers would be stripped of a lot of regulatory requirements. Furthermore, there are new powers, like using algorithmic analysis on bulk intercepted data, without a requirement to get external approval. Finally, significant parts of the oversight would move from up front (’ex ante’) to ongoing or afterwards (’ex post’).

Doing upfront authorization of powers is relatively efficient, and is also pleasingly self regulating. If an agency overloads or confuses its ex ante regulator, they simply won’t get permission to do things. This provides a strong incentive for clear and concise requests to the regulator.

A regulator that has to investigate ongoing affairs however is in a different position. It can easily become overloaded, especially if it is unable to recruit sufficient (technical) experts. In the current labor market, it is unlikely that a regulator will be able to swiftly recruit sufficient numbers of highly skilled computer experts able to do ongoing investigations of sophisticated hacking campaigns and bulk interception projects. An overloaded regulator does not provide good coverage. It is also vulnerable to starve the beast tactics.

Once it became clear the intended law would likely pass parliament, I knew I would have to resign anyhow, since I don’t agree with the new expanded powers and the changes in oversight.

As a member of the regulatory board, I could not share my worries about the new law. The regulatory board itself is staffed with excellent people, but by design, the board only operates within the existing law. It is not responsible for formulating or even criticizing any new laws.

Instead of waiting out the likely passing of the new law, I’ve decided to leave now.

This enables me to speak my mind on what is wrong with the new law. It may not help, but at least it is better than watching democratic backtracking in silence.

It has been a great honor to have been part of the regulatory powers board. Its staff and members are an impressive bunch, and I wish them the best of luck with their ongoing and important work.

On a final note, if anyone is looking for a government regulator with a proven track record of resigning when things go wrong, know that I’m available.