Paul Wouters: Update Tapping in the Netherlands

John Gilmore gnu at toad.com
Tue Aug 13 19:57:21 EDT 2002


[Paul has been tracking Dutch government requirements that ISPs 
implement covert wiretaps against their customers -- and the technical
standards of the equipment that does it -- for a few years.  
See www.opentap.org.  --gnu]

From: Paul Wouters <paul at xtdnet.nl>

Update tapping in the Netherlands, August 12, 2002
(also available at: http://www.opentap.org/aug12-update.html)

Here is a small update on matters in the Netherlands. Mostly the updates
focus around the Dutch organisation for ISP's, NLIP's conference talk at
Megabit (www.megabit.nl, now apparently already defunct) but some other 
information that surfaced in the last weeks has been included as well.

Some of the internet media has also been mentioning little bits, I assume
as a result of asking what NLIP was going to say at megabit, eg:

http://www.webwereld.nl/nieuws/12068.phtml
http://www.webwereld.nl/nieuws/12102.phtml

In short, the new organisation NBIP has seen the light. Webwereld
mentions the ISP's that are in the co-operation: 

ZonNet, Inter NL Net, IntroWeb, PSInet, Internet Access Facilities and Netland

Another 7 committed to joining the organisation when it would see the
light, according to Van Stam. This means around 14 ISP's will bundle their 
tapping equipment, in an attempt to make it affordable.

A new central organisation to co-ordinate all tapping, the LIO ("Landelijk
Interceptie Orgaan") which was planned to take over tapping matters in a
few years, has been rushed into existence as a result of "September 11",
and is expected to be fully operational before the end of the year. I
believe it will handle the tapping warrants, and infrastructure (though
the latter might be outsourced, but not to ITO) of the government side
of lawful interception (eg T1's and prob. some T2's). All tapping requests, 
whether from regular police (KLPD), a special department (eg tax office 
"FIOD") or our security service ("AIVD") or the military ("MIVD") should
go through the LIO. (I think this means the LIO will operate the T1's,
the machines to accept the traffic from the ISP's, and perhaps the T2's,
the machines that collect/decrypt the suspects data, for some agencies,
eg KLPD, FIOD, but I'd guess not the AIVD/MIVD.)

DGTP, the "Directoraat Generaal Telecommunicatie en Post" (who now have
their own website, http://www.dgtp.nl/) has been moved to a different
department as of Jul 22nd. Formerly part of the "Ministerie van Verkeer en
Waterstaat" ('traffic and waterways') it now falls under the "Ministerie van
Economische Zaken" ('Economic Affairs')

In June 2002, the new version of the WIV law ("Wet op de inlichtingen- en 
veiligheidsdiensten") came into effect. For some discussion and a link to
the lawtext, see: http://www.netkwesties.nl/editie33/artikel2.html

In June, the results of the "bake off 1" got formulated in a new version
of the tapping specification, TIIT v 0.9.9. This document has not surfaced
into the public domain yet. However, a "final" version of the document,
version 1.0.0 is expected in september (expected not meaning released). At
that point, a third bake off will start, which focusses on the paperwork
side of things, including the electronic paperwork (eg: HI1 in FuncSpec
terms).

Only three Vendors were part of the current testing/bake off:
- Pine / ENAI
- Accuris (Group 2000)
- SS8 (Formerly ADC)

Currently, the following vendors are also in testing phases:
- IDD (Innovative Design Delft)
- Heynen (with GTEN)
- Aqsacom (with Riser)
- Digivox
- Verint Systems (formerly Comverse Infosys)

A new Directive ("Algemene Maatregel van Bestuur") named "Beveiliging 
gegevens Aftappen" is being written. It will contain the requirement
for ISP's to have a "secure FAX" to which the LEA can fax the tap order,
along with the NAW (name,address,city) to the LIO and DGTP.
Ironically, current law dictates warrants should arrive on CDrom in XML
format, but as can be seen from bake off 3, this isn't reality yet.
Another interesting item in the Directive is that all ISP's should at
least appoint one person as liaison to the government regarding tapping.
This person will be checked by the BVD (AIVD or whatever you want to call
them these days), a so-called "antecedenten onderzoek".
Another requirement is to send the LIO a "Provider ID" necessary
for the TIIT spec (so the government can see which ISP sent the information).
You cannot request a number, you're not assigned a number. You need to make
one up, and hope it's not taken, or otherwise come up with a new one. It's
unclear to me why they don't just assign ISP's a number. NLIP advises to
use your IANA Enterprise Number, but most ISP's probably don't even have
one.

Buma-Stemra, our local RIAA/MPAA, apparently lost their special rights,
and can no longer "order a tap" (I'm not entirely sure how they could order
this in the past)

Where Telco's have to have a tap operational in 12 hours, there has not been
a set time for ISP's yet. It has been defined as "without delay", in article
25 of the new "WIV" law. This applies to "special cases" ("Bijzondere Last"),
which needs the permission of the "Minister van Binnenlandse Zaken" (National
affairs).

Misc. items of unconfirmed information and/or rumors

There are currently three T1's operational. They are located in Den Haag 
(The Hague), Bilthoven and Zoetermeer 

It's still unclear whether Internet Exchanges, and large "non public" (in
the legal sense) need to be tappable. Surfnet was on the list of "ISP's"
that were notified in a letter from the government reminding them to
implement the tapping infrastructure
(See: http://www.opentap.org/documents/mintiit.pdf)

The matter of whether ISP's/webhosters/colocation facilities need to 
register with OPTA (central register for Telco's) is still unclear. It
seems that law dictates you have to register, but OPTA will refuse to
register you. (So "you must, but you can't"). Since being registered with
OPTA is still an official requirement to obtain the tapping specification,
this matter is important. Also, if OPTA would need to register all ISP's
and webhosters, it would currently have less than 5% or so in its register.

The NAO has been effectively shut down. The main reason being that it was no
longer a "secure" party, after documents appeared on Opentap. It could no
longer participate in closed-doors negotiations/discussion.
(personal note: I believe those should never have happened closed-doors, esp
 since NAO suggested to represent all those who were affected by the laws,
 while in practice it only represented telco's/access providers, and not
 small ISP's without access networks, or webhosters/resellers)
Another reason was that NLIP couldn't justify the time/money spent on 
NAO (eg maintaining its website). 


Deloitte & Touche are investigating a financial model for a) internet and
b) mobile phone tapping (costs). The government wants one model (personal
note: I think they're right, these will become effective one within the
next one-two years, see GPRS, UMTS, Imode)

The statutes of the NBIP are public and can be requested (contact them or
NLIP)

It seems the ciphers that were allowed in TIIT 0.1.2 have been limited to
only RC4 and AES (Rijndael) in version 0.9.9. But that's not a great surprise,
as this was clearly the intent of TIIT (but the AES candidate wasn't known 
at the time of writing). Apparently, the biggest hole in the specification, 
the "email tap" has been resolved.

Comments, corrections, information and suggestions are always welcome,

Paul Wouters
Opentap

---------------------------------------------------------------------
The Cryptography Mailing List