The necessity of a new cyberlaw for Dutch intelligence and security services

Growing cyber threats to Dutch national security reveal an urgent need to amend current powers of intelligence and security services. The proposed “Cyber Act” aims to address these challenges by granting bulk interception and hacking capabilities, and by allowing for greater flexibility in the oversight process. However, further clarification is needed on the scope of the Act.


In my opinion, there is an urgent need for a new bill that amends the bulk interception and hacking powers of Dutch intelligence and security services. In this blog post, I share the essential points that I presented during a ‘round table hearing’ at the Dutch parliament on 5 April 2023. My original contribution (in Dutch) can be found here.

The (cyber)threat

The cyberthreat the proposed legislation aims to address should be completely clear. The Dutch General Intelligence and Security Service (AIVD) first reported about ‘digital infringements on Dutch vital ICT infrastructures’ in 2007. This message highlighting the risks of digital espionage to our national security has been reiterated in every annual report since 2013. These reports explicitly mention various victims of digital espionage, including Dutch ministries, telecom providers, universities, educational institutions, think tanks, and biotechnology companies.

Our Military Intelligence and Security Services (MIVD), as well as the National Cyber Security Centre (NCSC), have echoed these concerns. In fact, the NCSC considers the threat posed by ‘state actors’ to cybersecurity as the most significant among all threats, surpassing even the threats posed by criminal actors. 

The problem

In 2021, the Dutch intelligence and security services raised concerns regarding challenges they encountered in their cyber operations. These issues primarily stem from the “legality review” process conducted by the newly established Investigatory Powers Commission (TIB). The TIB is responsible for granting or denying warrants for investigatory powers, including bulk interception and hacking.

The proposed Cyber Act  

To address these challenges, a bill has been introduced, which I refer to as the ‘Cyber Act’. This proposed legislation specifically addresses bulk interception and hacking capabilities and proposes significant changes to the oversight system in the Netherlands. It is crucial to emphasise that the scope of the bill is limited to operations conducted by Dutch intelligence and security services that target the gathering of intelligence related to “offensive cyber operations of foreign states”. 

The aim of the proposed bill is to amend and partially shift the oversight of bulk interception and hacking as investigatory powers from the Investigatory Powers Commission (TIB) to the Dutch Review Committee on Intelligence and Security Services, allowing for greater flexibility for intelligence and security services. It seeks to establish a more dynamic oversight process that aligns with the technical realities of these powers. 

It is also noteworthy that the proposal grants the Dutch Review Committee on Intelligence and Security Services the (binding) power to halt an operation and (ultimately) order the deletion of unlawfully processed data when specific investigatory powers are employed. Currently, this oversight body lacks any binding authority in its task of overseeing intelligence and security services. Additionally, the proposed legislation introduces an appeals procedure for decisions made by the Dutch oversight bodies, enabling a judge to make the final determination regarding the legality of actions and decisions. 

Bulk interception 

Bulk interception serves as a notable example that illustrates how investigatory powers are amended in the Cyber Act. One significant challenge in the current application of bulk interception as an investigatory power is the disagreement between the intelligence and security services (and their responsible ministers who authorise these powers) and the Investigatory Powers Commission (TIB) regarding the level of focus that should be applied to bulk interception.

It is important to clarify that bulk interception is inherently non-targeted in nature. It involves the interception of large volumes of data (bulk) after it is collected at a specific location. This process differs from, for instance, wiretapping. With wiretapping, data associated with a particular identifying number, such as a telephone number or IP address, is intercepted. Bulk interception captures a greater volume of data, including unidentified numbers that may be connected to potential national security threats. In a cybersecurity context, bulk interception can be used to collect intelligence about the IT infrastructure utilised by foreign actors engaging in covert activities on Dutch infrastructure.

The Cyber Act aims to do more justice to the untargeted nature of bulk interception, but solely within the context of gathering intelligence related to the threat of offensive cyber operations conducted by state actors that pose a risk to national security. While the bill includes numerous detailed provisions, which I will not delve into here, I believe the arguments put forth in support of the proposals are compelling. Therefore, it is in my view necessary to amend the law. In fact, I think we should consider an even more substantial role for intelligence and security services in combating cybersecurity threats.

Addressing the threat of cybercrime to national security

The issue of cybercrime posing a threat to national security deserves attention. I emphasised that the Dutch National Security Centre identified ransomware as a national security threat. I agree with this assessment, insofar as ransomware attacks have severe economic consequences or disrupt vital infrastructures. Regrettably, we have already witnessed ransomware incidents targeting the Port of Rotterdam, hospitals, and municipalities in the Netherlands.

In the Netherlands, there is a strict separation between the investigation of criminal activities and the investigation of national security threats. It is evident to me that the Dutch Intelligence and Security Services should investigate ransomware attacks that pose a risk to national security. However, it remains unclear whether such investigations are currently being carried out. While the Dutch Cyber Act appears to primarily focus on state actors, I would appreciate clarification on whether it also encompasses ransomware activities conducted by criminal organisations.


This is a cross-post from my blog post on aboutintel.eu. It is part of a discussion prompt about the ‘Dutch Temporary Cyber Act’, with contributions from Lotte Houwing and Bert Hubert.

Chapters of ‘Essentials in Cybercrime’ available in open access

On 22 December 2021, our book ‘Essentials in cybercrime. A criminological overview for education and practice’ (edited by W. van der Wagen, J.J. Oerlemans & M. Weulen Kranenbarg) was published.

Our book is intended for students and professionals and offers insight into the various manifestations and features of cybercrime, offender and victim characteristics, quantitative and qualitative methods for studying crime in the digital domain, criminological theories that can be used to understand cybercrime, as well as possible interventions.

In addition to criminological aspects, the book also deals with a number of legal topics, including the criminalisation of cybercrime (under the Convention on Cybercrime) and the investigative powers that can be used by the police in the online domain.

My chapters ‘Types of cybercrime and their criminalisation’ (.pdf) (together with dr. Wytske van der Wagen) and ‘Cybercrime investigations’ (.pdf) (together with dr. Maša Galič) are now available in open access.

The rest of the book is available at the store of Eleven Publishing (with Chapter 1 freely available) and stores like Bol.com.


Table of contents:

Chapter 3 – Types of cybercrime and their criminalisation

Jan-Jaap Oerlemans & Wytske van der Wagen

3.1 Introduction
3.2 Cyber-dependent crime
3.2.1 Hacking
3.2.1.1 Computer hacking
3.2.1.2 Ethical hacking
3.2.2 Malware
3.2.2.1 Ransomware
3.2.3 Botnets
3.2.4 DDoS attacks
3.3 Cyber-enabled crime
3.3.1 Cyber-enabled fraud
3.3.2 Online drug trafficking
3.3.3 Money laundering and virtual currency
3.3.4 Online sex offences
3.3.4.1 Child pornography
3.3.4.2 Sexting
3.3.4.3 Grooming
3.3.4.4 Sextortion
3.3.4.5 Revenge porn
3.3.5 Content crimes
3.4 Future developments
3.4.1 Increased involvement of state actors
3.4.2 The ‘internet of things’
3.4.3 The use of artificial intelligence by cybercriminals
3.5 To conclude
3.6 Discussion questions
3.7 Core concepts

Please cite as:

Oerlemans, J.J., & Van der Wagen, W. (2022). Types of cybercrime and their criminalisation. In Essentials in cybercrime: A criminological overview for education and practice. Eleven International Publishing, 53-98.


Table of contents

Chapter 8 – Cybercrime investigations

Jan-Jaap Oerlemans & Maša Galič

8.1 Introduction
8.2 Digital investigations and criminal procedure law
8.2.1 Regulating investigative methods
8.2.2 Jurisdiction and cybercrime
8.3 IP addresses as digital leads
8.3.1 Data production and preservation orders
8.3.2 Seizing and analysing data on computers
8.3.3 Network computer searches
8.4 The challenge of anonymity
8.4.1 Proxy and VPN services
8.4.2 Tor
8.4.3 Open source investigations
8.4.4 Online undercover operations
8.5 The challenge of encryption
8.5.1 Encryption in storage
8.5.2 Encryption in transit
8.5.3 Hacking as an investigative method
8.6 Disrupting cybercrime
8.7 To conclude
8.8 Discussion questions
8.9 Core concepts

Please cite as:

Oerlemans, J.J. & Galič, M. (2022). Cybercrime investigations. In Essentials in cybercrime: A criminological overview for education and practice. Eleven International Publishing, 197-254.

New book on cybercrime

Yesterday, our new book ‘Essentials in cybercrime. A criminological overview for education and practice’ became available. Wytske van der Wagen, Marleen Weulen Kranenbarg, and I are the editors of the book and we are proud of the result. In this blog post, I’ll briefly introduce the book and explain its background.

Background

A study book about the essentials of cybercrime was in our view necessary, in order to bring together knowledge about cybercrime in a conveniently arranged manner. That is why, in 2020, we published our (Dutch) book ‘Basisboek Cybercriminaliteit’, in which all the necessary basic knowledge about cybercrime was provided.

As some universities expressed the desire for an English version of the book, we decided to move forward with a translation. The current book is however not a literal translation. It is more internationally oriented, especially when it comes to legislation, it includes the most recent studies, and it also provides an entirely new chapter on organized cybercrime (Chapter 5). Like the Dutch version of our book, it aims to provide the essential knowledge of various facets of cybercrime.

Aim of the book and intended audience

Our book is intended for students and professionals who want to learn more about cybercrime. The book offers insight into the various manifestations and features of cybercrime, offender and victim characteristics, quantitative and qualitative methods for studying crime in the digital domain, criminological theories that can be used to understand cybercrime, and possible interventions.

In addition to criminological aspects, the book also deals with a number of legal topics, including the criminalisation of cybercrime, the detection process and the investigative powers that can be used by the police in the online domain.

The book is introductory in nature and is therefore also suitable for those who are new to the subject of cybercrime. At the same time, the book discusses the various topics in depth and incorporates a broad range of studies and perspectives.

Contents and (co-)authors

In this book, we combine our own criminological and legal expertise in the development of cybercrime, our knowledge about cybercrime offenders and victims, and the investigation of cybercrime. We also asked experts in the fields of organised cybercrime, the victimisation of cybercrime and cybercrime interventions to complement our understanding of cybercrime and to contribute to this book.

We therefore thank our guest authors – Rik Beerthuizen, Maša Galič, Tamar Fischer, Thomas Holt, André van der Laan, Rutger Leukfeldt, Sifra Matthijsse, Take Sipma and Elina van ’t Zand – for their important contributions to this book.

Availability

Our book is published by Eleven and now available in the store of Eleven Publishing (with Chapter 1 freely available) and stores like Bol.com.

One year after publication, Chapter 3 about ‘Types of cybercrime and their criminalisation’ and Chapter 8 about ‘Cybercrime investigations’ will be available in open access.

Hacking without a legal basis

Posted on 30/10/2014 on Oerlemansblog

In May 2014, the Dutch Public Prosecution Office announced that the Dutch police participated in a global action against ‘Blackshades’ malware. Blackshades enables individuals to remotely take over computers and copy information (among other functionalities). The Dutch press release stated that:

“Team High Tech Crime of the Dutch police saw an opportunity to enter the Blackshades server and secure a large amount of information. The location of the server is unknown”.

This statement implies that Dutch law enforcement authorities entered the server remotely to copy data. In other words, Dutch law enforcement authorities hacked a server without knowing the location of the server to secure information. Indeed, recent answers to parliamentary questions confirmed the computer was ‘remotely accessed’ (hacked) by law enforcement authorities during the operation in May. In addition, the Dutch Minister of Security and Justice stated in the letter to the Dutch Parliament that art. 125i of the Dutch Code of Criminal Procedure (DCCP) provides for a legal basis to access computers remotely (by hacking) and copy information.

The problem with this letter is that there is arguably no legal basis for hacking in Dutch criminal procedural law. The statement of the Minister of Safety and Justice is in my view worrisome, because a special investigation power is interpreted very broadly by the minister to suit the needs of law enforcement authorities. This undermines a fundamental principle of our criminal law system.

Art. 125i DCCP does not provide a legal basis for hacking

Art. 125i DCCP provides for an ill-understood investigation power that allows law enforcement authorities to search a place in order to secure information stored on computers. The article specifically refers to existing investigation powers for search and seizure at a particular place by law enforcement authorities. Therefore, art. 125i DCCP should always be read in conjunction with the power to search a place, seize a computer and subsequently search data on a computer. In the letter, the minister seems to ignore these explicitly referred to powers of search and seizure at a particular place.

For example, a public prosecutor can seize a computer located at a hosting provider and search the data stored on a computer in an effort to secure the sought-after data upon the legal basis of art. 125i DCCP jo art. 96c DCCP. These powers for search and seizure are simply different from hacking as an investigation method. The most notable difference between hacking and the search and seizure of computers is that hacking takes place remotely in secret, whereas the search and seizure of computers takes place at a particular place in the presence of witnesses.

There are good reasons to think that the Dutch legal framework to analyse data on computers is outdated. Additionally, there are good reasons why law enforcement authorities feel the need to be able to access computers remotely to acquire information relevant to a criminal investigation. But a key principle and essential to the rule of law is that law enforcement authorities are bound by the law. In my view, as I argued extensively in 2011 and 2013 (in Dutch), Dutch criminal procedural law does not provide for the investigation power to hack computers by law enforcement authorities.

Criminal procedural legality principle

In Dutch criminal procedural law, investigation methods that infringe on the right to privacy in more than a minor way or threaten the integrity of a criminal investigation require detailed regulations. This ‘criminal procedural legality principle’ with regard to the regulation of investigation methods ensures that governmental powers are controlled by the law and prevents arbitrary interferences by the government in the private lives of citizens. The principle also ensures that governmental powers to investigate crime are foreseeable to citizens. In essence, this legality principle harnesses governmental power, which is essential to the rule of law.

Therefore, I find it curious our Minister of Security and Justice endorses a broad and highly debatable interpretation of the law to enable law enforcement authorities to hack computers, especially considering that a new legislative proposal is under way which aims to regulate hacking as an investigation power. This ‘Computer Crime Act III’ will be sent to the Dutch Parliament in early 2015.

A democratic legislative process is required to provide Dutch law enforcement authorities with the powers that a majority of the elected representatives of the Dutch people find appropriate. Perhaps hacking computers under stringent conditions to allow for evidence gathering activities is desirable as a new investigation power. But in the meantime, the criminal procedural legality principle as a key principle in Dutch criminal procedural law should not be ignored.

This is a cross post from LeidenLawBlog.nl

Extraterritorial use of policeware in the United States?

Posted on 02/05/2013 on Oerlemansblog

Last week, the story broke that a judge from Texas (United States) had published a decision (.pdf) denying a warrant for the placement of “policeware” on a computer of an unknown suspect at an unknown location. Policeware is special surveillance software, also called “spyware”, utilized to secretly monitor all kinds of internet activities of a computer user. The decision is interesting because it sheds light on the use of policeware in the United States.

Capabilities of the software

Judge Smith explains that the FBI requested to install “data extraction software” on the “Target Computer” (presumably the computer of a suspect). This software has the capability to search the computer’s hard drive, random access memory, and other storage media (thus perform a “remote search”). Additionally, the software can “activate the computer’s built-in camera, generate latitude and longitude coordinates for the computer’s location and transmit the extracted data to FBI agents in the district”. By installing the software, the FBI wishes to obtain information such as web browsing history, e-mail contents, e-mail contacts, chat logs, photographs and correspondence. The law enforcement agency also wishes to use the built-in camera to make photographs to identify the person using the target computer.

Extraterritorial application of a warrant to install policeware

The Texan judge then ascertains whether the request complies with the warrant requirements as described in Rule 41 of the U.S. Federal Rules of Criminal Procedure. This blog post does not allow me to elaborate on the judge’s decision and the requirements of a “Rule 41 warrant”, but I do want to point out that the judge establishes that Rule 41 only allows for searches “in the district of the judge”. In this case the territoriality requirement is not met, because the search does not take place within the district, “so far as the Government’s application shows”, according to the judge. Note the judge’s witty remark that the search takes place: “not in the airy nothing of cyberspace, but in the physical space with a local habitation and a name”.

U.S. digital surveillance expert Orin Kerr analyzed the court decision of judge Smith on the popular legal blog “The Volokh Conspiracy”. I found his considerations about the applicability of the warrant requirement on a potentially foreign suspect particularly fascinating. It is standing case law (under United States v. Verdugo-Urquidez, 494 U.S. 259 (1990)) that the warrant requirement of the Fourth Amendment of the U.S. Constitution does not apply outside the United States. Since it is likely the physical computer will be searched overseas (because the last known IP address is traced back somewhere in Southeast Asia), the government does not need a warrant to search the physical computer. However, Kerr believes the search also takes place in the United States when the information is analyzed by U.S. law enforcement officials and therefore a warrant is required “for that part of the search that takes place in judge Smith’s home district”. Kerr ultimately finds the arguments presented by judge Smith to deny the warrant unconvincing.

Conclusion

Kerr’s analysis of the case begs the question: is it desirable that the United States could potentially perform searches of computers and install policeware on computers in foreign territory by unilaterally applying their criminal procedural rules to foreigners? If the answer is no, keep in mind that the Dutch government suggested more or less the same thing on p. 34-35 in their announcement today (in Dutch) to amend the Dutch Code of Criminal Procedure to make hacking and the placement of spyware possible on computers “if their location is unknown” (see also this blog post).

I’m curious to hear from international criminal law legal experts and others as to what they think of this.

This is a cross post from LeidenLawBlog.nl.