8 June 2001


Date: Fri, 8 Jun 2001 17:58:31 +0200 (MET DST)
From: Paul Wouters <paul@xtdnet.nl>
To: <jya@pipeline.com>
Subject: [Hal-tap] Update Dutch tapping laws :( (fwd)

In a publication yesterday the government confirmed that it prefers that all technical details regarding Dutch mandatory tapping requirements remain confidential.

In that light, the government might (though I think it is extremely unlikely) request that I take down some documents, esp. these two:

Transport of Intercepted IP Traffic (TIIT v0.1.2.)
The Netherlands Ministry of Justice, et al

http://www.opentap.org/documents/TIIT-v0.1.2.pdf

Cryptome mirror: http://cryptome.org/TIIT-v0.1.2.pdf (40 pages, 313KB)

WAI/GT/FuncSpecs V1.0.1 (2000-06)
Functional specifications for lawful interception of Internet traffic in The Netherlands

http://www.opentap.org/documents/101WAI-GT-FuncspecV1.0.1.doc

Cryptome mirror: http://cryptome.org/101WAI-GT-FuncspecV1.0.1.doc (13 pages, 67KB)

HTML version: http://cryptome.org/nl-tap-specs.htm

Paul Wouters

---------- Forwarded message ----------

Date: Fri, 8 Jun 2001 17:42:56 +0200 (MET DST)
From: Paul Wouters <paul@xtdnet.nl>
To: hal-tap@hal2001.org
Subject: [Hal-tap] Update Dutch tapping laws :(

[ This document is published under the Free Documentation Licence version 1.1 or higher. A copy of this licence can be obtained at http://www.gnu.org/copyleft/fdl.html ]

My interpretation of "Regeling aftappen openbare telecommunicatie-netwerken en-diensten"

By Paul Wouters

Thanks to "great" lobbying of the NAO (www.nlip.nl/nao/) the temporary laws have now become obsolete, and will be replaced by a new law effective June 15, which mainly just dictates that all temporary "baking off" are deemed unnecessary, and the Telecommunication laws can come into effect with full force to ensure we comply with not only EU directives, but also some additional Dutch national directives.

For Dutch readers:

http://www.nlip.nl/nao/SC29553.pdf

A very scary and (IMHO) wrong summary can be found (again in Dutch) at:

http://www.nlip.nl/nao/sc107p7.jpg

The implications are scary. All reservations with respect to Internet have apparently been resolved, because:

"Extension of the scope of the regulation to the internet has become possible because the Werkgroep Aftappen Internet (WAI), in which representatives of providers of internet services and of the government participate, in mid-2000 completed the full set of technical and functional specifications that the systems of the providers of internet services must meet under the tappability requirement of article 13.1 Tw."

[ government and ISPs and suppliers of tapping machines have resolved all outstanding technical issues of these systems ]

This is esp. surprising because the NAO, part of WAI, through Mr. Bakker of the political party D'66 in this year had asked the government questions regarding these precise issues. As far as I know (I have officially been thrown out of the NAO because I've published some of their material, so neither NAO nor NLIP politics are openly or publicly known to me) there have been no satisfactory answers to these questions (though anyone having more up to date information without an NDA is welcome to share this with me and the world).

Another interesting tidbit is that this one-day-old document states that GPRS (the precursor of UMTS) is "expected to be rolled out in the NL at the end of 2000". With the main Telco (KPN, 35% owned by the Dutch government) in severe financial problems and on the verge of bankruptcy, UMTS seems further away than ever.

It confirms that all new telecommunication services need to be tappable, so the Siemens phones are now effectively illegal to sell as product or service, as well as other forms of cryptophones which the government cannot tap. For instance offering a new service with undecryptable email or SMS is now illegal.

Another item is the maximum amount (and costs) of taps. There used to be a percentage maximum, so a provider of a service had a hard limit of how many taps the government could ask of them. This limitation has now been removed, and replaced with "as many taps as needed to comply with the law", basically meaning 100% if the government so wishes it. This is phrased to be an "extra liberty" of the provider.

Another change is the implementation of the January 1995-passed EU resolution regarding lawful interception, and some changes to better "protect the privacy" of the citizens such as demanded by EU regulations, and the assurance that any violation thereof is justified for the sake of national security.

Though the law is no longer temporary, to facilitate the EU there was a need to put certain regulations in permanent law; changes to the technical tapping specifications as a result of emerging ETSI standards, or new cryptographic developments (read: AES), are to be expected, and the current and new specifications are not meant to endorse any specific vendor. All current taps are not affected by these law changes.

These changes have been reported to the EU on January 3rd 2001, notification number 2000/0734/NL. (If anyone has a copy of this, please contact me)

According to the publication in the Dutch Staatscourant, the EC had a few remarks, which our government has "responded to" in May 2001. Again, I don't know of any response but the response of the Staatssecretaris that said they would respond soon, but again, I'm suffering an information blockage by NAO/NLIP. Again, if anyone has this information, please contact me.

The conclusion of the government is that these law changes ensure "more flexibility and better efficiency to comply with the tapping obligations". Due to some "national statutes for criminal proceedings", the Dutch government "needs to dictate a few more technical measures" and the Dutch government no longer needs to engage in "bilateral discussion" regarding any tap. Providers just have to comply with all current laws, without the temporary exemptions or discussions/negotiations.

All types of caller-ID on all mobile services need to be available upon demand (and one can wait for the same to happen with IP numbers in the future, since the government already officially treats an IP number as a "physical communication device").

Internet (service) providers need to ensure they can start a tap immediately if presented with the account name or email address (see the XML section of the TIIT as well) of the "target" (remember, a target is officially "a suspect of a serious crime, or offense that might threaten national order or security").

The government realises that ISPs do not always know who their user is (think of Internet cafes) and simply states that those ISPs have a responsibility to be able to comply with the law. How the government can ask this (imagine a user using Hotmail from an Internet cafe, so no email address or account name is known, esp. if using SSL/TLS) is hidden in their definition of "account name", which includes any uniquely identifying mark of a user (e.g. cable modem connection, MAC address, IP number, etc). This of course very much complicates the "immediate tapping" that providers have to start upon being presented with an "account name", which suddenly becomes a very vague concept. Can it include "the person who just contacted server18.hotmail.com"?

Next comes an interesting compromise of the government where it states that providers don't need to tap "all routine communication between network devices", such as "signals between end-stations and base-stations of a mobile phone". This opens up the way for hidden communication, as has been seen over and over on the Internet (hidden information in DNS queries and answers, in ICMP echo packets etc).

A clarification of "end-user" is made. A corporate entity is also an end-user, so tapping an entire company because one user is suspected is now possible as well (compared to where a block of houses cannot be tapped because one person within the neighbourhood is suspected). Worse, it also includes "whoever is really using the telecommunication service".

Next, another worrying part. Not all the technical demands will be put into law because the government "prefers that these technical procedures remain confidential". A better reason is also mentioned: the technology changes too quickly, and would require too many minor law changes. However, we do notice a policy of "you better do what you think we want or need", an attitude which is dangerous and will lead to overenthusiastic tapping capabilities to ensure the government gets what it demands (which in itself gives the government the excuse to demand 'what is already readily available').

However, "we" are saved. The government must talk with the industry. Apart from my skepticism, the talks of the government with the industry (NAO and NLIP) resulted in nothing, all suggestions and recommendations of NAO were disregarded in January 2001. It's even put explicitly in the law that the government has the final say about new technical procedures.

Finally, a catch-all phrase is added that the government can demand different things in different situations (and each situation is of course different) to ensure the safety and reliability of interception and interception data. It is "safer" not to put these demands and needs in procedures. An obligation to talk to the provider has been added (but of course, this doesn't mean the provider has much of a say in what happens).

And of course, the most important question, "who needs to be tappable with respect to Internet products and services", is explained in fine print at the end of this publication in a way that escapes my comprehension:

"Where in this [publication] we mention 'providers of Internet services', we mean providers of Internet, as well as providers of services for Internet access".

Relevant documents will be published on www.opentap.org. [see Opentap URLs above and Cryptome mirrors]

I hope to see you all at Hal2001 (www.hal2001.org) at the tapping workshop,

Paul Wouters

--

_______________________________________________

Hal-tap mailing list
Hal-tap@hal2001.org
http://www.hal2001.org/mailman/listinfo/hal-tap