The Dutch digital rights organization, Bits of Freedom, showcases their ongoing work on advocating for transparency when law enforcement agencies request user data from companies.
Bits of Freedom, a Dutch digital rights organization that focuses on privacy and communications freedom in the digital age
Amsterdam, the Netherlands
Bits of Freedom (BOF) works to demand transparency when Dutch companies, like internet services providers, receive data requests from Dutch law enforcement agencies. BOF uses different tactics to ensure companies—many of whom are unsure of the legality of publishing transparency reports—understand the laws surrounding such practices.
Law enforcement agencies’ policies surrounding the publishing of transparency reports must be accountable and verifiable. BOF publicly asked the government to clarify the legality of publishing such reports so that companies would be encouraged, not worried, to publish them. After dragging their feet, the Dutch government dubiously stated that publishing transparency reports is not technically illegal, but it would strongly advise against it. To tackle this issue, BOF asked a renowned law firm to write a legal opinion on the Dutch government’s response and their analysis was very clear: companies are allowed to publish these kinds of reports under Dutch laws when it comes to reports on requests from law enforcement agencies. As such, BOF is currently working to convince more companies to publish reports.
BOF’s work is ongoing; the organization tends to use many different approaches at once when tackling the issue of transparency. Within the transparency dossier, BOF makes Freedom of Information Act requests to the government to determine a baseline—seeking documents that display the number of requests it has made to social networks, the number of rejections it has received, the reasons for said rejections and, amongst other things, the policy on requesting data.
At the same time, BOF extensively discusses their work with members of parliament, extensively explaining transparency issues and providing background information, since it is they who can ask written or verbal questions to the government. Some members of parliament have, in turn, been very vocal on the issue of transparency, criticizing the government over their murky position on the legality of publishing these reports.
BOF also sends large companies letters asking them to publish reports, and in the past, has provided them with legal advice. BOF partnered with a law firm that supported their mission and goals and worked pro bono to provide legal analysis on the possibility of companies publishing transparency reports.
Additionally, BOF makes an effort to explain the issues at hand to the larger public by participating in debates and publishing on their website. The organization has garnered media attention by doing FOIA requests. In addition to asking law enforcement agencies for statistics, BOF also asks the Justice Department for the policy-making process on publishing statistics. A few blunt denials to those requests and some information that was made public by accident made headlines. Concurrently, the members of parliament who have been on their side asking key questions to the government attract media attention as well.
To encourage more companies to publish transparency reports, BOF looked into the transparency of the use of more specific tools like IMSI-catchers and stealth-SMS. After a FOIA request and the leaking of an internal policy document, BOF discovered there were no rules governing the use of stealth-SMS and the internal policy was dramatically lacking safeguards. This made headlines and now the drafting of a new policy has been forced (which, of course, will endure another FOIA request).
Many of the companies with which BOF has worked feel as though transparency is not just a responsibility towards their customers, but that it is also a unique selling point to them or to surrounding companies. For example, LeaseWeb was the first Dutch company to release a transparency report and other companies, such as the Réseaux IP Européens Network Coordination Centre (RIPE NCC), have also started releasing their own reports. At other times, a public campaign is needed to force the government or companies into some direction.
While BOF continues to fight for more transparency, the Dutch government has made a proposal to limit the types of data requests that require notification after an investigation has ended. Under current law, the public prosecutor is required to, when the investigations are finished, inform the user that his or her data, like traffic data, has been requested. The reason for this provision in law is that someone may take the public prosecutor to court and have a judgment on the legality of the request.
The new proposal limits the notification requirement considerably. A bit simplified: when requesting traffic data, notification would not have to be given (however for more privacy-impacted powers, like wiretapping, it would still have to be). As a result, under the new law, people won’t know when the police have looked up their traffic data and thus cannot challenge the legitimacy of the request. BOF published a position paper on this matter and has been explaining the government’s proposal to many members of parliament in an effort to advocate for change.
Be creative: Use all of the tools you have at your disposal. You may be used to a certain approach (e.g. Freedom of Information Act requests), but sometimes implementing an alternative method works better.
Keep an open mind: You may be able to build a sustainable and more informal relationship with government officials and get them to understand and support your point of view. Similarly, companies don’t necessarily have to be your opponent, they can be stakeholders on your side.