UPDATE 2015-12-22: and here they are: the new cybercrime bill and explanatory memorandum (in Dutch) as submitted by the cabinet to the House. Notably, the cabinet dropped compelled decryption because of the right not to incriminate oneself (the nemo tenetur principle). Thus, the final bill, which will be discussed in the House, does not contain a power for law enforcement to compel suspects of certain “very serious criminal offenses” to decrypt their data under penalty of three years’ imprisonment or a fine of up to ~20k euro.
UPDATE 2015-11-27: the cabinet announced today that it submitted the cybercrime bill to the House of Representatives, as part of a series of bills relevant to counterterrorism. The bill should become available in the not-too-distant future; I’ll add the link here. The bill’s status has moved from “Raad van State” (Council of State) to “Tweede Kamer” (House of Representatives). NOS has a report (in Dutch).
UPDATE 2015-06-11: it is reported that the cabinet will submit the proposal after the parliamentary summer break, which ends on August 31st 2015.
In October 2012, the Dutch government announced its initiative to grant law enforcement the power to covertly and remotely access “automated works” (computers, phones, etc.) under certain circumstances. In 2013, draft legislation (with an explanatory memorandum) was published. The proposal concerning covert and remote access is part of a larger text (unofficial English summary available here) that criminalizes the trade in stolen (digital) data and that proposes the following powers:
- Remote entry of automated works and the placement of technical means (such as software) for the purpose of investigating severe forms of cybercrime. (Note 1: this applies only to “serious criminal offenses”. Note 2: Dutch police have already carried out some hacking, for instance to take down Bredolab (2010) and to fight child porn on Tor (2011), under authorization of a magistrate.)
- Remote search of data that is accessible from an automated work, regardless of the location of the automated work on which the data is stored and taking into consideration agreements and rules of international legal assistance;
- Remotely making data inaccessible that is accessible from an automated work, regardless of the geographical location of the automated work on which the data is stored and taking into consideration agreements and rules of international legal assistance;
- Compelling suspects of certain “very serious criminal offenses” to decrypt their data under penalty of three years’ imprisonment or a fine of up to ~20k euro (at odds with the nemo tenetur principle).
All of the proposed powers require authorization from a magistrate. The proposal was covered on Slashdot and criticized by Bits of Freedom. In May 2013, the Dutch government submitted the proposal for public consultation (in Dutch). Bits of Freedom submitted criticism, as many others did, including me (in Dutch). The government also submitted the proposal to the Dutch Data Protection Authority (CBP), which in February 2014 expressed concerns relating to the requirements of necessity and proportionality imposed by the European Convention on Human Rights (ECHR). That same month, the government submitted its proposal to the Dutch Council of State for further consultation.
It is publicly known that the Dutch national police (KLPD) had, and still has, active licenses for FinSpy (a trojan that runs on Windows, OS X and Linux) and FinSpy Mobile (which runs on Android, BlackBerry, iOS and Windows Phone): this was observed in WikiLeaks’ SpyFiles 4. The use of such methods is confirmed by the answers (in Dutch) given on October 6th 2014 to Parliamentary questions on this topic (h/t @rejozenger).
On October 18th 2014, the Dutch Minister of Security & Justice answered (.pdf, in Dutch) Parliamentary questions by MPs Berndsen-Jansen and Verhoeven (both affiliated with the D66 party) concerning this proposal. The last answer indicates that the government will submit its proposal to the Dutch Parliament in early 2015. Here is a translation of all six questions and answers:
Are the reports correct that a large international investigation is ongoing into Blackshades, software that can be used to create malware, among others? [Footnote 1: http://www.nu.nl/weekend/3858563/huiszoeking-aanschaffen-omstreden-software.html]
The reports are correct to the extent that the US and Canada have ongoing criminal investigations in various European countries against buyers, sellers, distributors and/or creators of software primarily designed to commit, in short, computer crime as meant in Articles 138ab (first section), 138b and 139c of the Penal Code.
Did the Public Prosecution, in the context of the investigation into Blackshades, commission the hacking of the Blackshades server? If so, can you explain the legal basis for that, and the grounds on which it is permissible?
The Public Prosecution did not commission the accessing of the Blackshades server. Dutch law enforcement has, under the responsibility of the Public Prosecution, and after authorization of a magistrate, remotely accessed a server and searched this server to record data on the basis of Article 125i of the Code of Criminal Procedure.
Under certain circumstances, Article 125i, after authorization of a magistrate, permits remote access of a computer, for the sole purpose of searching the computer for predetermined data files and if necessary seize those by recording them. This occurred in two criminal cases involving very serious offenses. I refer to the answers to the questions by MP Gesthuizen (Socialist Party) to the Minister of Security & Justice on the use of controversial spying software by Dutch law enforcement (2014Z13948, submitted August 11th 2014).
How often has the Public Prosecution so far commissioned the police to hack servers and computers in the context of an investigation, and what was the basis for the authority to hack?
The police carry out investigations on the basis of the Code of Criminal Procedure. The term “hacking” is not present there. The police have, as mentioned in the previous answer, on the basis of Article 125i, only in several (exceptional) cases, with authorization from the magistrate, accessed an automated system and secured data from a server whose location and ownership were unknown. One of those investigations concerns Blackshades.
To what extent is the current Penal Code sufficient as a legal ground for the police to access servers and computers of suspects?
Is it true that your proposal to “Change the Penal Code and the Code of Criminal Procedure in relation to the improvement and strengthening of investigation and prosecution of computer crime (Computer Crime III)” aims to provide a legal basis for Justice to hack servers and computers for the purpose of an investigation? If so, how does the current practice of commissioning hacking for the purpose of an investigation relate to this proposal?
Answers 4 and 5:
As explained in answer 2, the current legislation must be supplemented, which the Computer Crime III proposal aims to do. The purpose of that legislative proposal is to tailor the legal framework for investigation and prosecution of cybercrime towards the investigation and prosecution of computer crime and new methods used by criminals. Today’s society and the fast changes of technology for communicating and sharing or storing information globally require that law enforcement keeps pace (also see my letter to Parliament of October 15th 2012 concerning legislation for fighting cybercrime).
Besides various changes and supplements, the legislative proposal provides a new power that allows an investigating officer, following an order of a prosecutor, to covertly and remotely access an automated work to exercise certain investigatory powers in that automated work. Accessing an automated work is a more infringing power than searching an automated work, and necessary for the investigation of many forms of internet crime.
When do you expect to submit the Computer Crime III proposal, that has been in consultation since May 2013, to Parliament?
The legislative proposal will be submitted to Parliament in early 2015.
One important aspect will be to what extent the government addressed the concerns expressed by the Dutch Data Protection Authority (CBP). Notably, the CBP advised that logging of police actions carried out through malware, for the purpose of accountability, requires that the precise way in which the software works be known, including its source code (although that probably won’t fly IRL).