After the referendum on the intelligence bill, the Dutch government amended the law by shortening the data retention period and adopting some other measures that the people ‘asked’ for. At the same time, experts announced their intention to look for ways to protect companies from DDoS attacks. A noble gesture, or a way to bypass the law?
Last time I spoke about the government’s ambition to take a more proactive stance in preventing DDoS attacks and about the new ways it is considering to tackle them, for instance by introducing a DDoS Radar, as suggested by a group of security experts in collaboration with SIDN. The idea is that the radar continuously makes ‘fingerprints’ of potential and active DDoS sources and shares them with ISPs and governmental institutions. In addition, the concept of a “National Anti-DDoS Service” was introduced.
I spoke to a lot of people about this, and then someone suggested something that shocked me, because I hadn’t thought about it that way.
If this radar is created and it makes these fingerprints, isn’t that basically tapping IP addresses at random? That is exactly what was so highly contested in the Intelligence Bill, which a majority said was flawed precisely because of the random tapping.
A government’s DDoS?
Besides that, if one of these random IP addresses becomes the victim of a DDoS attack and its traffic gets redirected through this National Anti-DDoS Service to be cleaned, doesn’t that mean the government gets to see that traffic as well? And if in the future the government wishes to tap a particular user’s traffic, all it would have to do is DDoS that user, so that the user’s traffic automatically flows through the National Anti-DDoS Service – and nobody – neither the user nor their ISP – would know about it?
What happens with the fingerprints? Where will they be stored? You would guess that they want to keep all the data that is collected to prevent any attacks. How long will this data be stored and who is responsible for this?
More importantly, what happens with the IP addresses that are deemed safe? What access will governmental institutions have to all of this data? Will there be oversight?
Should this radar – let alone the National Anti-DDoS Service – come into effect, then what is the purpose of the intelligence bill? For all the opposition to it, at least the bill has some judicial safeguards in place before the government can tap into our data. This radar doesn’t seem to have any. Do we really want that?