[Paul has been tracking Dutch government requirements that ISPs implement covert wiretaps against their customers -- and the technical standards of the equipment that does it -- for a few years. See www.opentap.org. --gnu]
From: Paul Wouters <[EMAIL PROTECTED]>

Update tapping in the Netherlands, August 12, 2002
(also available at: http://www.opentap.org/aug12-update.html)

Here is a small update on matters in the Netherlands. Mostly the updates focus around the Dutch organisation for ISPs, NLIP's conference talk at Megabit (www.megabit.nl, now apparently already defunct) but some other information that surfaced in the last weeks has been included as well.

Some of the internet media has also been mentioning little bits, I assume as a result of asking what NLIP was going to say at megabit, eg:

http://www.webwereld.nl/nieuws/12068.phtml
http://www.webwereld.nl/nieuws/12102.phtml

In short, the new organisation NBIP has seen the light. Webwereld mentions the ISPs that are in the co-operation: ZonNet, Inter NL Net, IntroWeb, PSInet, Internet Access Facilities and Netland. Another 7 committed to joining the organisation when it would see the light, according to Van Stam. This means around 14 ISPs will bundle their tapping equipment, in an attempt to make it affordable.

A new central organisation to co-ordinate all tapping, the LIO ("Landelijk Interceptie Orgaan") which was planned to take over tapping matters in a few years, has been rushed into existence as a result of "September 11", and is expected to be fully operational before the end of the year. I believe it will handle the tapping warrants, and infrastructure (though the latter might be outsourced, but not to ITO) of the government side of lawful interception (eg T1's and prob. some T2's). All tapping requests, whether from regular police (KLPD), a special department (eg tax office "FIOD") or our security service ("AIVD") or the military ("MIVD") should go through the LIO. (I think this means the LIO will operate the T1's, the machines to accept the traffic from the ISPs, and perhaps the T2's, the machines that collect/decrypt the suspects data, for some agencies, eg KLPD, FIOD, but I'd guess not the AIVD/MIVD.)

DGTP, the "Directoraat Generaal Telecommunicatie en Post" (who now have their own website, http://www.dgtp.nl/) has been moved to a different department as of Jul 22nd. Formerly part of the "Ministerie van Verkeer en Waterstaat" ('traffic and waterways') it now falls under the "Ministerie van Economische Zaken" ('Economic Affairs').

In June 2002, the new version of the WIV law ("Wet op de inlichtingen- en veiligheidsdiensten") came into effect. For some discussion and a link to the law text, see: http://www.netkwesties.nl/editie33/artikel2.html

In June, the results of the "bake off 1" got formulated in a new version of the tapping specification, TIIT v 0.9.9. This document has not surfaced into the public domain yet. However, a "final" version of the document, version 1.0.0 is expected in September (expected not meaning released). At that point, a third bake off will start, which focusses on the paperwork side of things, including the electronic paperwork (eg: HI1 in FuncSpec terms).

Only three vendors were part of the current testing/bake off:

- Pine / ENAI
- Accuris (Group 2000)
- SS8 (Formerly ADC)

Currently, the following vendors are also in testing phases:

- IDD (Innovative Design Delft)
- Heynen (with GTEN)
- Aqsacom (with Riser)
- Digivox
- Verint Systems (formerly Comverse Infosys)

A new Directive ("Algemene Maatregel van Bestuur") named "Beveiliging gegevens Aftappen" is being written. It will contain the requirement for ISPs to have a "secure FAX" to which the LEA can fax the tap order, along with the NAW (name,address,city) to the LIO and DGTP. Ironically, current law dictates warrants should arrive on CD-ROM in XML format, but as can be seen from bake off 3, this isn't reality yet.

Another interesting item in the Directive is that all ISPs should at least appoint one person as liaison to the government regarding tapping.
This person will be checked by the BVD (AIVD or whatever you want to call them these days), a so-called "antecedenten onderzoek".

Another requirement is to send the LIO a "Provider ID" necessary for the TIIT spec (so the government can see which ISP sent the information). You cannot request a number, you're not assigned a number. You need to make one up, and hope it's not taken, or otherwise come up with a new one. It's unclear to me why they don't just assign ISPs a number. NLIP advises to use your IANA Enterprise Number, but most ISPs probably don't even have one.

Buma-Stemra, our local RIAA/MPAA, apparently lost their special rights, and can no longer "order a tap" (I'm not entirely sure how they could order this in the past).

Where Telcos have to have a tap operational in 12 hours, there has not been a set time for ISPs yet. It has been defined as "without delay", in article 25 of the new "WIV" law. This applies to "special cases" ("Bijzondere Last"), which needs the permission of the "Minister van Binnenlandse Zaken" (National affairs).

Misc. items of unconfirmed information and/or rumors

There are currently three T1's operational. They are located in Den Haag (The Hague), Bilthoven and Zoetermeer.

It's still unclear whether Internet Exchanges, and large "non public" (in the legal sense) need to be tappable. Surfnet was on the list of "ISPs" that were notified in a letter from the government reminding them to implement the tapping infrastructure (See: http://www.opentap.org/documents/mintiit.pdf)

The matter of whether ISPs/webhosters/colocation facilities need to register with OPTA (central register for Telcos) is still unclear. It seems that law dictates you have to register, but OPTA will refuse to register you. (So "you must, but you can't"). Since being registered with OPTA is still an official requirement to obtain the tapping specification, this matter is important.
Also, if OPTA would need to register all ISPs and webhosters, it would currently have less than 5% or so in its register.

The NAO has been effectively shut down. The main reason being that it was no longer a "secure" party, after documents appeared on Opentap. It could no longer participate in closed-doors negotiations/discussion. (personal note: I believe those should never have happened closed-doors, esp since NAO suggested to represent all those who were affected by the laws, while in practice it only represented telcos/access providers, and not small ISPs without access networks, or webhosters/resellers) Another reason was that NLIP couldn't justify the time/money spent on NAO (eg maintaining its website).

Deloitte & Touche are investigating a financial model for a) internet and b) mobile phone tapping (costs). The government wants one model (personal note: I think they're right, these will become effective one within the next one-two years, see GPRS, UMTS, Imode).

The statutes of the NBIP are public and can be requested (contact them or NLIP).

It seems the ciphers that were allowed in TIIT 0.1.2 have been limited to only RC4 and AES (Rijndael) in version 0.9.9. But that's not a great surprise, as this was clearly the intent of TIIT (but the AES candidate wasn't known at the time of writing).

Apparently, the biggest hole in the specification, the "email tap", has been resolved.

Comments, corrections, information and suggestions are always welcome,

Paul Wouters
Opentap
