Dutch proposal to search and destroy foreign computers

By EDRi · October 24, 2012

This article is also available in:
Deutsch: [Niederlande: Vorstoß zur Suche und Zerstörung fremder Computer |]

On 15 October 2012, the Dutch Ministry of Justice and Security proposed
powers for the police to break into computers, install spyware, search
computers and destroy data. These powers would extend to computers
located outside the Netherlands. EDRi member Bits of Freedom warns for
the unacceptable risks to cybersecurity and calls on other countries to
strongly oppose the proposal.

The proposal would grant powers to the Dutch police to break into
computers, as well as mobile phones, via the internet in order to:
– install spyware, allowing the police to overtake the computer;
– search data on the computer, including data on computers located in
other countries; and
– destroy data on the computer, including data on computers located in
other countries.

If the location of the computer cannot be determined, for example in the
case of Tor-hidden services, the police is not required to submit a
request for legal assistance to another country before breaking in.
Under the current text, it is uncertain whether a legal assistance
request would be legally required, or merely preferred, if the location
of the computer is known. The exercise of these powers requires a
warrant from a Dutch court.

This proposal poses unacceptable risks. If the Dutch government gets the
power to break into foreign computers, this gives other governments the
basis to break into Dutch computers which infringe the laws of their
country. The end result could be less security for all computer users,
instead of more. This is even more true with regard to the power to
destroy data on foreign computers; it is likely that other governments
would be very interested in using such a power against Dutch interests.

Furthermore, providing the government the power to break into computers
provides a perverse incentive to keep information security weak.
Millions of computers could remain badly secured because the government
does not have an incentive to publish vulnerabilities quickly because it
needs to exploit these vulnerabilities for enforcement purposes.

In addition, spyware is difficult to control. Research from the
EDRi member Chaos Computer Club demonstrates that, even though spyware
from the German police was intended to be used to intercept only Skype
calls, it could in practice be extended to take over the entire
computer. In addition, the spyware itself could be remotely hacked by
criminals as well, allowing them to take over the computer of a suspect.

The risks above do not even touch on the privacy-issues yet. Breaking
into a computer infringes the privacy not only of the suspect, but of
all non-suspects whose data is also on the computer. And, somewhat
related to this, the value of evidence gathered via these methods is at
the least less obvious and will be harder to assess in court. The
digital nature of the investigation makes it harder to prove that
evidence was not fabricated or perhaps destroyed by the police.

A legislative text implementing the highly controversial proposal will
be introduced to the Parliament in the coming months. The law does not
only concern the Netherlands: it concerns all countries whose
IT-infrastructure may be affected. Bits of Freedom therefore calls on
other countries to oppose the proposal. Laws like these make the
internet a more dangerous place.

Dutch Proposal (only in Dutch, 15.10.2012)

CCC research on German police spyware (26.10.2011)

EDRi-gram: German police accused of using a Trojan backdoor for
interceptions (19.10.2011)

(Contribution by Ot van Daalen – EDRi member Bits of Freedom – Netherlands)