UPDATE 2015-12-22: and here they are: the new cybercrime bill and MoU (in Dutch) as submitted by the cabinet to the House. Notably, the cabinet cancelled compelled decryption because of the right not to self-incriminate (nemo tenetur principle). Thus, the final bill, that will be discussed in the House, does not contain a power for LE to compel suspects of certain “very serious criminal offenses” to decrypt their data under penalty three years imprisonment or a fine of up to ~20k euro.
UPDATE 2015-06-11: it is reported that the cabinet will submit the proposal after the parliamentary summer break of 2015, which ends on August 31st 2015.
UPDATE 2012-10-18: legal expert Jan-Jaap Oerlemans blogged about the cross-border remote search that is proposed in this letter. Recommended read!
On October 15th 2012, the Dutch Minister of Security & Justice (Ivo Opstelten) sent this letter (.pdf in Dutch) to the Dutch parliament expressing intentions to draft new cybercrime legislation in the Netherlands.
Below is my Dutch-to-English translation of the entire letter. Hyperlinks and parts between  are mine (note: the parts between () are from the original letter). I translated as neutral/objective as I could. I welcome your corrections/improvements at koot at cyberwar dot nl.
WARNING: this is an unofficial translation.
Date: October 15th 2012
Subject: Cybercrime legislation
By submitting this letter I fulfill my promise to send a message to you, the Parliament, concerning the inventory I made of necessary, new criminal investigative powers on the internet.
This letter proposes, within the framework of the rule of law, proportionality, subsidiarity and respect for the privacy of citizens, legislative elaborations of a number of issues to strengthen the powers in the investigation and prosecution of cybercrime. The aim of this new legislation is to tune the legal framework to the needs brought forward by the services that are responsible for the investigation and prosecution of cybercrime. Based on practical experiences and wishes, such as appeared in the recent Cyber Security Assessments Netherlands [aka Cyber Security Report] of 2011 [.pdf, English] and 2012 [.pdf, English] and my letter of December 23rd 2011 to you, the Parliament, about the legal framework for cybersecurity, this concerns the following topics:
- Remote entry of automated works (=computers) and the placement of technical means (such as software) for the purpose of investigation of severe forms of cybercrime;
- Remote search of data that is accessible from an automated work (=computer), regardless of the location of the automated work on which the data is stored and taking into consideration agreements and rules of international legal assistance;
- Remotely making data inaccessible that is accessible from an automated work (=computer), regardless of the [geographical] location of the automated work on which the data is stored and taking into consideration agreements and rules of international legal assistance;
- Criminalization of the trade in stolen (digital) data.
The structure of this letter is as follows: first, several introductory remarks are made (paragraph 1), then, the above topics are elaborated (paragraph 2). Next, conditions for the exercise of these investigative powers are discussed (paragraph 3) and international developments are outlined (paragraph 4). Finally, I indicate what next steps are being discussed (paragraph 5).
1. Introductory remarks
IT applications play an increasingly important role in daily life. The current situation is that the number of cybercrimes is increasing and the capacity, knowledge and experience within the criminal justice system does not keep pace. Our national and international possibilities to act against it are further decreasing as result of the cross-border nature and the emergence of so-called cloud computing. It also appears that the industrial self-regulation malfunctions and that offenses that could be prevented through better and earlier technical measures often still occur. A burning issue is that it has become very complicated to trace criminal activity on the Internet because it is relatively easy for criminals to prevent their digital tracks from being monitored, for example by the use of software to encrypt data and delete the communication paths. The investigations of the High Tech Crime Team [THTC] of the National Police Services Agency [KLPD] confirm this. In the investigation of child pornography on the Tor network, the team found that through the use of this network it is possible to view, download or upload child pornography images on to servers, without the identity of the suspect being visible. Furthermore, in several places, including the servers that were found, encryption was used. In another investigation of a large botnet that was being used to commit many crimes, the THTC found that the owner of the botnet could move his data around the world easily and very fast using a few keystrokes on his computer, which severely hindered or rendered impossible figuring out where the data was located on servers. I believe that this kind of countermeasures of suspects against investigation ought not to be successful. Crimes that are committed must be detected and perpetrators must be prosecuted. Society expects this from the government.
Data of which it cannot be established where they are geographically located
The police and Public Prosecution Service expressed their practical need for broadening of legal possibilities to act, so that the desired and agreed-upon investigative and prosecution performance can be delivered. The police currently attempts to compensate the narrow legal possibilities to investigate on the internet. For example, the police has copied the content of the servers on the aforementioned Tor network containing images of severe sexual abuse of children and then destroyed it or rendered it inaccessible. At that time, the exact location of the servers could not be determined with certainty because the communication path had been obscured. The result of this approach in this case is that the copied data can now be used for (internationally) investigation and that access to those images is no longer possible via these servers. In this specific example, the Public Prosecution Service and the police made a decision in favor of acting against child pornography on the internet. A similar decision will need to be made in the future in acting against, for example, botnets. I believe that updating of legislation that provides the police and Public Prosecution Service a solid base to perform their necessary work in investigation and prosecution on the internet is necessary.
Mobile internet use
The current investigative powers for acting against cybercrime largely assume that computers have a fixed location and that digital data is stored on a single, individual computer. Meanwhile, the digital world has significantly changed. Because of that, these powers are no longer sufficient. In this context, the possibilities of modern mobile computers, such as smartphones and increasingly tablets, and the ways in which they are used, can be pointed out. These new forms of mobile computers can be continuously connected to the internet and be used for many forms of cybercrime. In addition, they are frequently used by criminals for their collaborative communication. Obfuscation of this communication is increasingly seen. In part due to the use of cloud computing, it will be increasingly difficult for investigators to figure out where the data of a certain smartphone or tablet is located at a certain time, while remaining uncertain about how long the data will remain stored there and thereby traceable. I believe that the investigative powers for acting against cybercrime ought to be designed so that these are practical and effective in the current digital world of mobile equipment and cloud computing. For the possibilities of digital investigation, it should not matter where an automated work is located at the time of carrying out the desirable investigative actions. According to international law, (digital) investigative actions on foreign terrain can onlytake place via international legal assistance. But as shown by the above examples, it will not always be possible to determine where data is located. If that is the case, the police and Public Prosecution Service must be able to continue their investigation under the conditions outlined below.
2. Elaboration of the aforementioned proposed legislation
Below, the proposed legislation that I announced above will be explained further.
2.1. Remote entry of automated works (=computers) and the placement of technical means (such as software) for the purpose of investigation of severe forms of cybercrime.
Paragraph 1 described the development toward more mobile Internet usage. It also raised the increasing use of encryption on computers. Police and the Public Prosecution Service indicate that various forms of crime exist that are hidden from their sight because they do not have the power to invade a computer. Article 125i of the Dutch Code of Criminal Procedure offer a framework for the power to search a place to record data that are stored or recorded at that place on a data carrier. From parliamentary history it can be inferred that it is not permitted that an automated work is penetrated remotely for the purpose of investigation of serious forms of cybercrime. This concerns both remote entering for the purpose of wiretapping confidential communication and remote entering for the purpose of searching an automated work. In order to get access to this data for the purpose of investigation of serious forms of cybercrime, it is necessary that software can be secretly installed that allows the encryption of the data to be undone or circumvented.
Partly in the light of technological developments, a statutory power should be established for remotely penetrating an automated work, concerning the above purposes. The changed circumstances warrant the inclusion in the Dutch Code of Criminal Procedure of a specific power to remote intrusion of an automated work for the investigation of serious forms of cybercrime.
2.2. Remote search of data that is accessible from an automated work (=computer), regardless of the location of the automated work on which the data is stored and taking into consideration agreements and rules of international legal assistance.
In paragraph 1 I provided the example of a botnet where the criminal was able to move his data around the world very fast. This is increasingly common. Criminals know that police is attempting to access their networks and data and take measures against that. Usually, the data are moved around the internet (globally) very fast or the paths to the data are changed. Criminal groups also often take measure to detect whether third-parties, including the police, are attempting to access their files. When they detect such signals or suspect this they move their files as fast as possible and don’t hesitate to act against intruders using digital means. These technological development make it difficult to determine the location of the stored data and that the location changes often. Where data used to be stored on one’s own computer or on a separate data carrier, data is now stored via the internet on a foreign server or in the cloud. Starting point is that power for criminal investigation can only be exercised on one’s own territory. To carry out investigative actions on the territory of another state, international legal assistance is required. The reverse also applies: if a foreign state wants to carry out investigative actions on Dutch territory, they also require official legal assistance (article 552h in the Dutch Code of Criminal Procedure). However, the time delay incurred by this often works against the investigation an limits the effectiveness of official legal assistance.
The Cybercrime Convention of the Council of Europe has a provision on remote access to computer data regardless of the location of that data (article 32). This access is limited to publicly accessible data and other data on the condition of consent of the rightful claimant. The Cybercrime Convention does not have provisions on the gathering of data that are not publicly accessible without consent of the rightful claimant, meaning the official legal assistance is required. But, as argued above, in the remote search of computers it is in practice not always possible to determine the location of the data. A request for official legal assistance is impossible in that case. From the perspective of effective investigations it is of vital importance that data can be retrieved regardless of the location where they are stored. Therefore, the police and the Public Prosecution Service insisted on relevant legislation. In the legislation that I have in mind, I use the following principles. If knowledge is available about the location of the data, and the data are located on a foreign server, a request for legal assistance is designated. If there is no knowledge about the location of stored data, they should for the purpose of obtaining evidence be able to be searched and taken over.
The Belgian Code of Criminal Procedure also stipulates that during the search of an automated work, data can be taken over. When it turns out that the data are not loacted on Belgian territory, the data are only copied and the foreign state is notified.
2.3. Remotely making data inaccessible that is accessible from an automated work (=computer), regardless of the [geographical] location of the automated work on which the data is stored and taking into consideration agreements and rules of international legal assistance.
A special aspect is the possibility of rendering data that is found during remote search of an automated work inaccessible. In the Netherlands, the possibility currently exists that, when a place is entered to record data that is stored on data carrier at that place, and when the data is or is used for committing a crime (such as child porn), the data are rendered inaccessible to end the crime (article 125o of the Dutch Code of Criminal Procedure). Following that, it is desirable that during introduction of the power to remotely intrude an automated work, also a power is created to render such data inaccessible. After all, it is possible that during a remote search, child porn is found. This was the case during the aforementioned investigation that the THTC carried out on child pornographic images on servers in the Tor-network, where the police found very harmful pornographic material that was stored in encrypted form on a server. In absence of knowledge about the location of the storage of data, it is impossible to search for legal assistance. Nobody can be addressed in that case, while the crime continuous. The severity of the crimes can require that the data are immediately rendered inaccessible. This can entail that the data is erased. I therefore believe it is desirable to establish a legal power to render inaccessible or erase data that are found during remote searches of an automated work, modelled such as the provisions of article 125o of the Dutch Code of Criminal Procedure. Here, again, it applies that if knowledge is available about the location of the data, a request for legal assistance must be addressed to the authorities of the foreign state.
2.4. Criminalization of the trade in stolen (digital) data.
Offenses are committed on the internet where data is gathered, via hacking or other means, that are of interest to third-parties for the use in crime. Examples of this are personal data in databases that have been compromised and that can then be used to, for example, buy goods on the internet. Also, creditcard data that are gathered via phishing is offered and sold on the internet. Although, in the latter example, the use of this data to make creditcards is already punishable by law, the holding, transferring and buying this data is not punishable. This complicates investigations. The requirement to wait until the data is actually used to commit crimes, implies that it is not possible to act to prevent crimes. That is certainly not reassuring to citizens and in fact a bad signal because this form of trade in stolen items would be permissible in digital form. The trade or selling of such data has developed into a separate form of crime on its own.
That trade of stolen data is currently not punishable, is related to the fact that computer data, based on jurisprudence, can only be considered in specific circumstances to be goods in the meaning of articles 310 and 416 of the Dutch Criminal Code. This is relevant when data is outside the disposal of the holder and represent economical trade value. From this it follows that copying the holder’s data is not punishable because the holder retains disposal of the data. I believe that it is unacceptable for the involved victims that the current legislation results in unwanted gaps in cyberspace and thinkit is desirable to make these offenses punishable.
3. Conditions for exercise of investigative powers
The investigative powers described in paragraphs 2.1 to 2.3 must be surrounded with strict safeguards. The power to search a place to record data that is stored or recorded on storage media, based on article 125i of the Dutch Code of Criminal Procedure, is assigned to both the examining judge, the prosecutor, the assistant public prosecutor and the investigating officer. In various other powers it is specifically provided that the examining judge and the public prosecutor are authorized (for example articles 125la, 125n third paragraph and 125o first paragraph of the Dutch Code of Criminal Procedure). However, given the degree of intrusiveness of the legal powers to remote intrusion of automated work and the installation of technical devices for the detection of serious forms of cybercrime, especially considering the infringement on the right to respect for the privacy of persons, authorization of the examining judge must at all times be obtained prior to the use of the power. Also, the power can only be exercised in cases of suspected offenses of a certain gravity, for example offenses for which custody is provided or that carry a maximum imprisonment of four years or more.
Furthermore, of course, the general requirement applies that report must be made when this power is exercised. In addition, all transactions occurring during the exercise of these powers are automatically logged and stored and thus always accessible and verifiable afterwards.
4. International developments
I have already informed you that the Netherlands firmly contributes at the international level to the further development of the international framework, especially within the context of the Council of Europe. The Netherlands is both a member of the Convention Committee (of which all Treaty Parties are member) and the Agency (an elected body within the Convention Committee) associated with the Cybercrime Convention of the Council of Europe. In that context, we contribute to the active recruitment of new members of this Convention. Meanwhile, 33 countries acceded to the Convention (of which 17 have ratified), including 2 non-European countries (the United States and Japan). Partly at the instigation of the Netherlands, a debate started in 2010 on the scope of article 32 of the Convention that was mentioned above. I think it is of great importance that any cross-border investigative powers are secured internationally. This is a process that will take many years. The Netherlands will continue to monitor this. I choose to set the improvements to combat cybercrime already in motion in the Netherlands.
5. Next steps
The coming months will be used together with the police, prosecutors and other relevant stakeholders to elaborate further and prepare a draft bill. I am convinced that this catching-up is necessary to strenghten the investigation and prosecution of cybercrime.
The Minister of Security and Justice,