Dutch digital investigation: Pushing the boundaries of legality
The Dutch court is currently considering the case against Naoufal F, in which the police made use of several advanced digital investigation methods that challenge the boundaries of the law.
A key issue in the case is the way in which the police gained access to and analysed the secure communication of suspects. Inez Weski, the lawyer of multiple suspects in this case, claims that in the process, the police violated so many rules that the trial must be stopped. The judge is of a different opinion. However, that doesn’t mean this will be the end of the discussion.
As part of the investigation into (failed) assassinations, the police discovered individuals under investigation were using the Dutch company Ennetcom’s PGP-phones and communication network. One of them was Naoufal F. The communication was secured with PGP, a commonly used encryption method. To read this encrypted information, the police either needed to have the key, or to bypass the encryption, for example by hacking.
The police confiscated one of Ennetcom’s Canadian servers and made a copy of the data in it. Besides the encrypted information, the server apparently contained the PGP-keys with which the encrypted communication was secured. The communication could thus be decrypted and read. The police also succeeded in reading the communications that was stored on the PGP-phones.
The police then used Hansken, a forensic search engine developed by the Dutch Forensic Institute (NFI), to search all the gathered information.
The question is if the police were allowed to do this. First, Weski compares the confiscating of the server with casting a dragnet over a communications network. According to Weski, a great deal of communications of unsuspected persons has been unjustly gathered. She claims Ennetcom offered a perfectly legal service that, although it might also have been used by criminals, was used by companies, governments and innocent citizens. Therefore, the server should never have been confiscated in this manner. A striking detail is that, according to Weski, the PGP-keys were not on the server at all, but they were stored by another company. If that turns out to be true, that might change the case significantly.
In addition, Weski believes the Hansken forensic search engine used in the investigation is, in itself, an “extralegal” investigation tool that should not have been used – extralegal meaning that there is no definition of such investigation tool in law. There are occasions when the use of an extralegal tool is allowed, for example, if there is no major violation of the rights of a suspect, and if the use does not pose a risk for the integrity and manageability of the investigation. However, Weski believes Hansken does not meet these requirements.
Weski wanted the trial stopped due to grave errors and problems in the investigation, and asked for the case to be ruled inadmissible. The police obviously disagree, as does the Public Prosecution Service. The judge ruled that the trial can continue.
This case shows yet again that the police increasingly and more easily gain access to large amounts of information – first of all because there is simply being more data available. Secondly, by using more advanced analysis techniques, more and more information can be extracted from the available data. Information that in itself might seem unimportant, can become valuable when combined with other information. This results in more intrusive analysis of personal data.
It also causes the nature of the police’s work to change fundamentally, because the emphasis lies even more on automated data processing. In this case, both components come together: there is a server available with a huge amount of information, and an advanced analysis tool is available for searching that data.
The Dutch Code of Criminal Procedure is no longer aligned with digital developments. The Ministry of Security and Justice has launched a concept proposal that will be able to face the “new” challenges of digitalisation, and that is meant to replace the current Code.
However, also the concept proposal falls short in providing answers to the problems that surface in the case against Naoufal F. For instance, a better oversight of digital investigation is needed. It is also necessary to re-think the gathering of large datasets that include data of innocent citizens. Finally, there should be better rules concerning the analysis of that data. The new law for the secret services includes a separate rule for analysis of data. That is not the case in the new law for the police. Why should less stringent rules apply?
Does digital investigation fit the confines of the law? (only in Dutch, 30.08.2017)
Case against Naoufal F. trial case for justice (only in Dutch, 29.08.2017)
(Contribution by Ton Siedsma, EDRi member Bits of Freedom, the Netherlands; Translation: Ludwine Dekker)