Police want to be able to hack all computers
Today, a important hearing place on the bill Computer crime III. In this context, Privacy First provided critical input to relevant MPs yesterday. Some passages from our letter appeared in The Telegraph this morning, click HERE. Below is the full text of our letter (click HERE for the original version in pdf):
Honourable members of the House of Representatives,
A hearing on the bill will take place tomorrow Computer crime III. This bill risks making the government itself the biggest cybercriminal. Privacy First briefly explains why below.
Under the bill, the police will have the power to hack virtually any computer connected to the internet, including smartphones, televisions, cameras, car navigation, on-board computers, medical systems, etc. etc. The police even want to pacemakers can hack, according to p. 86 of the Explanatory memorandum to the bill. No device is excluded. Only condition seems to be that the device in question is connected to the internet. With the 'Internet of Things' in sight (where virtually all of society can be connected to the internet, right down to sports shoes and refrigerators), this power is downright totalitarian. It will therefore only be a matter of time before the hacking powers in this bill are used and abused for all sorts of unforeseen purposes. The current bill does not restrict this at all and, on the contrary, allows ample scope for it. On this basis alone, the bill should be rejected.
Disaster by legal design
In police circles, target shifting (function creep) embedded in this bill was precisely intended, Privacy First knows from a reliable source. For example, to be able to hack and stop cars remotely (remote police trap). Technically, this is perfectly possible and the bill does not prohibit it. However, the risks of this for road safety (especially also of innocent occupants and bystanders) are enormous. The same applies to computers in hospitals, industry, critical infrastructure, etc. Why does the bill not impose any restrictions in this regard?
The international law required "social necessity" and proportionality of this bill are far from the case, as even the usually accommodating Personal Data Protection Board (now Personal Data Authority) rightly stated in early 2014. Subsequently, this controversial bill lay dormant for several years, but now suddenly seems to be rushed through the Lower House. Why the sudden rush?
Every citizen outlawed
By this bill, everyone's computer, tablet, smartphone etc. (even abroad!) will be declared outlawed. Indeed, the hacking power in the bill is not limited to the equipment of suspects, but also to connected equipment of innocent, unsuspecting citizens. Every citizen as a potential target of government. Had we not just learned in recent years that this is not a salutary path for a democratic rule of law?
The Netherlands is currently at a crossroads. What example do we want to be for the rest of the world? Our country has all the prerequisites to make the Netherlands a secure Privacy Guide Country. However, the current bill is a typical building block for a police state, not for a democratic rule of law based on freedom and trust. During the internet consultation of an earlier version of this bill in 2013, Privacy First raised this also stated. Apart from the subsequent removal of the decryption order from the bill, it is sad to note that little has changed since then. Privacy First advocates privacy by design, not only through technology, but also through privacy-friendly laws and policies. Through this bill, however, the government gains from suboptimal government-crackable ICT security. In doing so, the government is setting course for a society in which everyone's privacy becomes illusory.
Privacy Impact Assessment missing
Still this bill does not include a thorough and independent Privacy Impact Assessment (PIA). The associated "PIA" is nothing more than a superficial checklist and is not worthy of the term PIA. Even the privacy paragraph in the Explanatory Memorandum is paper-thin and only meant to legitimise the bill. Moreover, given the security risks of this bill, a Security Impact Assessment is obvious. Therefore, at this state of affairs, Privacy First cannot take this bill seriously at all.
Second Chamber to move
Should the current bill pass both Houses unamended, Privacy First will not hesitate to have it declared unlawful by the courts. It is now up to the Lower House not to let it come to that.