Oversight of hacking power and take down order

The Computer Crime Act III is now under consideration for approval by the Dutch Senate. The act extends the criminalisation of certain behaviour, such as grooming of persons that appear to be 18 year old and younger, the unauthorised gathering of non-public data and offering that stolen data online. Perhaps more importantly, the Computer Crime Act III authorises Dutch law enforcement authorities, with permission from an investigative judge, to make content containing serious crimes inaccessible (such as child abuse materials or jihadist propaganda) and to access computers remotely for evidence gathering purposes (a so-called hacking power).

Hacking power

The proposed power to hack computers seeks to provide a solution to the increasing challenges of anonymity, encryption and cloud computing in cybercrime investigations. By using this special investigative power, law enforcement officials can access computers remotely and gather evidence at its source, thereby circumventing problems such as the encryption of data. The instrument can only be used under the most stringent conditions, such as a warrant from an investigative judge and a limitation to serious crimes.

After law enforcement officials gain remote access to a computer system, they can be authorised to observe the behaviour of a person by turning on a GPS signal, microphone or video camera. Law enforcement officials can also remotely copy relevant data for evidence purposes in a criminal investigation. A particularly far-reaching power is to make a computer or data inaccessible. This may result in disabling a botnet infrastructure or encrypting child abuse images remotely.

Take down order

The proposed take down order provides an instrument for law enforcement authorities to make web content inaccessible. If online service providers or individuals publishing criminal materials do not disable the content voluntarily, a takedown order can be issued. Fortunately, the use of the instrument is restricted to serious crimes and a warrant from a judge is required. However, the take down order can go as far as ordering a hosting provider to take down a particular website (when possible) and even compelling an internet access provider to disable content. This last application of a takedown order boils down to an internet filter. Does this leave us in a few year with a black list of websites that must be filtered by Dutch internet access providers?

Oversight

In my article about the Computer Crime Act III (.pdf in Dutch), I discuss the changes the act will bring to the Dutch Penal Code and Code of Criminal Procedure. Although I do acknowledge the necessity of hacking as an investigative power to gather evidence in criminal investigations involving serious crimes, I worry about the proposed powers to make computers or data accessible.

The problem is that the cybercriminals behind this criminal behaviour often reside on foreign territory and hide behind anonymisation techniques. These cybercriminals will often not be tried in a Dutch court. I wonder how many times a botnet will be disrupted by taking it down, or websites will be shut down or even filtered, without a trial during which a judge can determine whether those acts by law enforcement officials were conducted lawfully.

Therefore, I argued (and with me some Members of Parliament, scholars and several civil rights organisations) that we need an independent supervisory authority. This authority, perhaps modelled on the UK Investigatory Powers Commissioner’s Office, should be issued with the task of overseeing the legitimacy of operations involving these far-reaching special investigative powers. It is not likely such an authority will be created as part of the Computer Crime Act III, but perhaps the new Dutch cabinet should consider legislation to create such an authority.

This is cross-post from LeidenLawBlog.

Europol iocta 2017 rapport

Europol brengt elk jaar het ‘internet organised threat assessment’ (iocta) rapport uit. Het rapport komt tot stand aan de hand van vragenlijsten aan politieorganisaties binnen de EU en door input van bedrijven. Het biedt een interessant en gedetailleerde inzicht in de actuele stand van cybercrime. Ook dit jaar sprak het rapport mij aan en daarom heb ik een samenvatting gemaakt van de belangrijkste bevindingen. Deze samenvatting wil ik de geïnteresseerde lezer natuurlijk niet onthouden.

Ransomware

Ransomware vormt volgens Europol de belangrijkste malware dreiging, gelet op de slachtoffers en de schade die het met zich meebrengt. Met ransomware wordt relatief eenvoudig geld verdiend. Door het gebruik van cryptocurrencies, zoals Bitcoin, zijn de verdiensten bovendien relatief eenvoudig wit te wassen. Naast Bitcoin worden ook Monero, Etherium en ZCash in toenemende mate door cybercriminelen gebruikt. ‘Kirk’ is de eerste ransomware, waarbij Monero werd gebruikt voor het losgeld (in plaats van Bitcoin).

Niet alleen individuen worden door cybercriminelen met ransomware aangevallen, maar ook ziekenhuizen, de politie en overheidsinstellingen. MKB-bedrijven worden steeds vaker aangevallen, mede vanwege hun beperkte budget om voldoende beveiligingsmaatregelen te nemen. Europol spreekt van een “explosie van ransomware” dat op de markt komt, waarbij sommige rapporten spreken van een toename van 750% in 2016 ten opzichte van 2015.

Information stealers

Information stealers’ vormen de op een na grootste bedreiging met betrekking tot malware. Het kost cybercriminelen aanzienlijk meer moeite de benodigde informatie te stelen (zoals financiële gegevens) en het is voor criminelen lastiger met deze malware geld te verdienen vergeleken met ransomware. In het rapport wordt terecht opgemerkt dat Europol een vertekend beeld krijgt van de malwaredreiging, omdat mensen vaak de gevolgen van het gebruik van malware rapporteren. De IT beveiligingsindustrie geeft daarom noodzakelijke input voor het rapport. Binnen deze industrie bestaat een meer volledig beeld van de dreiging.

Slechte beveiliging IoT-apparaten

Europol signaleert ook de dat zwakke beveiliging van Internet of Things-apparaten cyberaanvallen in de hand werkt. Het Mirai-botnet, dat werd gevormd door lekke en misbruikte IoT-apparaten, heeft in 2016 met een zeer sterke (d)DoS-aanval de Amerikaanse DNS-provider Dyn platgelegd, waardoor populaire diensten als Twitter, SoundCloud, Spotify, Netflix, Reddit en PayPal ongeveer 2 uur onbereikbaar waren. Denail-of-service aanvallen zijn eenvoudig uit te voeren. Een botnet die in staat is een denial-of-service aanval van 5 minuten op een webshop uit te voeren, kan slechts voor 5 dollar op websites worden gehuurd.

Kinderpornografie op internet

Kinderpornografie op internet blijft een groot probleem. Het aanbod, de verspreiding en vervaardiging van het materiaal lijkt niet af te nemen. Daarnaast worden enorme hoeveelheden kinderporno in beslag genomen. Volgens Europol zijn hoeveelheden 1-3 Terabyte niet ongebruikelijk met 1 tot 10 miljoen afbeeldingen met kinderpornografie. Peer-to-peer programma’s, zoals GigaTribe, worden nog steeds door kinderpornogebruikers misbruikt voor de verspreiding en het binnenhalen van kinderporno. Europol signaleert dat ook populaire apps en sociale mediadiensten in toenemende mate worden misbruikt.

Het is ook helder dat websites op het darkweb worden gebruikt voor toegang en verspreiding tot kinderporno. Het rapport haalt aan hoe de hack op het hosting bedrijf ‘Freedom Hosting II’ 10.000 darknet websites blootlegde, waarvan 50% kinderpornografische afbeeldingen bevatte. Deze websites zijn overigens vaak gespecialiseerd in kinderporno, omdat online marktplaatsen geen kinderporno accepteren. Zowel op het ‘Surface web’ als op het ‘dark web’ zijn er pay-per-view-diensten beschikbaar waarop kinderpornografische materiaal wordt aangeboden. Volgens Europol maken veel Westelingen gebruik van de diensten, waarbij vooral minderjarigen uit de Zuidoost-Azië en Afrika worden misbruikt. De opsporing van deze misdrijven wordt bemoeilijkt door het gebruik van gratis WiFi-diensten die bijvoorbeeld in de Filipijnen aan arme wijken worden aangeboden. Het is daardoor lastig op basis van het IP-adres de slachtoffers te identificeren.

Fraude met betaalkaarten

Het gebruik chipbetaalkaarten met de EMV-standaard is nog niet alle staten gemeengoed geworden. Betaalkaarten en betaalautomaten die niet van standaard gebruik maken, worden op grote schaal misbruik om fraude en andere delicten zoals de aankoop van drugs mee te plegen. In het rapport worden spectaculaire hacks beschreven waarbij pinautomaten of het systeem dat de pinbetalingen faciliteert worden gehackt, waarna de pinautomaten automatisch geld uitspuwen of geld tot een veel hoger bedrag (tot 200.000 euro) kan worden opgenomen. Verwezen worden naar de ‘Carnabak’-groep die in 2014-2015 op deze manier 1 miljard dollar buit heef gemaakt. Meer recent is volgens Europol de ‘Cobalt’-groep actief geweest met het infecteren van pinautomaten met malware om frauduleuze pinopnamen te doen binnen de Europese Unie, waaronder Nederland.

Groei darknet markets

In het rapport wordt veel aandacht besteed aan de groei van ‘darknet markets’. De online handelsplatformen op het darkweb zijn toegankelijk via Tor, I2P en Freenet, waarbij de illegale activiteiten zich nog voornamelijk via Tor afspelen. In juni 2017 had het Tor netwerk 2.2 miljoen actieve gebruikers en bevatte het bijna 60.000 unieke .onion domeinnamen. De gebruikmaking van deze diensten zijn nog niet de standaard geworden voor de distributie van illegale goederen. Maar de darknet markets groeien snel met een eigen klantenkring in de gebieden van illegale drugshandel, wapenhandel en kinderporno. Daarnaast worden ook veel persoonsgegevens, in het bijzondere gegevens over betaalkaarten en login gegevens voor online bankieren, op het dark web aangeboden. Volgens Europol maken de volgende drie factoren het gebruik van Tor voor criminelen aantrekkelijk: (1) een bepaalde mate van anonimiteit, (2) een diverse markt aan kopers die minder lijflijk risico lopen en kunnen betalen met cryptocurrencies en (3) een goede kwaliteit van producten die worden verkocht door aanbieders die worden beoordeeld op basis van reviews.

Encryptie en dataretentie belemmering de opsporing

Voor het tweede jaar achtereen geeft Europol in het rapport ook de boodschap af encryptie de opsporing voor cybercrime belemmert. Het maakt het aftappen van telecommunicatieverkeer minder effectief en belemmert digitaal forensisch onderzoek. Daarnaast is helder dat de onrechtmatig verklaring van de dataretentierichtlijn op 8 april 2014 door het Hof van Justitie van de EU een ‘aanzienlijke negatieve invloed’ heeft op de mogelijkheden van opsporingsautoriteiten om bewijsmateriaal veilig te stellen. In sommige lidstaten is nog steeds dataretentieregelgeving voor telecommunicatiedienstverleners (waaronder ISP’s) van kracht, maar veel andere EU lidstaten niet. Deze fragmentatie belemmert de internationale opsporing van cybercrime. Europol doet geen voorstellen tot maatregelen op dit gebied, wellicht omdat het te politiek gevoelig is, maar benadrukt de problematiek die het met zich meebrengt.

Gebruik van policeware in Aydin C.-zaak

Vorige week heb ik mijn noot gepubliceerd die ik heb beschreven over de Aydin C.-zaak. De zaak is veelvuldig in het nieuws geweest vanwege de tragische afloop van Amanda Todd, nadat zij werd gechanteerd door Aydin C. met webcamopnamen. De rechtbank Amsterdam veroordeelt Aydin voor meer dan 10 jaar gevangenisstraf voor kinderporno en (poging tot) aanranding met betrekking tot 34 meisjes en één man voor afdreiging.

Vanuit juridisch oogpunt vond ik het echter interessanter hoe de rechtbank is omgegaan met het gebruik van een softwarematige keylogger bij de bewijsgaring in deze zaak. Dergelijke ‘monitoringssoftware’ wordt ook wel ‘policeware’ genoemd.

Mag een keylogger nu wel of niet worden gebruikt?

Al tijdens het verloop van de zaak kwam via de media naar buiten de politie een ‘keylogger’ had ingezet om bewijsmateriaal te verzamelen. Een keylogger registreert toetsaanslagen waardoor communicatie, maar ook inlognamen en wachtwoorden, kan worden afgevangen om nader te onderzoeken. Een keylogger kan zowel hardwarematig zijn als softwarematig.

Eerder had ik ook al in een interview aangegeven dat het gebruik van een hardwarematige keylogger volgens mij door de beugel kan. De wetgever heeft al 20 jaar geleden in de memorie van toelichting van de Wet bijzondere opsporingsbevoegdheden (Wet BOB) (p. 35-37) voldoende duidelijk gemaakt dat onder de bijzondere opsporingsbevoegdheid van direct afluisteren (artikel 126l Sv) het gebruik van een apparaatje (een ‘bug’), dat ook toetsaanslagen kan registreren, is toegestaan.

Mag policeware worden gebruikt?

De vraag is lastiger te beantwoorden of het gebruik van een softwarematige keylogger is toegestaan. De tekst van de wet zelf sluit niet uit dat software wordt gebruik bij de toepassing van de bijzondere opsporingsbevoegdheid van direct afluisteren. Gesproken wordt over een ‘technisch hulpmiddel’, dat tevens uit software kan bestaan. Dat is ook af te leiden uit het Besluit technische hulpmiddelen. Eerder heb ik betoogd dat de software in ieder geval niet door middel van een ‘hack’ kan worden geplaatst, omdat daarmee een geheel andere privacyinbreuk plaatsvindt dan wanneer een bug fysiek in een woning of andere plek wordt geplaatst zoals bij ‘direct afluisteren’ gebruikelijk is. De wet zou dan niet meer voorzienbaar zijn.

Het is echter de vraag of de software ook andere functionaliteiten mag hebben dan het afluisteren van communicatie, het registreren van toetsaanslagen en het registreren van muisklikken. Hoewel het vonnis moeilijk leesbaar is, wordt interessante informatie gegeven over het gebruik van dergelijke software door de politie. Zo wordt onder andere gesteld dat via een softwarepakket ‘vinkjes’ kunnen worden aangezet om van bepaalde functionaliteiten van de afluistersoftware gebruik te maken. Uit het vonnis van de rechtbank blijkt ook dat gebruik is gemaakt van een screenshotfunctionaliteit. Is deze toepassing dan nog voorzienbaar is op basis van bestaande wetgeving?

Pas als de Wet computercriminaliteit III door de Eerste Kamer wordt aangenomen en de wet van kracht wordt, mag een softwarematige keylogger met andere functionaliteiten (waaronder ook het maken van screenshots, het vastleggen van identificerende gegevens, het aanzetten van een camera, en eventueel het aanzetten van een GPS-signaal) worden gebruikt. Deze software mag dan ook op afstand via een hack worden geïnstalleerd op de computer van de verdachte op basis van de voorgestelde nieuwe hackbevoegdheid in artikel 126nba Sv.

Mogelijkheden voor de verdediging

De verdediging voerde tal van verweren in de Aydin C.-zaak. In mijn noot heb ik aandacht besteed aan de mogelijkheid van de verdediging om tijdens de zitting na te gaan welke functionaliteiten van de software precies gebruik is gemaakt. Ik begrijp het standpunt van de politie en het Openbaar Ministerie dat het type software – of zelfs de broncode – niet wordt vrijgegeven aan de verdediging. Daarmee breng je namelijk het toekomstig gebruik van de software in strafzaken door opsporingsinstanties in gevaar. De verdediging moet echter wel de mogelijkheid hebben om het gebruik van de software achteraf – desnoods tijdens de zitting – te controleren. Nagegaan moet worden of niet meer functionaliteiten van de software zijn gebruikt dan de officier van justitie als het goed is in zijn bevel voor inzet van de bevoegdheid heeft aangegeven. In deze zaak werd het verweer geadresseerd door één deskundige van te politie te horen, waarbij ik de zorg om onafhankelijkheid goed begrijp.

Als de Wet computercriminaliteit III wordt aangenomen kan de verdediging het gebruik van de software beter controleren. De verdediging kan de rechter verzoeken tot nader onderzoek van de gelogde gegevens. De rechter kan dit ook overigens ook ambtshalve beslissen. Staatssecretaris Dijkhoff heeft in de nota naar aanleiding van het verslag aangegeven dat dit mogelijk is. Daarnaast wordt de waarborg ingebouwd dat de Inspectie Veiligheid en Justitie het gebruik van de software bij de politie controleren. Dit zijn twee zeer welkome waarborgen ten opzichte van de bestaande situatie.

Normering van digitale opsporingsmethoden

Op 1 maart 2017 is mijn nieuwe boekje ‘Normering van digitale opsporingsmethoden’ uitgebracht. Het boekje is bij de Nederlandse Defensie Academie gedrukt en stel ik hierbij in .pdf beschikbaar.

Mijn doel is om ‘de praktijk’ – dat wil zeggen professionals in de opsporing, advocaten en rechters – meer duidelijkheid te geven over de juridische basis bij de toepassing van digitale opsporingsmethoden. Tijdens mijn onderzoeksperiode voor mijn proefschrift van 2010-2016 heb ik regelmatig gehoord dat er onduidelijkheid bestaat over de vraag welke regels van toepassing zijn. Dat is vanuit rechtsstatelijk oogpunt zeer onwenselijk, want zowel de professionals in de praktijk als de betrokken burgers moeten weten waar ze aan toe zijn om willekeur van overheidsmacht tegen te gaan. Mogelijk bestaande interne richtlijnen binnen de opsporing vormen geen voorzienbaar juridisch kader waar betrokkenen een beroep op kunnen doen.

Met mijn boekje hoop ik dus meer duidelijkheid over de juridische basis van digitale opsporingsmethoden te leveren, maar ook de discussie aan te zwengelen. Het rechtsgebied is namelijk sterk in beweging. Ik verwacht dan ook dat dit werk slechts drie jaar actueel blijft. Dat komt doordat digitale opsporingsmethoden constant evolueren in verband met technologische ontwikkelingen en de onderliggende (cyber)criminaliteit, waar de opsporing op moet inspelen. Daarnaast zal het project ‘Modernisering strafvordering’ in de nabije toekomst aanzienlijke wijzigingen in het Wetboek van Strafvordering met zich mee brengen. Over de wenselijke juridische basis en waarborgen voor digitale opsporingsmethoden in toekomstige wetgeving moet dus nú worden gediscussieerd.

Investigating Cybercrime

On 10 January 2017, I successfully defended my PhD thesis ‘Investigating Cybercrime’. In this blog post, I would like the share my main research results.

Cybercrime investigations

My study shows that in cybercrime investigations, evidence is often gathered by following the two digital leads of IP-addresses and nicknames. I explain how evidence is gathered, based upon these leads. In cybercrime investigations, law enforcement officials often encounter the three challenges of anonymity, encryption and jurisdiction. These challenges can leave law enforcement officials empty-handed in certain circumstances.

However, law enforcement officials can use digital investigative methods to deal with these challenges. The following four investigative methods are identified and further analysed in the study: (1) gathering publicly available online information, (2) issuing data production orders to online service providers, (3) applying online undercover investigative methods, and (4) performing hacking as an investigative method.

Regulating digitale investigative methods on a national level

On a national level, my research shows that the identified digital investigative methods are not regulated in a foreseeable manner in the Netherlands. The reason is that the scope and manner in which investigative methods are applied are not sufficiently clear. In addition, I argue that the quality of the law for certain investigative methods is not adequate. The main and concrete results of my analysis are as follows:

  • The manual and automated gathering of publicly available online information should be regulated in detail, outside criminal procedural law. These regulations should indicate how data protection regulations should be applied in a concrete manner when these digital investigative methods are used.
  • The regulations for undercover investigative methods (both online and offline) should be improved by incorporating supervision by an investigative judge.
  • A warrant requirement should apply for obtaining traffic data and content data from online service providers. The category of ‘content data’ should be defined more clearly by the legislator or Public Prosecution Service.
  • Regulating hacking as an investigative power is necessary. The proposal to regulate this investigative method in the Computer Crime Act III is adequate. However, the investigative power is formulated in a rather broad manner and the legal consequences of its application to ‘disrupt cybercrime’ are uncertain.

Regulating digital investigative methods on an international level

On an international level, my research shows that the application of digital investigative methods are not sufficiently taken into consideration in mutual legal assistance treaties. States should realise and take into consideration that unilateral cross-border digital evidence-gathering activities already take place.

The application of digital investigative methods can endanger both State sovereignty and the legal certainty of individuals in certain circumstances. At the same time however, I argue that unilateral cross-border digital evidence-gathering activities should be permissible in certain circumstances. Ideally, States agree on what terms these evidence-gathering activities are allowed and protect the right and freedoms of the individuals involved in mutual legal-assistance treaties or on an ad-hoc basis. In the meantime, States should create a policy for their law enforcement authorities to determine under which circumstances unilateral cross-border digital evidence-gathering activities are allowed. I provide recommendations about these restrictions for the Dutch legislator.

Finally, I would like to say that it has been a pleasure performing research as a PhD Candidate at Leiden University. I will continue to do research in cybercrime, cybersecurity, digital investigations and privacy in the future.

This is a cross-post from LeidenLawBlog. My book is also commercially available at bol.com (among others).

A call to make a guideline for online investigations accessible

The gathering of publicly available online information is nowadays part of ‘most police investigations’. Some call this information the ‘new social DNA’ for law enforcement. Indeed people publish massive amounts of information about themselves on the internet on a voluntarily basis. At the same time other people can also publish information about individuals on the web. Law enforcement authorities make use of this information to fulfil their tasks, such as maintaining public order, and as a source of information in criminal investigations. In this blog post I submit that Dutch law enforcement authorities and the Public Prosecution Service should publish their policy on the use of publicly available online information in criminal investigations.

Accessibility and foreseeability

A policy on the use of privacy-interfering investigative methods should be accessible and foreseeable to the individuals involved. Accessibility means that a guideline or regulation is published and made publicly available to individuals to take notice from. Foreseeability means that the scope of investigative methods and the manner they are applied are clear to the individuals involved. An arbitrary interference by governmental authority powers in the private lives of individuals can be avoided with a foreseeable legal framework.

Murky legal basis

At the moment it is likely that the gathering of publicly available online information takes place on the legal basis of law enforcement officials’ statutory task description for the investigation of crimes (art. 3 of the Dutch Police Act). This is implied in legislative history (the explanatory memoranda on the Act on special investigative powers and the Computer Crime Act II). Although these acts go back more than 15 years – at a time when the Internet looked very different and social media services were not as popular – this is the only legislative history available. In addition a court in The Hague decided in 2011 that law enforcement officials can make use of Google Earth on the basis of art. 3 Police Act.

However this legislative history and court decision become murky when they explicitly mention that “information cannot be gathered systematically and stored in police systems” upon the basis of art. 3 of the Police Act. When exactly is information gathered systematically about individuals? Is it when a “more or less complete picture of certain aspects of an individual’s private life” is obtained? And then what? What special investigative powers apply? Shouldn’t the investigative activity be part of the task of law enforcement officials, to gather the necessary data they require for a criminal investigation without the application of special investigative powers?

Online observation

When law enforcement officials observe the online behaviours of individuals the special investigative power of ‘systematic observation’ applies. The Dutch legislator suggested at the time that factors such as the duration, place, intensity, frequency and the use of technical devices should be taken into consideration to determine whether the behaviours of individuals are observed ‘systematically’. Still, these abstract factors were originally written for application in the physical world and provide a lot of leeway for law enforcement officials and public prosecutors to decide when application of the special investigative power of systematic observation is required.

Data protection regulations

It is clear however that data protection regulations on the gathering of personal data restrict the investigative activity. Data protection regulations apply as soon as law enforcement officials look for the information on their computers or use an automated data collection system, to gather the information. These regulations thus apply at an earlier stage than when the results of the search are stored in police systems. Earlier research (see for instance this report and this report (in Dutch)) raises questions about how automated data collection systems meet key principles of data protection regulations. Yet these questions remain unanswered by law enforcement authorities and the legislator.

Conclusion

We – the people – require an explanation of how and under which conditions law enforcement authorities gather publicly available online information. Interestingly, in a 2016 master thesis (.pdf in Dutch) an internal procedure on the ‘gathering of data from social media services’ is mentioned. If such a policy indeed exists, but is not made available to the public, the law is not accessible and foreseeable to the individuals involved. For that reason I urge Dutch law enforcement authorities, the Public Prosecution Service and the Dutch legislator to make such a policy public. If such a policy does not exist, a guideline should be developed and published online as soon as possible.

This is a cross-post from LeidenLawBlog.

Criminal procedure and the digital revolution

A digital revolution has taken place for law enforcement authorities. A treasure trove of information is currently publicly available on the Internet. In addition, large amounts of information can be gathered from third parties, such as telecommunication providers, financial institutions and online service providers. Furthermore, law enforcement authorities can analyse every piece of information on seized computers with specialised software. All that information can be combined and processed and thereby provides great investigative potential for law enforcement authorities.

The Dutch legislator is currently seeking to amend (in Dutch) the Dutch Criminal Code of Criminal Procedure (DCCP) and aims to take into account the influence of Information and Communication Technology on police work. However the current plans only take into consideration the gathering of publicly available information and the seizure of computers. Yet these investigation methods are not the full spectrum of digital investigation methods that is available to law enforcement authorities. Remarkably, even the planned amendments to the DCCP to accommodate these two investigation methods – and beef up the safeguards to protect the individuals involved – have now been put on hold or will be further researched to assess their desirability.

‘Open source information’

Publicly available online information provides a powerful tool for surveillance by law enforcement authorities. People willingly post large amounts of personal information about themselves on online forums and social media services. Other individuals can also post information about people on the Internet. In law enforcement terms that information is called ‘open source’ information, i.e. information that anyone can access, purchase, or gather by observation. The thing is that law enforcement officials do not even know themselves under which conditions and to what extent the information can be collected.

Also note that the collected information can be combined with other information collected from third parties and further processed. By use of specialised software an intricate picture of certain aspects of an individual’s life and relationships with other individuals can be obtained. In first instance, the Dutch legislator proposed creating detailed regulations in the DCCP to regulate the investigation method. However the Dutch police do not support this proposal and the Dutch Minister of Security and Justice has now put these plans on hold to assess their desirability.

A warrant for computer searches

The second amendment proposed was for the seizure and subsequent analysis of data stored on computers. The Dutch Minister of Security and Justice acknowledges (p. 83) the serious privacy interference that takes place when computers are seized and suggests that ‘a higher authority’ should authorise the seizure. In my previous blog post I argued that a warrant requirement and mandatory limitation of the scope of the warrant are therefore appropriate safeguards for the seizure of computers. These safeguards can be derived from case law by the European Court of Human Rights regarding computer searches. Yet the Dutch Minister of Security and Justice does not even refer to that case law or current Dutch case law on the subject. Dutch law enforcement authorities fear a significant administrative burden (p. 8) due to proposed changes in legislation. Therefore further research has been announced to investigate the desirability of the amendment. Indeed, a warrant requirement will bring with it more paperwork. Yet it is an important safeguard in protecting individuals from the arbitrary interference of law enforcement authorities in our private lives. Possibly the Dutch Supreme Court will step in and require a warrant for seizing and analysing the contents stored on computers in the meantime.

Concluding remarks

In my view, the proposed Dutch reforms for criminal procedure do not fully appreciate the consequences that technology bring with for criminal investigations. The amount of data that law enforcement authorities can collect and the tools at their disposal to process every piece of that information should not be underestimated. The two proposed amendments are a start in thinking about those consequences and how to regulate digital investigation methods. Therefore it is unfortunate that those amendments will now be put on hold, possibly toned down, and further researched for their desirability.

Arguably, the ambition of updating criminal procedure law to fit the new digital investigation landscape is too ambitious and a separate legislative project is desirable. In addition, it is possible that certain restrictions on investigation methods are better suited for regulation outside criminal procedure. However, in any case, there should be a sense of urgency to accommodate digital investigation methods in our legal framework and provide sufficient safeguards for the individuals involved. To be continued I hope.

This blog post is cross-post from LeidenLawBlog.nl

A warrant requirement for analysing data stored on smartphones?

On 22 April 2015, the Dutch high court of Arnhem-Leeuwarden possibly set a precedent with far-reaching consequences. In this particular criminal case, a law enforcement official seized a smartphone and subsequently read and copied WhatsApp messages stored on the smartphone. The defence successfully argued that the investigation method was in violation of the right to privacy as articulated in art. 8 ECHR. The high court of Arnhem-Leeuwarden agreed and deemed the current regulations not foreseeable.

Currently, as explained in my previous blog post, law enforcement officials can seize a smartphone and examine all data stored on it in the context of a criminal investigation to obtain evidence without any notable legal thresholds. However, the high court points out that smartphones contain “not only access to traffic data, but also the contents of communications and private information of a smartphone user” . Because the analysis of such data severely infringes in the right to privacy, the current regulations for seizing and analysing data stored on smartphones are not adequately regulated according to the court.

Right to privacy and analysis of information on smartphones

Indeed, the European Court of Human Rights (ECtHR) recently decided in the case of Prezhdarovi v Bulgaria that (1) a judicial warrant requirement and (2) a limitation of the scope of the sought after data on computers is preferable when law enforcement authorities seize computers and analyse data stored on computers. Considering the serious privacy infringement that takes place when personal data that is stored on computers is analysed by law enforcement authorities, adequate safeguards in the domestic laws of States should protect the involved individuals against arbitrary interferences of State in their personal lives according to the ECtHR.

The decisions of the high court of Arnhem-Leeuwarden and ECtHR indicate that the Dutch regulations for the seizure of computers such as smartphones require amendments in order to adequately protect the right to privacy. In June 2014, the Dutch Ministry of Security and Justice already suggested that amendments were required for analysing data on computer systems. Yet, these amendments only suggested the legal thresholds of an order of a public prosecutor, whereas the ECtHR seems to prefer a prior review of an investigating judge – i.e., basically a warrant requirement – to analyse data on computer systems.

International trend?

Interestingly, almost a year ago, the U.S. Supreme Court decided in the landmark case of Riley v. California that a judge’s warrant is required in order to seize a smartphone and analyse data stored on a smartphone. The protection of the warrant requirement was deemed appropriate, because: “Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life”.

Obviously, modern cell phones do not contain the ‘privacies of life’ only for Americans. So tell me, does your domestic State law require a warrant to seize computers and analyse data stored on those devices?

This is a cross-post from LeidenLawBlog.nl.

=== Updata ===

My commentary (in Dutch) on the case of 22 April 2015 is available here (in .pdf).

Note that, in the meantime, the Dutch courts of Oost-Brabant and Noord-Holland desmissed the verdict of the high court of Arnhem-Leeuwarden, stating that article 94 of the Dutch Code of Criminal Procedure allows for the seizure of smartphones and subsequent search of data stored on the device.

The court of Amsterdam decided on 18 June 2015 that art. 8 ECHR was not infringed, because law enforcement restricted the search of data stored on the smartphone to  contact details. Thefefore, the search was not deemed disproportionate. Interestingly, other judges of the court of Noord-Holland decided on 4 June 2015 in a different case that seizing a smartphone based on art. 94 DCCP does infringe art. 8 ECHR. Clearly, the courts in the Netherlands are devided on the question whether seizing a smartphone based on art. 94 DCCP infringes art. 8 ECHR. Apparently, the Public Prosecution’s Office went in appeal and the question will be brought  to the Dutch Surpeme Court.

Hacking without a legal basis

In May 2014, the Dutch Public Prosecution Office announced that the Dutch police participated in a global action against ‘Blackshades’ malware. Blackshades enables individuals to remotely take over computers and copy information (among other functionalities). The Dutch press release stated that:

“Team High Tech Crime of the Dutch police saw an opportunity to enter the Blackshades server and secure a large amount of information. The location of the server is unknown”.

This statement implies that Dutch law enforcement authorities entered the server remotely to copy data. Said in other words, Dutch law enforcement authorities hacked a server without knowing the location of the server to secure information. Indeed, recent answers to parliamentary questions confirmed the computer was ‘remotely accessed’(hacked) by law enforcement authorities during the operation in May. In addition, the Dutch Minister of Security of Justice stated in the letter to the Dutch Parliament that art. 125i of the Dutch Code of Criminal Procedural (DCCP) provides for a legal basis to access computer remotely (by hacking) and copy information.

The problem with this letter is that there is arguably no legal basis for hacking in Dutch criminal procedural law. The statement of the Minister of Safety and Justice is in my view worrisome, because a special investigation power is interpreted very broadly by the minister to suit the needs of law enforcement authorities. This undermines a fundamental principle of our criminal law system.

Art. 125i DCCP does not provide a legal basis for hacking

Art. 125i DCCP provides for an ill-understood investigation power that allows law enforcement authorities to search a place in order to secure information stored on computers. The article specifically refers to existing investigation powers for search and seizure at a particular place by law enforcement authorities. Therefore, art. 125i DCCP should always be read in conjunction with the power to search a place, seize a computer and subsequently search data on a computer. In the letter, the minister seems to ignore these explicitly referred to powers of search and seizure at a particular place.

For example, a public prosecutor can seize a computer located at hosting provider and search the data stored on a computer in an effort to secure the sought after data upon the legal basis of art. 125i DCCP jo art. 96c DCCP. These powers for search and seizure are simply different from hacking as an investigation method. The most notable difference between hacking and the search and seizure of computers is that hacking takes place remotely in secret, whereas the search and seizure of computers takes place at a particular place in the presence of witnesses.

There are good reasons to think that the Dutch legal framework to analyse data on computers is outdated. Additionally, there are good reasons why law enforcement authorities feel the need to be able to access computers remotely to acquire information relevant to a criminal investigation. But a key principle and essential to the rule of law is that law enforcement authorities are bound by the law. In my view, as I argued extensively in 2011 and 2013 (in Dutch), Dutch criminal procedural law does not provide for the investigation power to hack computers by law enforcement authorities.

Criminal procedural legality principle

In Dutch criminal procedural law, investigation methods that infringe in the right to privacy in more than a minor way or threaten the integrity of a criminal investigation require detailed regulations. This ‘criminal procedural legality principle’ with regard to the regulation of investigation methods ensures that governmental powers are controlled by the law and prevent arbitrary interferences by the government in the private lives of citizens. The principle also ensures that governmental powers to investigate crime are foreseeable to citizens. In essence, this legality principle harnesses governmental power which is essential to the rule of law.

Therefore, I find it curious our Minister of Security and Justice endorses a broad and highly debatable interpretation of the law to enable law enforcement authorities to hack computers, especially considering that a new legislative proposal is under way which aims to regulate hacking as an investigation power. This ‘Computer Crime Act III’ will be send to the Dutch Parliament in early 2015.

A democratic legislative process is required to provide Dutch law enforcement authorities with the powers that a majority of the elected representatives of the Dutch people find appropriate. Perhaps hacking computers under stringent conditions to allow for evidence gathering activities is desirable as a new investigation power. But in the meantime, the criminal procedural legality principle as a key principle in Dutch criminal procedural law should not be ignored.

This is a cross post from LeidenLawBlog.nl

Reforming the legal regime for search and seizure of computer data

On 6 June 2014, the Dutch Ministry of Security and Justice published several ‘discussion documents’ about reforming Dutch criminal procedural law. Of particular interest to this blog post is the document relating to search and seizure (in Dutch). The authors of this discussion document suggest amending the legislation with regard to the search and seizure of data on computer systems. In my view, that is a very good idea considering the old-fashioned approach we now have towards search and seizure of computer systems.

Computer systems as regular objects

In 1993, the Dutch legislator decided to treat computer systems as regular tangible objects which can be seized and subsequently analysed for evidence gathering purposes in criminal investigations. The reason for this is that data in itself cannot be seized in a criminal investigation, because data can be copied, whereas only tangible ‘goods’ can be taken out of the possession of the owner. Although data cannot be copied, the data carrier can be seized like all other goods. The regular rules for search and seizure of goods are applicable for data carriers (computers). Similar to the seizure of a bloody baseball bat in a murder investigation, computers can be seized and indefinitely analysed for evidence. Such an analysis to ‘ascertain the truth’ of what happened by analysing computer systems in a murder investigation is not far-fetched, as this case shows in which the intent to commit a murder was proven by analysing the search history of the personal computer of the suspect.

Considering the modern software tools which law enforcement authorities can utilise to analyse data on computers, it is easy to imagine that such a search may heavily infringe on an individual’s right to privacy. Perhaps it is time to amend the legislation for search and seizure of computers. Indeed, the authors of the discussion document recognise that “taking knowledge and securing stored e-mail correspondence, photos and videos, personal notes and internet search history” can heavily interfere with the personal lives of the individuals involved. “In comparison”, the authors state, “the seizure of all photo albums, video tapes, is soon deemed disproportional” (see p. 37). Possibly, specialised software can filter out information and thus limit the privacy infringement that occurs.

Location based legal regime

Currently, which conditions apply for the seizure of computers and subsequent analysis of data depends on the location at which the computer is located. If the computer is located (a) on public streets or a vehicle, law enforcement officials can seize the computer, (b) in an office building, a public prosecutor can give the order to seize a computer and (c) in a residence, an order from a public prosecutor and a warrant from an examining judge is required (leaving out exceptions to these rules). One could wonder: is this differentiation correct? Does a different privacy infringement occur when the information on a computer is analysed, depending on the location at which the computer is seized? I think not. I think in all circumstances a serious infringement of the right to privacy occurs when computers are seized and individuals must be adequately protected against the arbitrary interference of the government in their private lives.

How to deal with privileged communications, chain of custody, etc.

The discussion document also raises other important issues relating to the search and seizure of computers systems. The authors rightfully point out that regulations are possibly required to make sure that (a) privileged communications cannot be accessed by law enforcement officials, (b) the regulations for the seizing of letters also applies to digital communications and (c) more attention is required for the regulations regarding the ‘chain of custody’ when data is analysed (see p. 42-49). Clearly, digital forensic investigators can also contribute to better regulations for the search and seizure of computer data in criminal investigations.

Hopefully, we will soon be able to read more observations regarding the discussion documents online, in order to further the debate about the necessary reforms in criminal procedure law!

This is a cross post from LeidenLawBlog.nl

————

Update

Days after this blog post first appeared, the U.S. Surpreme Court  decided in Florida vs Riley that a warrant was required to search a modern cell phone. The Surpreme Court noted: “Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life”.”. See this New York Times article for more information about the Riley case.

Perhaps inspired by the Riley decision, Dutch Parliamentary Members soon proclaimed that a warrant for a house search should be required to search phones in the Netherlands. Probably the warrant would be extended for different types of computers as well. Parliamentary Member Jeroen Recourt elaborated in an interview that the announced reforms of the Dutch Criminal Procedure Code may provide a good opportunity to better protect the confidentially and integrity of mobile phones. Note however, how he also left open the option the data on a computer can be searched after an order of a public prosecutor.