Law enforcement agencies should be allowed to hack into computers to identify cybercriminals and collect evidence, representatives from Europol and the Dutch National Police argued in front of a room full of security professionals at the RSA Europe security conference in Amsterdam.
The Dutch parliament is expected to start debating a legislative proposal introduced earlier this year that would give the Dutch police the right to break into computers to investigate crimes, gather evidence and even take disruptive measures to stop crimes in progress.
“We don’t call it hacking, and we definitely don’t call it hacking back, because we won’t be waiting until we are hacked,” said Peter Zinn, a senior cybercrime adviser for the Dutch National High Tech Crime Unit (NHTCU), during the Wednesday panel, “Hacking Back as a Law Enforcement Role.” The more appropriate term would be “lawful intrusion,” he said.
The technological methods used for such intrusions would be the same ones used by hackers, but the police would do this legally, he said.
Updating the law
The laws should keep pace with technology and law enforcement agencies should have, under strict conditions, the ability to lawfully intrude on computers, Zinn said. There have already been two cases in the Netherlands where existing laws were stretched to allow for this type of action, he said.
In one case, the Dutch police obtained a court order to take control of some computers at hosting provider LeaseWeb and reconstruct the command-and-control panel for the Bredolab botnet, an action that eventually led to the identification of the botnet’s creator and his arrest in Armenia in 2010. In the other case, police obtained permission from a judge to hack into a large child pornography website that was only accessible through the Tor network in order to bring it down.
“Without having the possibility to use these methods, we wouldn’t have been able to solve those cases,” Zinn said.
Troels Oerting, the head of the European Cybercrime Centre (EC3) at Europol, also argued that police should receive computer intrusion powers as part of the same discussion.
There are fundamental differences between how the police will have to fight cybercrime and how they fight traditional crime, Oerting said. In the case of traditional crime, old-fashioned police work is effective because there’s a crime scene and a perpetrator who had to be there in order to carry out the crime, he said.
Cybercriminals don’t have to travel, they don’t have to cross any borders, and they conduct their crimes against multiple victims while hidden abroad, Oerting said. “So the police cannot use the normal ways of obtaining evidence as it used to.”
In the physical world, a police officer has the power to detain suspects for 24 hours, search their bodies for evidence, search their houses for evidence, use violence against suspects if they don’t comply with orders and even shoot them in certain circumstances, Oerting said. “We accept this because we have a transparent system, we have rules and we have the rule of law.”
Why is it, then, that if they do some of those same things on a computer, it suddenly becomes such a big privacy issue and those actions should be banned? he asked. “I think that we need to have a balance between privacy, which I think we should respect, and anonymity, which I think is dangerous.”
Lawful interception and intrusion, done in a very strict and transparent manner, will be necessary because in many cases cybercriminals will not be from neighboring countries and may not even be from the European Union, Oerting said. “They will be from areas where it will be very hard to gather evidence from, and we might not even be able to call the police force that has the capacity to help us.”
Oerting warned against drawing comparisons between the alleged hacking activities of national intelligence agencies such as the U.S. National Security Agency and lawful intrusions conducted by the police, arguing that unlike intelligence services, police forces operate in a much more transparent manner and have better oversight.
Bart Jacobs, a professor of computer security at Radboud University Nijmegen and member of the Dutch National Cybersecurity Council, told the panel he is concerned about the privacy implications of the Dutch legislative proposal, but more fundamentally about how it will affect the integrity of the legal process.
Police should follow technological advances, but not everything that is technologically possible should be done by a technologically advanced society, he said. “For example, in the Netherlands we have the technological capability to build nuclear weapons, but we choose not to do it.”
If police officers enter someone’s computer, the distinction between passive and active actions they take on that computer is difficult to draw, Jacobs said. Every lawyer defending a suspect accused of a crime based on evidence obtained through such lawful computer intrusion could argue that the evidence was planted there, and it would be difficult for the police to defend themselves against such accusations, he said.
When police are doing roadside checks for speeding cars, those are passive measurements, but when they intrude into a computer, they can do whatever they want, Jacobs said. “Theoretically, by simply being on a computer, you’ve changed the log files, so that’s no longer passive.”
“We should think hard about this before we go down this road, because it will complicate the legal process in a very serious way,” he said.
Jacobs also had doubts that the Dutch law would only be used for serious cases, especially since the proposal does not restrict the use of such powers to cybercrime investigations.
There’s a danger that it will be used very often, and there are historical examples of this happening with other powers granted to the police, Jacobs said. When a law allowing phone tapping was first introduced and debated in the Dutch parliament, the government argued it would hardly ever be used, but today the Netherlands is one of the most active phone tappers in the world, he said.
When asked about the implications of Dutch police officers breaking the laws of foreign countries by hacking into computers located there, Zinn said the Dutch proposal limits the lawful intrusion powers to computers located in the Netherlands and computers whose locations cannot be determined.
If it’s determined that a computer is located in another country, the lawful intrusion should not take place, he said.
Oerting was more supportive of the idea of cross-border computer intrusion conducted by law enforcement agencies, saying there are already similar agreements in the physical world. The Schengen Area agreement, an agreement among 25 European countries that abolishes passport and immigration control at their common borders, allows police officers from one country to follow suspects into another country while in hot pursuit, he said.
However, there are also questions about the implications of this law when considering that cybercriminals often use compromised computers to launch attacks.
For example, if during a lawful intrusion the police discover evidence of an unrelated crime possibly conducted by the compromised computer’s owner, not by the cybercriminal they were investigating, would they use it to launch a separate investigation? According to Zinn, that might be possible.