The Dutch security services AIVD and MIVD are ‘unhappy’ with their new regulator, set up last year after both agencies were given sweeping powers to tap phone and internet connections, the Volkskrant said on Thursday.

Sources told the paper that the two services – one civilian and one military – say the TIB – which checks applications for hacks – is too assertive in its approach and is hampering their work.

TIB chairwoman Mariette Moussault told the paper that the issue is ‘a subject for discussion’ but that the agencies must be kept a close eye on, and accept limits to what they can do.

The TIB was set up in May 2018 when new legislation came into force, requiring the security services to seek prior approval for hacking.

In particular, requests to carry out bulk hacks involving information about hundreds of thousands of people in the hunt for one or two are liable to face tough questions by the TIB, the paper said.

Last year, for example, the TIB rejected a request to carry out a bulk hack on KPN clients, the paper said.

The TIB is also proactive when applications are made to share information with other countries’ security services.

Breaking the law

The main security service watchdog CTIVD said in June that both agencies are still breaking the new laws on electronic surveillance. In particular the MIVD military security service is still failing to meet the requirements on privacy, partly down to IT problems, the CTIVD said.

Nevertheless, advances have been made since the CTIVD’s first report, which was highly critical of both services, the agency said.

‘Most of the high risk items identified in the first report have been reduced to low or average risk since December 2018,’ the watchdog said. ‘The AIVD and MIVD are not there yet, and still have a lot to do in the coming period.’