On 15 October, the Dutch ministry of Justice and Security proposed powers for the police to break into computers, install spyware, search computers and destroy data. These powers would extend to computers located outside the Netherlands. Dutch digital rights movement Bits of Freedom warns for the unacceptable risks to cybersecurity and calls on other countries to strongly oppose the proposal.

Three new powers: spy, search and destroy

The proposal (Dutch, PDF, see here for an unofficial English translation) would grant powers to the Dutch police to break into computers, including mobile phones, via the internet in order to:

• install spyware, allowing the police to overtake the computer;
• search data on the computer, including data on computers located in other countries; and
• destroy data on the computer, including data on computers located in other countries.

If the location of the computer cannot be determined, for example in the case of Tor-hidden services, the police is not required to submit a request for legal assistance to another country before breaking in. Under the current text, it is uncertain whether a legal assistance request would be legally required, or merely preferred, if the location of the computer is known. The exercise of these powers requires a warrant from a Dutch court.

Hacking proposal poses unacceptable cybersecurity risk

This proposal poses unacceptable risks. If the Dutch government gets the power to break into foreign computers, this gives other governments the basis to break into Dutch computers which infringe the laws of their country. The end result could be less security for all computer users, instead of more. This is even more true with regard to the power to destroy data on foreign computers; it is likely that other governments would be very interested in using such a power against Dutch interests.

Furthermore, providing the government the power to break into computers provides a perverse incentive to keep information security weak. Millions of computers could remain badly secured because the government does not have an incentive to publish vulnerabilities quickly because it needs to exploit these vulnerabilities for enforcement purposes.

In addition, spyware is difficult to control. Research from the Chaos Computer Club demonstrates that, even though spyware from the German police was intended to be used to intercept only Skype calls, it could in practice be extended to take over the entire computer. In addition, the spyware itself could be remotely hacked by criminals as well, allowing them to take over the computer of a suspect.

The risks above do not even touch on the privacy-issues yet. Breaking into a computer infringes the privacy not only of the suspect, but of all non-suspects whose data is also on the computer. And, somewhat related to this, the value of evidence gathered via these methods is at the least less obvious and will be harder to assess in court. The digital nature of the investigation makes it harder to prove that evidence was not fabricated or perhaps destroyed by the police.

International opposition is necessary

A legislative text implementing the highly controversial proposal will be introduced to parliament in the coming months. The law does not only concern the Netherlands: it concerns all countries whose IT-infrastructure may be affected. Bits of Freedom therefore calls on other countries to oppose the proposal. Laws like these make the internet a more dangerous place.