The Dutch Military Intelligence and Security Service (MIVD) illegally shared data with foreign services and hacked Web forums without ministerial approval, according to a report made at the request of the Dutch House of Representatives.
Although it is allowed to share data in bulk with other countries under existing partnerships, the MIVD illegally provided selected signal intelligence (SIGINT) data without permission of the relevant minister, according to the report, published late Tuesday.
SIGINT data is collected by intercepting signals in bulk, for instance by gathering information of communication between satellites. This way of intercepting communications is used to gather metadata as well as the content of the communication itself, according to the report.
The Dutch House of Representatives requested the information from the Dutch Review Committee for the Intelligence and Security Services (CTIVD), following concerns about surveillance by the U.S. National Security Agency (NSA).
The committee is an independent body consisting of three people that are appointed by Royal Decree on the recommendation of the relevant ministers, after being nominated by the House of Representatives.
The committee did not immediately respond to a request for comment, but Harm Brouwer, the committee's chairman, told Dutch public broadcaster NOS that the MIVD did not ask for permission to share a selection of the gathered SIGINT data. And "every illegal act by intelligence services is too much," he added.
The committee did not provide information on the selected information which was shared. It did also not disclose which foreign intelligence service received the selected data.
However, two new documents provided by NSA leaker Edward Snowden showed that the Netherlands intercepts vast amounts of Somali telephone traffic which it shares with the NSA, Dutch newspaper NRC Handelsblad reported on Saturday.
The telephone traffic was intercepted by the Dutch National Sigint Organisation (NSO), an alliance between the two Dutch intelligence services- General Intelligence and Security Service of the Netherlands (AIVD) and MIVD, according to the newspaper report. While the Dutch use the information to combat pirates operating off the Somali coast, the U.S. may be using the information to target terrorism suspects with armed drones, according to the newspaper.
The review committee found that both MIVD and the AIVD generally adhere to the law and did not indiscriminately intercept cable-based communications. But besides illegally sharing a selection of SIGINT data, it found other illegal intelligence activities by the agencies.
The AIVD for instance hacked Web forums where extremists reportedly exchange information without providing good reason for the hacks and without the proper permission needed from the minister, according to the report. As a result, personal data was collected from people that were not targets, according to the committee.
In order to prevent this from happening, the committee recommended the creation of additional safeguards.
The government accepted the suggestions and has introduced procedures and measures with regard to the hacking powers of the intelligence services, the Minister of the Interior and the Minister of Defense wrote in a letter responding to the report.
The process for sharing a selection of SIGINT information with foreign services will also be altered, they wrote.
The defense ministry, which runs the MIVD, did not immediately comment.
The Review Committee for the Intelligence and Security Services is still reviewing the AIVD's activities on social media, and a report on that is expected to be finished in April. The committee is also working on a more thorough review of the collaboration between Dutch intelligence services and foreign partners, which expected to be finished in May, Brouwer told the NOS.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to firstname.lastname@example.org