Panel discussion with:
- Ronald Prins – CEO & Co-Founder, Fox-IT (Chairman)
- Bart Jacobs – Professor, Radboud University Nijmegen and chairman of Bits of Freedom
- Peter Zinn – Dutch National Police
- Troels Oerting – Head of European Cybercrime Centre (EC3), Europol
Hacking back as a law enforcement role is a much-debated topic. The Netherlands is the first country to develop specific legislation. The underlying problem is that in cyberspace criminals have more capabilities than law enforcement. Often investigations are hampered by cross-border collaboration and jurisdiction issues. This session explores the issues.
What is hacking back? In the view of Ronald, it is the police using online hacking to tackle illegal activities.
The discussion is politically charged, because this is going to be debated in the Dutch parliament soon.
Peter, why is it important for the police to have hacking capabilities?
We don’t call it hacking, we call it legal intrusion, but we do use the same techniques that hackers do. Technically, it is already possible; legally it is forbidden. This is a legal discussion. Laws should be able to keep up with technology. Where did we stretch the law in the past? LeaseWeb was informed that there was a Bredolab C&C server cluster on their network. With permission from the judge, we were able to take over the botnet and find the criminal in question and he is now in custody in Armenia. We also did it with Robert M., one of the worst child molesters in the world. We hacked his computer to find out who his associates were, which has led to numerous arrests around the world. We got permission to hack child pornography to bring these sites down. The worst site of them all was so well protected that we could not hack it, but using the admin password we could also bring it down. These cases could not be solved without legal intrusion.
Bart, what are your issues with hacking back, with regards to privacy?
Not everything that is technically possible should be done. This is a deliberate choice, like building nuclear weapons. Hacking back is a misnomer, because it draws a picture of the police being with their back against the wall. I propose lawful intrusion as well. Computer intrusion is clearly forbidden by law, so new law is needed. I’m concerned by the privacy aspect, but I’m more concerned about the difficult distinction between active and passive investigation when a computer has been lawfully intruded. It is e.g. difficult to prove that the police has not planted evidence. We should really reconsider this, because this may harm the integrity of the whole legal process. How can a civilian be sure that the police does not change the content of a computer?
Troels, why isn’t international cooperation sufficient?
There is a difference between normal and “cyber” policing. The first police was local. When borders disappeared this was compensated by things like Europol and the Schengen database. Physical crime has the advantage of being physical and thus allows a normal policeman to do the normal police work on site. There are now billions of people that can go online; the criminally inclined of them do not have to travel, do not have to cross the borders to commit crimes against their fellow citizens.
In the physical world, you can be detained and physically searched, including your house and the stuff in it, and we allow police to use physical and sometimes even lethal force, all legally. We do not have such powers in the online world and we can sometimes not even reach the police of a country to help police from other countries.
Police cooperation is excellent within the EU, but when you cross the EU border cooperation goes poorly.
Do we have a choice? Is not allowing legal intrusion an option?
Bart: In my opinion the police should only have the power to do intrusion in order to disrupt, not to collect evidence. I think that for evidence obtained during such an intrusion, it is very hard to prove that the evidence is not planted.
Audience question: What is a disruption? Is it just DDoS-ing the server? Aren’t you breaking laws of other countries doing so?
Peter: No country would pass a law that would allow police to intrude a computer that is not in country. It is just too complicated from a legal perspective.
Bart: Let’s say you hack into a computer via TOR, so you don’t know where it is. Should you then stop as soon as you find out where it is located?
Peter: Yes, you should. But we are always accused of planting evidence. We have processes around this for physical searches that we also need to apply to cyber searches.
Bart: It is not a personal trust issue, I am also worried that the police might blemish their good reputation in The Netherlands. For physical searches a judge has to be present to avoid planted evidence; this is very hard to do for cyber intrusions.
Audience: Aren’t electronic logs easy to tamper with? Isn’t it like the NSA we should just trust?
Troels: Normal police work is different from intelligence work. We work transparently. In police work we are allowed to pass borders in hot pursuit in the Schengen treaty. If the police doesn’t provide this service, commercial companies will offer this service to the highest bidder.
Audience: Is it within the authorization to change configurations or run programs on it?
Peter: No, we are not allowed.
Audience: Do you use commercially available surveillance malware/zero days/etc?
Peter: No, in those two cases we didn’t buy anything. If the law is passed we should use tested and accepted methods.
Audience: Bart, the police could get in a strange situation, but they don’t seem to care. What about privacy?
Bart: Yes, I see privacy as a big concern I didn’t elaborate.
Ronald: What do other countries think about the Dutch police doing lawful interception? Will the first officer hacking into a computer abroad be arrested?
Troels: The Dutch police will miss out if they will only hack computers in country. If it is a computer in a friendly country, he should work via the normal route, but what if it is not a friendly country, should we just stop then or should we still go in hot pursuit? This requires a big international discussion. We give away privacy and trade it for certain safety. We need to balance the right to be forgotten and a reason to be remembered.
Audience: Isn’t there a difference between being searched at airports and being searched all the time on my laptop?
Troels: The police should work in the open unless a judge allows an undercover operation. I think we will be the last generation that will have a choice to remain private.
Ron: Peter, what type of cases and how often do you foresee the police will be using this? Will it be narrowed to cybercrime cases?
Peter: Police has less power to search than an average citizen when there is no suspect and more power when there is a suspect. Current thinking is that we can only use these powers in severe cases, e.g. when there is a punishment of more than x years. It is our natural inclination to use a method when it is available.
Bart: Intruding on personal devices like phones is more intrusive than a phone tap, which can only be used in limited cases. There is a danger of a slippery slope; this may be used quite often quite quickly. When phone tapping was introduced it was said that the power would be hardly ever used. Now The Netherlands is percentage wise the biggest phone tapper in the world. Hacking is nice, comfortable and less boring than e.g. a stake-out, so there will be pressure to use this in other cases as well. The current proposal does not restrict this to cybercrime, but allows use to solve any crime.
Ron: How should we describe the allowed use cases for lawful intrusion?
Bart: I do not see a good method to restrict this to certain types of cases. E.g. not all cases end up in front of a judge, and how well does the legal process discover these methods? Silent SMS was used six years before it was finally discovered in a trial.