Privacy First comments on Computer Crime III bill (police hacking law)
Tomorrow afternoon, the House of Representatives will debate the Computer Crime III bill with State Secretary Dijkhoff (Security and Justice). Under this bill, Dutch investigative services (including the police) are given the power to remotely hack the computer systems of suspects. Today, Privacy First sent the letter below to MPs about this. Click HERE for the earlier letter on this bill, which Privacy First already sent to the House of Representatives at the beginning of this year.
Tomorrow, you will debate with State Secretary Dijkhoff about his controversial Computer Crime III bill. Prior to the critical hearing on this bill on 11 February 2016, you received a letter from Privacy First with our comments on this bill. The content of that letter still applies in full. Following the State Secretary's recent Note on the bill, we hereby send you our additional comments.
Necessity and proportionality still unproven
In his attempt to argue for the required necessity and proportionality of the bill, the State Secretary again gets stuck in a vague story that smacks of technological determinism. Indeed, the State Secretary is guided mainly by technological possibilities rather than by the classic achievements of our free democratic constitutional state. In the current phase of the parliamentary debate, the necessity and proportionality of the bill have still only been asserted by the State Secretary, never demonstrated. Any quantification is still lacking or points to the introduction of completely disproportionate powers. The bill should therefore be rejected for violating the international law requirement of necessity and proportionality under Article 8 of the European Convention on Human Rights (ECHR).
No abuse of software vulnerabilities
Should your House unexpectedly decide to approve the bill, Privacy First considers it unacceptable that the Dutch government would want to use (and thus abuse) new or unknown vulnerabilities in software to covertly access data. Such policies actively jeopardise the integrity and security of the entire Dutch information society. Privacy First therefore calls on your House to unanimously support the current relevant amendment by D66, GroenLinks and SP and to actively ensure that the Dutch government will not use vulnerabilities in software for hacking purposes.
Admittedly, the powers in the bill now seem primarily limited to equipment belonging to suspects of serious crimes (and thus, in principle, not to equipment belonging to innocent citizens with whom suspects are in contact). However, history shows that over time, these types of powers are always expanded. Through the creeping shift of purposes (function creep), it will therefore only be a matter of time before the hacking powers in the current bill are used for the investigation and prosecution of all kinds of criminal offences. The current bill already provides ample scope for this, as the list of offences to which the new powers will apply can easily be extended by Order in Council rather than by formal legislative amendment. In this sense, this bill is a typical example of function creep by legal design. This function creep is best prevented by rejecting the current bill, or by unanimously supporting the relevant amendment by D66 and taking legislative measures to contain any form of extra-parliamentary function creep.
Car hacking and stopping
Earlier this year, this bill caused great public unrest because it leaves every scope for remotely hacking and immobilising cars. Privacy First knows from a reliable source that this possibility is actively envisaged in police circles. The risks of this to road safety (including that of innocent occupants and bystanders) are enormous. The same applies to the hacking, intentional or otherwise, of computers in hospitals, industry, vital infrastructure, pacemakers, medical wearables, etc. The bill does not impose any restrictions in this regard and the State Secretary leaves these thorny issues virtually unaddressed. It is therefore up to your House to put this in order after all by simply banning such use of hacking powers.
Framing of suspects
Privacy First is deeply troubled by the following admission by the secretary of state:
"In theory, it is possible for an investigating officer to put data on a device that the suspect did not put on the device himself. On this point, the situation in the digital world does not differ from the analogue domain. During a search of a house, narcotics can be placed in a cupboard and during the search of a vehicle, weapons can be placed in the boot."
Privacy First hereby calls on your House to ensure that citizens have the best possible legal, organisational and technical protection against such framing practices, to the extent that this is not already the case under existing penal provisions, policies and techniques.
Thorough review by supervisory judge
Privacy First asks your House to urge the State Secretary to ensure that the magistrate judge's prior authorisation for the deployment of powers can always be carried out with the utmost care and thoroughness. Under no circumstances should there be superficial rubber-stamping due to operational pressures or a lack of time and knowledge in the judiciary. To this end, the State Secretary should ensure that the judiciary will always be able to perform these tasks to the best of its ability.
Possible lawsuit Privacy First
Should the current bill be passed unchanged, Privacy First reserves the right to have this bill, once in force, reviewed by the courts and declared unlawful.
For further information or questions regarding the above, Privacy First can be reached at any time on telephone number 020-8100279 or by email: email@example.com.
Privacy First Foundation
 Note following the report, Parliamentary Papers II, 2016-2017, 34372, no. 6.
 Parliamentary Papers II, 2016-2017, 34372, no. 11.
 Parliamentary Papers II, 2016-2017, 34372, no. 9.
 See for example 'Fear of hacking car on highway', Telegraph 11 February 2016, p. 10.
 Note following the report, Parliamentary Papers II, 2016-2017, 34372, no. 6, p. 52.
Update 14 December 2016: during yesterday's parliamentary debate (which lasted until late in the evening), many of the above issues were critically discussed. Click HERE to watch the entire debate, HERE for the verbatim report and HERE for the current list of proposed amendments. The vote on the bill is tentatively scheduled for Tuesday afternoon, 20 December.
Update 20 December 2016: today, the Lower House unfortunately passed the bill in almost unchanged form. VVD, CDA, PvdA, SGP and ChristenUnie voted in favour. D66, GroenLinks, SP, PvdD and PVV voted against. Click HERE for the voting record. The amendments not to exploit vulnerabilities in software (no. 13), to contain function creep (no. 21), to exclude certain equipment from the operation of the bill (no. 20) and a motion on hacking software (no. 22) were unfortunately all rejected. Remarkably, on several occasions Labour MP Oosenbrug independently (and quite rightly) voted in favour of privacy-friendly legislative and policy changes, contrary to the position of her own party. In Privacy First's view, this MP's good example deserves to be widely imitated. Incidentally, the PvdA party did submit a 'compromise motion', which was adopted by a large majority:
"having heard the deliberations,
noting that under the present bill, investigative agencies are allowed to exploit vulnerabilities in computerised works;
believes that the government should promote the security and integrity of automated works, such as by promoting responsible disclosure and encouraging third parties to search for vulnerabilities at the invitation of software or hardware manufacturers;
Calls on the government to ensure that investigative agencies will deploy unknown vulnerabilities or software using them only in extreme cases,
and proceed to the order of business."
It is now up to the Senate to either reject the bill soon or correct the House of Representatives on the above points.