> In the new situation, hacking, targeted interception and data access operations get an automatic extension beyond the actual target of the warrant. If a warrant is requested to intercept the communications of a specific hacking organization, the warrant now also extends to victims of this hacking group. Or, more concretely, if your computer gets hacked by group X and there was a warrant to intercept the traffic of group X, the Dutch services now gain automatic approval to also intercept your communications or hack you.
I guess I can see that being useful occasionally, but it also seems ripe for abuse. Just plant a mole in a hacker organisation of your choice, get a warrant against them, and now you can have your mole hack whoever you like, giving you the automatic right to hack them and intercept their communications
How about asking the hacked person for permission to access their (other?) communications to prosecute the hacker? Too simple? Doesn't scale automatically? But if the latter is the case, it's not something to be used sparingly.
This seems like a better check on the authoritative power imo. It can come with gag orders and so on. But no free citizen's property should be seized without explicit permission or extreme circumstances. But I don't know if the Dutch has anything similar to the US's 4th amendment (against unreasonable search an seizures). I'd still argue that you're not free if the government can just seize your things when you have not broken any law, and don't feel like that's a high bar. And we all know Goodhart, so I'm sure someone will exploit this like the parent suggested.
> I'd still argue that you're not free if the government can just seize your things when you have not broken any law, and don't feel like that's a high bar.
I was wondering how this would fit if an entity like equifax wanted to hide a data breach. However, reading your statement again, failure to report a security breach is unlawful in all fifty states as far as I can tell from a Google search (I anal, I don't know the law) so I'd imagine EU laws would be at least as strong as this.
Those are not really a thing in the EU (at least, not for regular police)
> you're not free if the government can just seize your things when you have not broken any law
This is something that can and does happen in the Netherlands, f.e. when the government feels they need to destroy your apartment and build a new one (as part of gentrification, generally). They are tangentially required to get you replacement housing, but not at the same price or in a similar location. Thus, not in any practical sense. If they cannot find this for you they will still kick you out and where you will live after is your problem.
Thank you. I'm actually a bit surprised how close some of these read to US amendments.
Though reading Article 8 -- Right to respect for private and family life -- I'm not sure if this matters IANAL
> 2. There shall be no interference by a public authority with the
exercise of this right __except such as is in accordance with the
law__ and is necessary in a democratic society __in the interests of
national security, public safety__ or the economic well-being of the
country, for the prevention of disorder or crime, for the protection
of health or morals, or for the protection of the rights and freedoms
of others
That feels like as long as it is the law then it doesn't violate Article 8. Seems that saying it is for public safety is also another way to get around this. I also noticed this in Article 11 (right to assembly) and some others. Not being a lawyer, these seem pretty non-binding.
Yes, unfortunately there's the potential exception you see. The European interpretation of rights is that they're balanced against each other, as opposed to absolute.
The good news is that “necessary in a democratic society” is a high bar. Thankfully there have been several successful challenges to government mass surveillance in the past, under this Article.
Unfortunately, proposals like this keep coming back, and you never know what way a court will rule.
> That should not be allowed. Police should give discloser.
This obviously cannot be a boundary condition for policing; it's adversarial. The question is whether this balances public needs against private rights. My gut feeling is the extensions should require court approval or disclosure.
It is an adversarial game. The hackers could plant fake victims as monitors for police activities. This is an important reason why the police can't disclose to the victims that they were hacked or how they were hacked. However, I think we could at least make the laws such that the police can disclose certain information upon request post mortem. Absolutely not during investigation.
This doesn't scale. The fbi has tried for years to cooperatively remediate US businesses who have been hacked. And not just carders, although those too- but actual apts pursuing national security goals. And the frank news is that these businesses do not care. It isnt their responsibility, and they do have responsibilities.
The infosec goobers on HN are about 5 years behind the times. Since about Obama (when the fbi started doing this in the us) it's been clear that the whole name/shame won't cause orgs to do better. Publishing active proof of concepts for exploits will not cause orgs to patch. It will take national legislation giving people federal-pound-me-in-ass-prison to get them to enforce cybersecurity.
I'll take it a few steps further than you. Legislation won't fix it. Until the military is authorized to start up a new branch of the military to redteam corporations, nothing will ever change. If they don't patch immediately, throw the entire C-suite in Gitmo under suspicion of being enemy combatants.
Does that sound hyperbolic? It really shouldn't. These negligent corporate parasites are by far the greatest national security threat we've ever faced. bin Laden couldn't have dreamed of doing as much damage to the US as they have. China will hand us our asses on a silver platter if we ever go to war with them, because these rootless global capitalists have betrayed their country with every budget they've approved with 100x more given to stock buybacks than infosec. Taiwan better start reading Mao's little red book, because we don't stand a chance.
Throwing the CISO in prison because the CEO/CFO won't fund infused isn't going to change anything. It's just going to make it so no qualified person will ever take the CISO fall-guy position, only exacerbating the problem further. It's not the CISO's fault.
I don't believe professional engineers are held liable for a legacy bridge that they can't get funding to repair, or a project that was built in violation of their specifications by a corrupt contractor. They're only held liable when the engineering work is flawed.
It doesn't actually. It just means construction becomes extremely slow and backwards because engineering subcontracting firms now send unlimited amounts of construction delay notices to cover their asses when things are wrong and then ultimately still building the wrong and outdated things and leaving it up to the auditors later to fail the audit review to allow people into the building.
So if your goal is to not have people die, you accomplished your mission, but if your goal was to make the project owner be responsible not to fuck up you still failed.
What you've described is essentially China, so no I can't agree with you. I can't imagine ever wanting to live in that world, but if you do it's never been cheaper to fly across the world.
The only similarity is that China holds corporate executives accountable. The idea isn't to backdoor every company like the CCP or the NSA and leave them sitting ducks, it's to make them close the backdoors.
The country I'd point to for inspiration on this is actually Israel, a country even less deserving of praise than China in my opinion, but hey, good ideas can come from bad places. There's tight integration between the Israeli private cybersecurity sector and the Israeli military. Israel had a very prosperous tech industry, at least until the present constitutional crisis. The IDF trains cyber soldiers for four years, then the private sector hires them.
You can't solve the cyber warfare problem without the military. Capitalism is structurally incapable of doing it alone, any more than Detroit's manufacturing plants could've defeated Japan without the military nationalizing them. Cyber policies and products without the military's direct involvement is like guns without bullets.
Whis is why laws like the GDPR exist. That doesn't mean you need to allow domestic intelligence agencies to rife through victims' pockets and see what they can find.
I don't know what you think you're referring to. The police are absolutely empowered to break down your door and stop a crime if they have cause to think one is happening. That ship sailed long ago, and generally agreed for the better.
If you read, God forbid, what's happening it is not materially different than the fbi saying "hey there's a domestic, let's go and break it up." Even if the door is locked they're allowed in.
Useful occasionally, without doubt.. but the abuse potential, blown proportionality, and then these legislations always only know one way. Its never about that this wouldn't be useful to the utopian goods vs the criminals. :/
That example seems a little contrived, when with the legislation used for interception is broad enough to just got after the actual target straight away. Seems a long way for a shortcut, so to speak.
The fear in this regard is more about overreach and stalking by officers twisting the law for their own agenda. Dunno whenever that's a widespread issue with the Dutch police.
As an example: It's doubtful they could get a warrent for their neighbors girlfriend, but now they've got another legal way in.
It remains to be seen wherever that's actually going to happen though.
> Dunno whenever that's a widespread issue with the Dutch police.
Every police force has issue with abuse of power and the Dutch are no different. As always, it is the worst in the margins and so hard to get a picture of how bad it is in an empirical way.
I don't believe it's wide spread but exactly that is possible with the Dutch government and without any consequences.
I lived next door to one of their targets from a drug investigation. The other neighbor was involved and for the next 10 years the other neighbor was allowed to commit all manner of criminal offenses against me and stalk me and the government protected him. They protected him all the way to the courts and then the prosecutor lied in court. I filed criminal charges with the police against him for obstruction of justice. A year later it was dismissed, I filed an appeal to the attorney general and it was dismissed again. The evidence I had against him was overwhelming they simply will not prosecuted a prosecutor in the Netherlands or obstruction of justice.
The laws for using civilians in investigations here forbid the use without having a contract upfront, the civilian is not allowed to commit any crimes. However, none of that matters cause there's no effective control and absolutely no consequences. The laws and their guidelines are just bullshit for the public to read and think that it's all under control.
The Dutch government were envious of what organized crime could do and now the government is organized crime. And yes, completely innocent, non crime involved citizens can become victims of this.
How is that easier for law enforcement than just hacking the targets anyways? It's way more steps that can go wrong and way more people who could blab about your operation.
Contrary to common opinion here I think this is a small thing. The way these things work in the Netherlands, an intelligence agency would currently not intercept any communication from a "stepping stone" hacked by a criminal organisation, because it would be outside the scope of their warrant. That's a stupid limitation to have because it's very common to perform attacks from other hacked machines and not your own. (And for the bad guy's connection to such a server to be encrypted and useless to intercept)
What's a bit bigger in this thing is that they would be allowed to actively hack into such a machine themselves instead of just intercepting communications. However that has to be proportional with extra emphasis on the rights of the non-target. That practically means they can only do it in severe cases and not to get information on the non-target.
Those suggesting this could be used to "just" hack random citizens are exaggerating. That would not be accepted by the oversight agencies.
> Those suggesting this could be used to "just" hack random citizens are exaggerating. That would not be accepted by the oversight agencies.
In most countries, good governance is considered to be writing laws in such a way that abuse by the government is a violation of the written word of the law, not merely in opposition to its spirit or intent as interpreted by the government's own agencies.
Such things are easier said than done. Humans aren't computers. They have far more behaviors, and infinite corner cases. Writing laws that cover all of them is incredibly difficult, and as soon as you do something pops up that you didn't anticipate.
It's the reason all of your license agreements and other contracts are so long. Every phrase and sentence is there because something went wrong.
It doesn't let them off the hook for the fact that legislatures often do badly. But even with the best of intentions and the best skill things are still never as thorough as a programmer would like them to be, because programming people is way harder.
> They have far more behaviors, and infinite corner cases. Writing laws that cover all of them is incredibly difficult, and as soon as you do something pops up that you didn't anticipate.
Pretty irrelevant in this case, where we're talking about easy, obvious ways to abuse this rule. Your "it's all so complicated" argument relies on ignoring the substance of the objections to making ones victimization an opportunity to reduce their civil rights, and moving into generalization and vague abstraction.
This paragraph captures the crux of the problem for me:
> In addition, whereas previously there was an elevated standard for applying powers to non-targets, there is now actually a vastly reduced standard compared to actual targets. The ex-ante regulator TIB will need to be convinced that it is proportional to target organization X. However, any non-targets now no longer benefit from an elevated standard. The non-targets in fact benefit from no standards at all anymore.
They're going from a situation where it was considered an extreme measure to get a warrant to break into a victim's machine to a situation where it's now a given that all victims of the target organization are themselves targets unless the oversight body takes affirmative action to deny it in a specific case. If the concern were just about red tape, it would make more sense to remove the special protections that victims previously had and allow the warrant to be extended through the regular warrant process.
This automatic extension solution is a problem because it treats the rights of the victims as lesser than the rights of the suspected criminals. It treats them as collateral damage that can be safely ignored unless someone from higher up specifically decides it's a problem.
> because it would be outside the scope of their warrant.
And? Unless the scope of the warrant is immutable then what's the issue? It might be a bit slower to get the scope extended or get the victim's consent, but it seems far less abusable of a situation. It appears as a big deal to me because it is part of authoritative creep. Authoritarian powers don't come out of democracies overnight, but rather because the pathway to hell is paved with good intentions that are abused. The whole point of democracy is to distribute power and set up significant speedbumps for someone to agglomerate control. Things may seem small, but a few small things can form a big thing. If we just say that it is small in each of those situations, then the big thing happens unnoticed. The better question is how ripe a power is for abuse and what could an abuser do with such power. This is far more important than intent or even the size of the matter.
When the intelligence agencies will eventually abuse the law and lose their goodwill, the law will stay there and you will get nothing in return for your trust.
First of all you are assuming that the laws themselves are obeyed by the government in the Netherlands. They are not. All of the written guidelines are simply ignored. No one checks that they obey them and no one can getting any consequences applied to the violation of them.
The Dutch government is in a race to the bottom with respect to human rights over the last 20 years. It started around 2005, 4x years ago what was called the IRT affaire scandal in which the government themselves had become the biggest drug imported in Europe.
After then was discovered and cause a media fallout, 4 years later they started again but using a new approach in which they spread the blame and make it even harder to become accountable. In 2006, the councils started signing documents like the "Integrated approach to dealing with hennep plantations" in which they centralized the control of the intelligence, but spread the blame and the actions associated with this across the police, the council, the tax department and now there are about 9 partners or so.
This became so successful in their eyes that they formalized this at the end of 2008 and formed the RIEC, which stands for regional information and expertise centrum, which is an intelligence agency that is formed with a human representative so you cannot legally take this organisation to court under Dutch law and this organization does it's dirty work through it's parters, the police, council, tax department etc.
In addition, they expanded the scope of what they do. They no longer just find evidence and convict. Now they are able to "Interfere" with who they claim is involved with organised crime. And they are no limits to what interference means and there's no evidence required to do this, simple what's called "A reasonable suspicion". i.e. nothing.
Then in 2020 they changed to the law so that any one that works in a job that has an obligation to secrecy cannot be found guilty of perjury. They example they came at the time was "For example, a lawyer has an obligation to secrecy for his client". However, that was just a smoke screen. What they did was make it so that everyone in government now can lie in court under oath and not be prosecuted. Including prosecutors themselves. And if you don't believe this I've seen a document written by the attorney general in which he quite plainly states that a prosecutor cannnot be found guilty of perjury.
And believe me, even in places like the UK of the US prosecutors can be found guilty of obstruction of justice. Not in the Netherlands.
By allowing prosecutors and any government official to lie in court, they have effectively simply made all of the court proceedings in the Netherlands be a shame. As there is zero integrity. Clearly this also includes the international criminal court. It's located in the Netherlands after all.
Lots of typos in my text above sorry for that. But an important one, the RIEC is formed WITHOUT a human person as a representation and under Dutch law that means you cannot take the organisation to court. There's jurisprudence established to show this. And because their stated way of working is that they only give advice and their partners carry out actions they push responsibility away. Additionally, their state way of working is that their partners are forbidden to enter any information received by them into their computer systems unless it's it's operationally required to do so. Which is never the case. See what they have done here? They keep information on their computers but the RIEC cannot be taken to court. Any information that comes from the RIEC is not allowed to be stored in the computers of their partners, which can be taken to court.
Apparently, the partners are primarily just given orders to execute, without so much explanation. Need to know basis and all that. Without an explanation as to what the actions are used for the partners will simply get in the habit of executing without asking questions.
So all in any, unlawful and morally bankrupt operations with zero accountability and hundreds of millions of euros of budget. What could possibly go wrong? Basically, the Netherlands is screwed, there's no fixing this. It's not a functioning democratic state of law anymore. Not by a long shot. And the sad thing is that the public (And apparently the press) have not even begun to understand how bad it is yet.
Although not in connection with hacking operations, I was one of the people that was targetting simply by being close to their target. I lived "next door to" someone that was busted by a drug bust in 2005. Then next 10 years I spent more than 30,000 euros in court costs and preventative measures trying to protect myself from the actions of the other neighbor who was being deliberately run by the Dutch government!! And they are completely immune from repercusions I've discovered to my disgust.
The prosecutor that obstructed justice said in a phone call with me the next day. "Even if you complain... what did you possibly hope to achieve by complaining?"
So because I objected to the harrassment that I received by the Dutch government's illegal use of a civilian to harrass an already convicted weed grower I received 10 years+ of criminality carried out against me effectively by the Dutch government by proxy.
Sounds like a great way to cause a massive headache for innocent people: hack their computer so the government can then give them a digital proctology exam.
It might make more sense if we consider a physical analog: it's already generally the case that the police don't need to get a warrant to enter private property in a hostage situation, or when there's an active shooter, etc. This doesn't mean it's _necessarily_ a good thing in either case, but it's less sensational if you don't frame it as something unprecedented.
Those analogs are covered under exigent circumstances. But there is no imminent danger attached to a hacking case. This feels more like "somebody stole my briefcase, which is justification to search my home without a warrant".
Except the briefcase is a computer, and the computer is still in your home, and this is about not needing permission to search the briefcase even though it's still in your possession, because the briefcase has also been stolen and may be actively used in committing crimes despite the fact that you are not committing crimes and it remains in your possession.
An ex secret service regulator has previously warned the House of Representatives (Tweede Kamer) about cheating from the secret service so communication of all Dutch citizens can be tapped[1]
The Netherlands can barely be described as a state of law, considering its absolutely worthless constitution, its apathetic senate and its corrupted judiciary.
This is just business as usual, the mainstream media doesn’t even mention this and nobody cares.
Absolutely correct. The media part is the sad part, they simply won't print stories about government abuse of power and violation of human rights. If they did, then there would be some possible final accountability, but within the media publishing the Netherlands are absolutely screwed.
And for all of you people who are jealous of what the Netherlands has, don't worry. The limburg chapter of the RIEC have managed to convince Germany and Belgium to also start with their own version of democracy beating measures. It's called EURIEC, look it up you lucky people.
Recall the recent Chinese Volt Typhoon campaign against US infrastructure in which the threat actor used US residential computers as "proxies" to mask their traffic as coming from legitimate, inside the US IP addresses.
I imagine the same type of thinking is behind the justification for this.
wait. so if you are hacked, then the government has a free pass to hack you as well? Why do all the reasons that come to mind right now fit in the 'bad idea' bucket...?
That's not how it works. It's not "when you report a hack the government can now hack you at will". It is: When an intelligence agency with a legal warrant to monitor another entity that's a severe enough threat to national security sees that entity hack you, they can follow along and monitor communication from the hacked machine and/or hack into it themselves. If enough precautions are taken to limit impact on the victim's privacy and only if their right to privacy is less important than the national security risk the original target poses if not doing so.
Source: Read the source doc in Dutch, it's far more nuanced than the English blog post.
Actually the way t0mas phrased it looks pretty reasonable.
And the stuff about reporting makes no sense. Victims of hacks perpetrated by some entity that's worth a national security warrant will most likely not notice they're hacked.
As a citizen, I am concerned. Loosely interpreted, if your machine was hacked by a 3rd party - regardless of who it was, it is then permitted for the police to hack your device in order to determine the extent of the hack.
Very loosely interpreted, it also means they can go after you if your bittorrent traffic was found in the traffic of group "X". Since sometimes, it is not possible to determine which or what traffic is included.
The biggest thing is the last "explanatory memorandum" that is attached to the law. While not the law itself, it is in practice how the law will be used:
> the permission granted also contains authorization for, during the validity of the warrant, to also enter automated works of the person or organization targeted by the warrant,
As explained in the article;
> An ‘automated work’ in this specific Dutch law has an extremely broad interpretation and includes such things as phones, computers, servers, websites, databases and mailboxes.
This basically means that if you are part of compromised traffic/target, then as interpreted legally, it's open season on anything you have associated to you.
I really hope this doesn't become standard practice, because it will just mean widespread abuses similar to how the DMCA is used (but more sinister).
> This basically means that if you are part of compromised traffic/target, then as interpreted legally, it's open season on anything you have associated to you.
This is the point (also discussed in previous thread). It sucks (for some), but is only logical.
I suspect this is all NL finally getting around to dealing with its reputation for being a child-porn hosting haven. The goal of this legislation does allow the cops to "break a window" so they can look at domestic hardware currently only accessible from foreign endpoints. NL cops can't get a search warrant on someone in NL when their supposed IP maps to MIT. MIT says there's no server here, just a Tor exit node. Oh well, nothing we can do!
Thus, they're now allowed to hack domestically (force entry), and anybody found interacting with the child porn server they're monitoring necessarily falls under the same scope as the purveyor and rightfully becomes a target themselves.
It would make no sense to say you can hack the principal target, but not any subjects subsequently implicated in criminal activity.
This stuff is literally impossible to prosecute under the status quo-- the NL cops get tips but don't have cause to act (otherwise it'd just be SWAT-ing), nobody can crack the encrypted traffic, and the clients aren't necessarily resharing outside of this channel. It's a perfect closed system with solid technical and legal OPSEC.
But yes, once they punish all of those who have evaded the law this way for the last two decades, they'll come for the torrenters and other petty criminals next. Thank the pedophiles for getting the party shut down.
What if the police thinks someone is hacked, starts intercepting and recording their communication, and then later it turns out they were not hacked? In other words, the police could intercept anyone’s communication. Then later if the police is questioned about this, they could say, “Sorry about that. We thought you were hacked. Guess you weren’t.”
If they spent the money in the right places, i.e helping people or organizations get back on their feet after a breach, that would be more fruitful. This whole 'we're gonna sit in your computer chasing bad guys' is just shenanigans.
This is ridiculous. How are they going to prevent abuse against our own people? THe gov't here is generally pretty good and transparent but there are abuses in every level if they think they can get away with it.
I don't know about Dutch constitution, but there usually is something about privacy, and presumption of innocence, and even if it isn't in the constitution (constitution is mostly about the technicalities of governance), there are things like the Declaration of Human Rights and other treaties that mention it that are above the law.
I guess I can see that being useful occasionally, but it also seems ripe for abuse. Just plant a mole in a hacker organisation of your choice, get a warrant against them, and now you can have your mole hack whoever you like, giving you the automatic right to hack them and intercept their communications