Dutch Data Protection Agency’s considerations on necessity and proportionality of the hacking power for LE proposed by the Dutch govt

In May 2013, the Dutch government proposed legislation — specifically this document (.pdf, in Dutch) — that would grant Dutch law enforcement the power to break into “automated works” (computers, smartphones, etc.), for instance using FinFisher. The Dutch intelligence agencies have had that power since 2002. The Dutch LE agencies do not. But lack of legal authority notwithstanding, some hacking by Dutch police has been seen in practice: for instance to take down Bredolab (2010) and to fight child porn on Tor (2011). This is confirmed by the finding that the Dutch police currently has active FinFisher licenses, and by yesterday’s answers (in Dutch) to Parliamentary questions on this topic (h/t @rejozenger).

The proposed legislation is flawed, as is apparent from the contributions to the public consultation that closed in July 2013, and from this post by Bits of Freedom. The legislation also proposes granting law enforcement the authority to force suspects of certain crimes (such as terrorism and child porn) to decrypt their data, under penalty of three years imprisonment or a fine of the fourth category (some 20k euro). Prior to the proposal, professor Bert-Jaap Koops was commissioned by the Dutch govt to carry out a study (.pdf, 2012, in Dutch) of infringements on nemo tenetur (the right not to self-incriminate) in other countries. Koops established three possible ways forward; the Dutch govt chose the toughest of the three.

In February 2014, the Dutch Data Protection Authority (CBP) published (.pdf) critical advice that addresses issues concerning the necessity and proportionality of the proposed hacking power. The CBP recommends that the government not submit the proposal to Parliament in its current form. The report contains a few considerations that are interesting even to readers unfamiliar with the proposal or with Dutch law.

Here is my translation of the interesting parts from the CBP’s advice (TL;DR: the proposal is insufficiently substantiated; there are flaws concerning necessity and proportionality):

1.4 Review of necessity, proportionality and subsidiarity

Necessity

With regard to the need to demonstrate necessity, the proposal argues on the basis of the technological developments that existing investigative powers are insufficient and necessitate more power. Although it is argued that law enforcement is in urgent need of this new power, and some scenarios are brought forward in which existing powers provide no solace, insufficient concrete evidence is provided that demonstrates an urgent need for society to introduce these infringing measures. The considerations underlying the proposed powers are indeed largely based on a number of concrete scenarios, but those do not in themselves sufficiently justify granting new powers. The urgency referred to in Article 8 of the ECHR also requires an independent contemplation and substantiation that transcends casuistry. The necessity (“pressing social need”) for the introduction of this new authority should be established conclusively in objective terms, and is currently insufficiently substantiated. The Dutch Data Protection Agency recommends including the missing considerations. Furthermore, the CBP considers the following.

Insufficient distinction is made between encryption of files and data by suspects, encryption of communication flows in transit, and the fact that people store data elsewhere, in the cloud. This distinction is essential to determine to what extent the power is necessary, and whether no other means exist to achieve the same goal that make a lesser infringement on the privacy of those involved. In the Netherlands, all providers of public electronic communication networks and services are required to provide decrypts of communication they themselves encrypt. In case an investigation requires urgent access to data that are managed by foreign providers such as Google, Skype or Facebook, it is insufficiently substantiated that these providers would not cooperate with legal requests, given that they have or can provide access to the decrypted content of email and files on their servers, or can be asked to cooperate with intercepting the communication of a specific suspect. In case the suspect has encrypted data himself using software such as PGP or TrueCrypt, the investigators could use existing authorities, or use the proposed authority to force the suspect to decrypt the data. The necessity of exercising the power of breaking into computers is insufficiently substantiated, considering the size and severity of the privacy infringement it produces. Considering the use of Tor networks to encrypt communication in transit, it needs to be substantiated why other often-used methods of fighting serious crime are not effective (the requirement of subsidiarity).

When fighting botnets, scenarios are conceivable in which command-and-control servers are located abroad, or in which their location cannot be determined. In those cases, the existing powers do not suffice, and making the systems inaccessible through remote intrusion of an automated work may offer a solution. Also in specific scenarios, for instance an ongoing DDoS attack on a bank or another essential service, it is conceivable that this combination of powers can offer a solution. Also in the case of bulletproof hosting providers, other means are insufficient. However, the reasoning that insufficient means are available in the case of bulletproof hosting providers does not warrant the conclusion that law enforcement needs to have access to all data stored in the cloud.

Proportionality

Concerning proportionality, the proposal ignores the size of the privacy infringement that will result from the introduction of this power. That infringement concerns the large amount and the nature of the personal data on the one hand, and on the other hand the large circle of persons whose right to privacy is infringed upon. The mandatory consideration of whether the severity of the privacy infringement is proportional to the objectives sought is missing in the proposal. According to the proposal, the power to carry out investigation in an automated work can only be used for the objectives mentioned under a to e. The objective under a (establishing the presence of data or determining the identity or location of the automated work or the user) is characterized as non-far-reaching, but once access has been obtained, the result will be far-reaching, and law enforcement has unlimited access to all available digital data. That also holds for the other objectives. After access is obtained through the use of spyware, that access cannot be restricted to the objectives stated in the warrant. This is not only disproportional, but also results in excessive processing of police data (Article 3, second paragraph, Police Data Act).

1.5 Safeguards

Given the extent of the power and the severity of the privacy infringement, the use of the power must have strict safeguards. The proposal provides several safeguards, including a clause that restricts the use of the power to suspects of crimes of a certain severity, the clause that the power can only be used for specific objectives, the mandatory specification of the grounds for the warrant, and the requirement of prior approval from the prosecutor by the magistrate. In addition to these safeguards, the CBP also considers the following safeguards to be essential.

Controls and logging

An important safeguard is the verifiability of the exercise of the power throughout the entire process, from requesting approval to using the power. Article 4, third paragraph, of the Police Data Act, which requires that adequate technical and organizational measures be taken, requires that a comprehensive auditing system be set up for accountability during the entire process. In addition, knowledge of and insight into the software used is necessary. Quality and reliability, as well as possibly hidden vulnerabilities, must be the subject of constant evaluation. Besides the “regular” journaling and reporting, logging is important. Considering logging, it is argued that at all times it can be checked what technical actions were taken, such that at a later moment there can be no doubt about the nature and consequences of the actions that have been taken [6].

However, logging can as of yet not always result in showing all relevant actions [7]. It also holds that useful logging requires that the precise way in which the software works must be known, including the source code.

Legal protection; criminal system

This new power is placed in Title IV concerning special coercive measures. These coercive measures are characterized by a certain knowability of their application to the person involved. The proposed power, on the contrary, is characterized by covert application, and therefore undeniably has the character of a special investigatory power. The special investigatory powers have been placed in separate titles of the Code of Criminal Procedure since the introduction of this system in 2000 by the Special Investigation Powers Act. The basic principle of this law is that investigation powers that carry a large risk to the integrity and verifiability of the investigation, or infringe upon fundamental rights of citizens, require a specific basis in the Code of Criminal Procedure. The interests and fundamental rights at stake require this. The title of general provisions that applies to all special investigatory powers contains specific safeguards that — at least partially — are withheld by the proposed placement in the title of coercive means.

Notification of individuals, oversight and review of effectiveness

Notification afterwards to the individual is, also considering the flawed current practice in which the mandatory notification often does not take place, a scant safeguard for the required accountability of use of the power. Taking into account the implications of the exercise of the power, it is also recommended that the proposal provide a control instrument that allows direct and effective oversight of the way the power is used, among other things through a requirement to regularly provide statistics and overviews. In this regard, the inclusion of a sunset clause is indispensable.

We have yet to see what the government will do with this advice. The government submitted its proposal to the Dutch Council of State for (other) advice. After that, it may or may not be submitted to Parliament.

Some related topics: Europol recently published a report that warns of the risks of encryption and anonymity to law enforcement, and Bruce Schneier observed that the crypto wars are back.

EOF
