Cyber forensicsDutch law enforcement wants the authority to hack foreign computers

The Dutch government plans to give Dutch law enforcement services the ability to hack into computers – not only in the Netherlands, but also those located in other countries – for the purpose of discovering and gathering evidence in cybercrime investigations.

Ivo Opstelten, the Dutch minister of security and justice, described the government’s proposed bill in a letter sent to the lower house of the Dutch parliament last week.

CIO reports that the investigative abilities that Dutch police and other agencies would gain include installing software to monitor activity on a computer, search it for evidence, and destroy files and illegal content during searches.

If a Dutch law enforcement agency determines that a computer it wants to hack is in a foreign country, it must ask assistance from the authorities in that country. Also, authorities would only be able to conduct searches when investigating crimes that carry a maximum sentence of four years or more, and they would need a judge to sign off on the search. All searches would be recorded and accessible for further review

In the letter, Opstelten gave details about a specific case in which investigators from the Dutch National Police infiltrated Web sites that hosted child pornography, but the location of the computers could not be determined.

Ot van Daalen the director of Dutch digital rights organization Bits of Freedom says this legislation is not the solution to the crime problem the police is trying to address.

“First of all, allowing police investigators to hack computers in other countries might encourage other governments to introduce similar legislation, but not necessarily with the same limitations,” van Daalen told CIO. “This could escalate into a digital arms race.”

According to van Daalen, the legislation would give governments an incentive to keep software weaknesses secret in order to exploit them when hacking  systems being used by cybercriminals.

“There’s no doubt that there’s already a growing (and disquieting) market in the for-fee disclosure and exploitation of vulnerabilities, and this proposal could certainly further legitimize it: the possible advantages in terms of action against criminals (leaving aside ethical objections) have to be balanced against the likely, deleterious effects on the community of Internet users as a whole,” David Harley, a senior research fellow at antivirus vendor ESET, told CIO in an e-mail.

Both Harley and van Daalen worry that this legislation could have negative consequences.

 “It’s not possible to guarantee that the effects of these measures will be restricted to criminal elements: if the proposal succeeds in its present form, collateral damage in terms of the application of monitoring and attack technologies could be worldwide,” Harley said.

“Is it really feasible to take this approach effectively without breaching the sovereignty of other states? Even if agreement could be reached with other states on international legislation, does this proposal take into account the quid pro quo of giving foreign agencies such sweeping rights of access to the systems of its own citizens?” Harley asked. “It seems to me that there’s a parallel here with the fact that many in the U.S. seem quite happy with alleged cyber-espionage and sabotage against Iran yet show surprise and discontent that those claims have been used as justification for similar action by other nations.”