Dutch Police Hacking Back – A Privacy Violation Waiting To Happen?

Here in the Netherlands, we’ve seen a proposal for new legislation regarding cybercrime pop up occasionally for well over a year now. It is coming up for a formal vote by the Senate (Eerste Kamer) on October 7th and was the topic of debate on the 24th of September.

The proposed law, “Wet Computercriminaliteit III” in Dutch, which translates to the Law on Computer Crime III, appears to be something of a personal project for the Dutch Minister of Security & Justice, Ivo Opstelten.

That is, if you take into consideration that many consider it to be an ill-defined law, full of poorly understood ideas that could have severe unintended consequences (most notably violating the privacy of innocent civilians). It has been bashed by virtually all sides except law enforcement, yet it keeps reappearing. Even though the general opinion was negative, it was amended slightly and then quietly put up for a vote of Congress just before this year’s summer recess.

This method is sometimes used by Dutch politicians when they wish to slip a proposal in unnoticed. Whether that is the case here, or whether it has actually worked to ease the political path, remains to be seen. Regardless, this topic has drawn much attention in the Netherlands.

The Computer Crime law in question covers a relatively broad spectrum. Among other things, the law enables the police to:

  • Remotely investigate computers belonging to criminals, allowing them to copy data or render it inaccessible;
  • Hack into a system whose location is unknown, while taking notice of international law (please note that this is not the same as ADHERING to international law);
  • Tap or observe communications, although this requires a judge to sign off;
  • Listen in on Skype calls;
  • Prosecute people for providing access to stolen data, treating this as equivalent to fencing stolen property;
  • Force a suspect to decrypt encrypted data; refusal to decrypt can lead to a prison sentence of no more than 3 years.

Although translated, these bullet points, in my opinion, reflect the way the proposal was worded. I immediately had some questions. Here are a few:

  • Remotely investigate systems belonging to criminals – Does this mean that if you’ve ever been convicted, they can access your system whenever they like? Or do they mean SUSPECTS? Also, see my later point on having a judge sign off.
  • Hacking into systems of unknown location while taking notice of international law – Aren’t we required to ADHERE to international law rather than simply take notice of it? I should try this excuse to get out of a speeding ticket!
  • Tap or observe communications – This is the only specific point that explicitly mentions needing a judge to sign off. That is strange. It seems to me that tapping and/or observing is the lesser power when compared to actually breaking and entering into a system.
    Why is it not stated that hacking into a system requires a judge to sign off? Given the generally careful wording of articles of law, I can only surmise that this absence means that actually hacking into a system does NOT require a judge to sign off first.
  • Listen in on Skype calls – What about any other kind of more-or-less encrypted voice communication application? Skype is popular now, but which application will be popular in the future? This point seems to limit itself unnecessarily. Also, does this fall under tapping or observing communications, which would mean it requires a judge to sign off?
  • Equating fencing with providing access to stolen data – This might be (mis)used to criminally prosecute people who share ‘warez’ with their torrent client. Given the almost erratic behavior we have been seeing from BREIN (the Dutch equivalent of the RIAA / MPAA) and its head honcho Tim Kuik, we already know their lobbyists will be foaming at the mouth over this item. Bad news for the warez community, to be sure. But with all the already controversial items, why was this put in? It would be nice if at least one plausible case (preferably more!) were given where this item is useful that is NOT linked to the Netherlands becoming a stooge for the (largely American) music and video industry.
  • Forcing suspects to decrypt encrypted data – This is a specific response to several child pornography cases where suspects had strongly encrypted content on their systems that law enforcement officers could not break. Looked at from that perspective, it is understandable that this is desired. However, child pornography is NOT the only reason anyone would want an encrypted folder. I personally use encrypted containers to store my company’s valuable data in, and I would certainly recommend it for anyone. What are the parameters for putting this item into practice? By that, I mean I would appreciate a list of the types of cases where judges will be applying this law. Most people will agree with using this in cases against child pornography, but it would be an entirely different matter in cases of, say, a company’s intellectual property rights. In any case, I would bet that any really guilty child pornographer would prefer 3 years of jail time over a full sentence for child pornography, especially after the way these folks are (understandably) treated by the general populace once their identities are known. In other words: isn’t this item a bit useless against hardcore criminals?

Opstelten versus the Community
A few months ago I shared a stage at Nyenrode Business University with, among others, Wil van Gemert (the Dutch National Counterterrorism Coordinator at the NCTV) and Ronald Prins (Fox-IT). Mr van Gemert, who worked for the Dutch police for many years before being promoted to his current position, was the only speaker who unequivocally supported this law. All the other speakers, coming from industries such as finance, technology and education, opposed it for a variety of reasons.

We all understood perfectly well that times have changed, and that the police must be able to change with them if we expect them to protect us from criminal behavior. That is not the issue I have with these plans. The issue is how to prevent misuse of this power, and given the many examples we can cite, this is not a minor consideration that is easily dismissed.

Police officers are human beings too, and they will bring their personal lives to the job. What is to stop an officer from cracking open the mailbox of a loved one suspected of cheating? Why is it so unclear whether a judge is required to sign off on an action, versus the police making a judgment call?

The questions are also of a practical nature: HOW are the police going to crack systems? What software will they use? Will they make use of the same vulnerabilities known to the criminal industry, or will they somehow develop their own backdoors? Will we ever know? If they discover new vulnerabilities, will they still inform us of their existence, or keep them under wraps just to preserve their own ability to gain access? Will they strike deals with software giants such as Microsoft to get a backdoor?

The most critical questions for me have everything to do with prevention of misuse. Who can perform what action, under what circumstances? And who will make sure they cannot do it under other circumstances?

Who will check whether the police have complied with the regulations and limitations we impose on this law? What will be the consequence for a police officer or official when he or she violates them? How plausible will enforcement and auditing still be if the only result is a minor slap on the wrist?

Bart Jacobs, a well-known Dutch professor who teaches and researches information security at Radboud University in the Netherlands, also made clear his reservations about this law. When asked, he had these questions:

How can I know the police didn’t change anything on my system if I am a suspect? Can I ever prove the police didn’t change anything? Or that they have? Can you EVER know?

Please note that I am translating and paraphrasing somewhat. Other observations he made are worth sharing: “When creating the law on tapping phones, the government promised it would be sparsely used. Now, we are one of the most-tapped nations in the world.” And “The police are acting like their backs are against the wall. They are framing the debate in a “poor me” fashion to garner sympathy.” It is clear from these remarks that Professor Jacobs is not a fan of this new law.

There are many questions that need to be answered before implementing such an article of law. Naturally, I understand that the current wording and phrasing is not what will end up in Dutch law, but all of the above points should be given due consideration. Cybercrime has brought considerable change with regard to criminal activity, and the laws we currently have may not be sufficient. But knee-jerk reactions make bad laws, and if we are really to deal with cybercrime, we must have good and solid laws that ensure citizens’ safety (and privacy!) without compromising justice.