The Netherlands’ Minister of Security and Justice Ivo Opstelten asked the Dutch parliament earlier this month to pass a law that would allow the authorities to hack into computers both at home and abroad in an effort to fight crime.
But those opposed to the new proposal are saying it’s the Dutch authorities themselves who will be waging cyber war on the rest of the world.
“We are worried because these are very heavy measures,” says Tim Toornvliet, spokesperson for the NGO Bits of Freedom, a Dutch digital rights group. “In order for police to be able to hack into computers, they need to have back doors into them, and this makes the internet less safe.”
In asking the Lower House of the Dutch Parliament for a “possible expansion of powers”, Opstelten said that police and prosecutors are out of date with the fast-moving digital world, where it is “relatively simple for criminals to cover [their] digital tracks.”
They want the law updated to allow them to conduct remote searches on both local and foreign computers, render some data inaccessible and remotely install “technical resources”—what critics say is malware—on computers they are targeting. They also want to criminalise the purchase of stolen digital data.
But Bits of Freedom says the Dutch initiative to investigate computers on foreign soil may violate European human rights law. They say the new laws could lead to Dutch investigators going after “cloud computing” services such as Gmail, allowing “Dutch police to use the methods of cyber war to enforce Dutch law on people living anywhere in the world.”
Adds Toornvliet: “If Dutch police can do this, why can’t other countries do it? In Thailand, it’s illegal to criticise the king. So does that mean the Thai police investigating a Thai person could hack into a Dutch computer looking for criticism of the king?”
Even Dutch officials seem to be mindful of the potential slippery slope. “The new powers do need to be surrounded by strict guarantees,” warns the Ministry on its website. “Remotely hacking into a computer will require the advance authorisation of an examining judge.” And the powers, they say, will only be applied for serious crimes with potential prison sentences.
But if the location of a computer is hidden, like when people use Tor or VPN software, determining where the computer actually is may prove impossible. “The internet doesn’t stick to national borders,” says Toornvliet, who notes it’s impossible to ask for authorisation when you don’t know which authorities to turn to.
The draft legislation is expected to be ready early next year.