The hacking law with its own backdoor
In the past few years, Dutch EDRi member Bits of Freedom has put a lot of effort into trying to stop the Dutch hacking proposal. The proposal would grant Dutch law enforcement agencies the authority to remotely access electronic devices. In December 2016, the law was passed in Dutch Parliament. Sadly, without the improvements that the law desperately needed.
The legislative process
The plans for this bill became public in 2012. In June 2013, a bill was launched for public consultation. After that, things settled down for quite a while, until December 2015, when the bill was sent to Parliament. After a public hearing and a very short time frame for the political parties to give their opinion and submit their questions, it got quiet again in February 2016.
Too quiet for the VVD (liberals) and the CDA (Christian democrats). They repeatedly inquired why the answers to their questions took so long and demanded a swift process. They also put the bill on a fast track in Parliament – even without their questions answered by the government.
The answers finally came in November 2016, in a 134-page report. In many ways, this created more confusion rather than answering any questions. It was no surprise that procedural mechanisms were used by the coalition of PvdA (social democrats) and the VVD (liberals) to push ahead with the vote on the bill, pushing aside requests from the opposition to get clarification on the report.
On 13 December 2016, the Parliament debated the bill. A week later, on 20 December, they voted in favour of adopting the proposed bill. It will now be debated in the Senate.
The law will allow law enforcement agencies to hack into any electronic device. These devices may or may not be connected to the internet. After accessing the device – and based on the court order – they are allowed to, for example, search the device, activate applications (including webcams and microphones), and copy or delete data. Law enforcement agencies are allowed, after a court order, to access these devices through several means, including the use of vulnerabilities.
Bits of Freedom campaigned hard to get the point across that the use of not publicly known vulnerabilities to access devices of suspects would leave innocent users of the same type of devices vulnerable to the illicit exploitation of those same vulnerabilities, and might ultimately lead to more cybercrime. Using vulnerabilities to try to reduce cybercrime could have the opposite effect. This point was understood by some parties, but not by all (such as the VVD and CDA, which continue to support the proposal). The debate mostly revolved around the use of vulnerabilities.
The backdoor in the law
In the law, as passed in the Parliament, law enforcement authorities are allowed to exploit known vulnerabilities. They are also allowed to use vulnerabilities that are not publicly known. They are not allowed to buy unknown vulnerabilities, but they are allowed to buy hacking software. This class of software is known for using unknown vulnerabilities. This means that the prohibition of buying unknown vulnerabilities is easily circumvented. The law, therefore, has its own backdoor.
The coalition did amend the bill on a very important point: after using the unknown vulnerability, the creator of the vulnerable software has to be notified. But in cases where these unknown vulnerabilities are exploited via governmental malware, the police are either not aware of the vulnerability (and thus cannot notify) or are bound by non-disclosure agreements (and thus are not allowed to notify). Consequently, law enforcement agencies will either break the law or break their contract.
Although a lot of time passed between the first draft of the bill and the approval by the Parliament, the crucial part of the Parliamentary process was rushed. The questions and issues raised by the Parliament have not been adequately answered by the government. The ruling coalition has rejected multiple requests by the opposition to clarify the law and its meaning.
Probably the most painful conclusion of this three-year governmental hacking campaign is that as a result we now have sub-standard legislation. Bits of Freedom could have accepted a hacking law if the law actually provided adequate technological safeguards, excluded the use of vulnerabilities that are not publicly known, and created clear and foreseeable rules and consequences. On paper, the law looks quite alright. But after careful consideration, it’s clear that in reality, it will have serious consequences.
There are also positive notes. The debate was relatively informed and most Members of Parliament seemed aware of the possible negative outcomes of using unknown vulnerabilities. This means that there is still a chance in the Senate: there still is a possibility to get more clarifications, restrictions and maybe even a rejection. The fight is not over yet – and we have our work cut out for us.
Parliament decides in favour of law full of backdoors (in Dutch only, 20.12.2016)
Police wants to hack back (in Dutch only, 12.12.2016)
Bits of Freedom campaign-site
Dutch parliament approves bill to hack criminal suspects (21.12.2016)
EDRi: Dutch police wants to hack their citizens’ devices (08.05.2013)
(Contribution by Ton Siedsma, EDRi member Bits of Freedom, the Netherlands)