Every night, a lot of our private information is being uploaded to a central database of the government. Regardless of what you think of that, we need to make sure that the government has proper rules for using that database. But it seems that the current rules aren’t that proper, or at least that clear.

Let me be clear, I do not have any problem with eligible collection of information. As ISP, Fusix has been doing it for a long time, and we have created numerous laws to govern this process in the Internet world and also to protect ourselves – civilians – from misuse of the information. If an IP-address can be linked to a person and then it is possible to find a postal address from where for instance child pornography is being upload, I think it is good that the Prosecutor can have this information fairly quickly.

So how does it work? All ISP’s send the information to a secure database, which is governed by the Centraal Informatiepunt Onderzoek Telecommunicatie (CIOT). The police and intelligence services have access to this database. And sometimes, the 112 control rooms can get access as well, but only when there are ‘exigent circumstances’. There are rules that must be followed when authorized personnel accessed the CIOT database. But, as it turns out, some of the rules aren’t that strict.

Unclear rules on authorisation and archiving

At least, that is what Bits of Freedom found out after an investigation into the use of the CIOT database. Through a Freedom of Information Act request, they went through two annual reports of the police regarding the CIOT. What struck me at first, was that in 2016 there were over two million requests for information in the database. But that was not the most important thing.

It turns out that the police isn’t always clear what the rules of using the database exactly are, for instance, when it comes to who is authorized to use the system, what constitutes ‘exigent circumstances’ when 112 control rooms ask for information and how long the police can archive the data and the queries. They sometimes give their own interpretation to it, because the Ministry of Justice and Security has not made all rules unequivocal yet. According to Bits of Freedom, this is happening for few years now.

For ISP’s the rules are clear. There are at least a dozen laws on what information an ISP has to hand over, how often, through which channels and how to secure it. And all ISPs have to do it, because if you do not, you are in violation of the law. It seems that for the police and the Prosecutor’s Office these rules are not as clear. And that is a problem, especially because we are talking about our private information.

In two reports the police does provide some ideas how to improve the situation. They also want the rules to be more clear. If that is not a clear signal to the Ministry, I do not know what is.