Cops should be allowed to hack into computers, police officials say

A panel at RSA Europe debated a proposed Dutch police hacking law

Law enforcement agencies should be allowed to hack into computers to identify cybercriminals and collect evidence, representatives from Europol and the Dutch National Police argued in front of a room full of security professionals at the RSA Europe security conference in Amsterdam.

The Dutch parliament is expected to start debating a legislative proposal introduced earlier this year that would give the Dutch police the right to break into computers to investigate crimes, gather evidence and even take disruptive measures to stop crimes in progress.

"We don't call it hacking, and we definitely don't call it hacking back, because we won't be waiting until we are hacked," said Peter Zinn, a senior cybercrime adviser for the Dutch National High Tech Crime Unit (NHTCU), during the Wednesday panel, "Hacking Back as a Law Enforcement Role." The more appropriate term would be "lawful intrusion," he said.

The technological methods used for such intrusions would be the same ones used by hackers, but the police would do this legally, he said.

The laws should keep pace with technology and law enforcement agencies should have, under strict conditions, the ability to lawfully intrude on computers, Zinn said. There have already been two cases in the Netherlands where existing laws were stretched to allow for this type of action, he said.

In one case, the Dutch police obtained a court order to take control of some computers at hosting provider LeaseWeb and reconstruct the command-and-control panel for the Bredolab botnet, an action that eventually led to the identification of the botnet's creator and his arrest in Armenia in 2010. In the other case, police obtained permission from a judge to hack into a large child pornography website that was only accessible through the Tor network in order to bring it down.

"Without having the possibility to use these methods, we wouldn't have been able to solve those cases," Zinn said.

During the same discussion, Troels Oerting, the head of the European Cybercrime Centre (EC3) at Europol, also argued that police should receive computer intrusion powers.

There are fundamental differences between how the police will have to fight cybercrime and how they fight traditional crime, Oerting said. In the case of traditional crime, old-fashioned police work is effective because there's a crime scene and a perpetrator who had to be there in order to carry out the crime, he said.

Cybercriminals don't have to travel, they don't have to cross any borders, and they conduct their crimes against multiple victims while hidden abroad, Oerting said. "So the police cannot use the normal ways of obtaining evidence as it used to."

In the physical world, a police officer has the power to detain suspects for 24 hours, search their bodies for evidence, search their houses for evidence, use violence against suspects if they don't comply with orders and even shoot them in certain circumstances, Oerting said. "We accept this because we have a transparent system, we have rules and we have the rule of law."

Why is it, then, that if they do some of those same things on a computer, it suddenly becomes such a big privacy issue and those actions should be banned? he asked. "I think that we need to have a balance between privacy, which I think we should respect, and anonymity, which I think is dangerous."

Lawful interception and intrusion, done in a very strict and transparent manner, will be necessary because in many cases cybercriminals will not be from neighboring countries and may not even be from the European Union, Oerting said. "They will be from areas where it will be very hard to gather evidence from, and we might not even be able to call the police force that has the capacity to help us."

Oerting warned against drawing comparisons between the alleged hacking activities of national intelligence agencies such as the U.S. National Security Agency and lawful intrusions conducted by the police, arguing that unlike intelligence services, police forces operate in a much more transparent manner and have better oversight.

Bart Jacobs, a professor of computer security at Radboud University Nijmegen and member of the Dutch National Cybersecurity Council, told the panel he is concerned about the privacy implications of the Dutch legislative proposal, but more fundamentally about how it will affect the integrity of the legal process.

Police should follow technological advances, but not everything that is technologically possible should be done by a technologically advanced society, he said. "For example, in the Netherlands we have the technological capability to build nuclear weapons, but we choose not to do it."

If police officers enter someone's computer, the distinction between passive and active actions they take on that computer is difficult to draw, Jacobs said. Every lawyer defending a suspect accused of a crime based on evidence obtained through such lawful computer intrusion could argue that the evidence was planted there, and it would be difficult for the police to defend themselves against such accusations, he said.

When police are doing roadside checks for speeding cars, those are passive measurements, but when they intrude into a computer, they can do whatever they want, Jacobs said. "Theoretically, by simply being on a computer, you've changed the log files, so that's no longer passive."

"We should think hard about this before we go down this road, because it will complicate the legal process in a very serious way," he said.

Jacobs also had doubts that the Dutch law would only be used for serious cases, especially since the proposal does not restrict the use of such powers to cybercrime investigations.

There's a danger that it will be used very often, and there are historical examples of this happening with other powers granted to the police, Jacobs said. When a law allowing phone tapping was first introduced and debated in the Dutch parliament, the government argued it would hardly ever be used, but today the Netherlands is one of the most active phone tappers in the world, he said.

When asked about the implications of Dutch police officers breaking the laws of foreign countries by hacking into computers located there, Zinn said the Dutch proposal limits the lawful intrusion powers to computers located in the Netherlands and computers whose locations cannot be determined.

If it's determined that a computer is located in another country, the lawful intrusion should not take place, he said.

Oerting was more supportive of the idea of cross-border computer intrusion conducted by law enforcement agencies, saying there are already similar agreements in the physical world. The Schengen Area agreement, an agreement among 25 European countries that abolishes passport and immigration control at their common borders, allows police officers from one country to follow suspects into another country while in hot pursuit, he said.

However, there are also questions about the implications of this law when considering that cybercriminals often use compromised computers to launch attacks.

For example, if during a lawful intrusion the police discover evidence of an unrelated crime possibly conducted by the compromised computer's owner, not by the cybercriminal they were investigating, would they use it to launch a separate investigation? According to Zinn, that might be possible.


Stories by Lucian Constantin
