Hacking without a legal basis

Posted on 30/10/2014 on Oerlemansblog

In May 2014, the Dutch Public Prosecution Office announced that the Dutch police participated in a global action against ‘Blackshades’ malware. Blackshades enables individuals to remotely take over computers and copy information (among other functionalities). The Dutch press release stated that:

“Team High Tech Crime of the Dutch police saw an opportunity to enter the Blackshades server and secure a large amount of information. The location of the server is unknown”.

This statement implies that Dutch law enforcement authorities entered the server remotely to copy data. Said in other words, Dutch law enforcement authorities hacked a server without knowing the location of the server to secure information. Indeed, recent answers to parliamentary questions confirmed the computer was ‘remotely accessed’(hacked) by law enforcement authorities during the operation in May. In addition, the Dutch Minister of Security of Justice stated in the letter to the Dutch Parliament that art. 125i of the Dutch Code of Criminal Procedural (DCCP) provides for a legal basis to access computer remotely (by hacking) and copy information.

The problem with this letter is that there is arguably no legal basis for hacking in Dutch criminal procedural law. The statement of the Minister of Safety and Justice is in my view worrisome, because a special investigation power is interpreted very broadly by the minister to suit the needs of law enforcement authorities. This undermines a fundamental principle of our criminal law system.

Art. 125i DCCP does not provide a legal basis for hacking

Art. 125i DCCP provides for an ill-understood investigation power that allows law enforcement authorities to search a place in order to secure information stored on computers. The article specifically refers to existing investigation powers for search and seizure at a particular place by law enforcement authorities. Therefore, art. 125i DCCP should always be read in conjunction with the power to search a place, seize a computer and subsequently search data on a computer. In the letter, the minister seems to ignore these explicitly referred to powers of search and seizure at a particular place.

For example, a public prosecutor can seize a computer located at hosting provider and search the data stored on a computer in an effort to secure the sought after data upon the legal basis of art. 125i DCCP jo art. 96c DCCP. These powers for search and seizure are simply different from hacking as an investigation method. The most notable difference between hacking and the search and seizure of computers is that hacking takes place remotely in secret, whereas the search and seizure of computers takes place at a particular place in the presence of witnesses.

There are good reasons to think that the Dutch legal framework to analyse data on computers is outdated. Additionally, there are good reasons why law enforcement authorities feel the need to be able to access computers remotely to acquire information relevant to a criminal investigation. But a key principle and essential to the rule of law is that law enforcement authorities are bound by the law. In my view, as I argued extensively in 2011 and 2013 (in Dutch), Dutch criminal procedural law does not provide for the investigation power to hack computers by law enforcement authorities.

Criminal procedural legality principle

In Dutch criminal procedural law, investigation methods that infringe in the right to privacy in more than a minor way or threaten the integrity of a criminal investigation require detailed regulations. This ‘criminal procedural legality principle’ with regard to the regulation of investigation methods ensures that governmental powers are controlled by the law and prevent arbitrary interferences by the government in the private lives of citizens. The principle also ensures that governmental powers to investigate crime are foreseeable to citizens. In essence, this legality principle harnesses governmental power which is essential to the rule of law.

Therefore, I find it curious our Minister of Security and Justice endorses a broad and highly debatable interpretation of the law to enable law enforcement authorities to hack computers, especially considering that a new legislative proposal is under way which aims to regulate hacking as an investigation power. This ‘Computer Crime Act III’ will be send to the Dutch Parliament in early 2015.

A democratic legislative process is required to provide Dutch law enforcement authorities with the powers that a majority of the elected representatives of the Dutch people find appropriate. Perhaps hacking computers under stringent conditions to allow for evidence gathering activities is desirable as a new investigation power. But in the meantime, the criminal procedural legality principle as a key principle in Dutch criminal procedural law should not be ignored.

This is a cross post from LeidenLawBlog.nl

Extraterritorial use of policeware in the United States?

Posted on 02/05/2013 on Oerlemansblog

Last week, the story broke that a judge from Texas (United States) had published a decision  (.pdf) denying a warrant for the placement of “policeware” on a computer of an unknown suspect at an unknown location. Policeware is special surveillance software, also called “spyware”, utilized to secretly monitor all kinds of internet activities of a computer user. The decision is interesting because it sheds light on the use of policeware in the United States.

Capabilities of the software

Judge Smith explains that the FBI requested to install “data extraction software” on the “Target Computer” (presumably the computer of a suspect). This software has the capability to search the computer’s hard drive, random access memory, and other storage media (thus perform a “remote search”). Additionally, the software can “activate the computer’s built-in camera, generate latitude and longitude coordinates for the computer’s location and transmit the extracted data to FBI agents in the district”. By installing the software, the FBI wishes to obtain information such as web browsing history, e-mail contents, e-mail contacts, chat logs, photographs and correspondence. The law enforcement agency also wishes to use the built-in camera to make photographs to identify the person using the target computer.

Extraterritorial application of a warrant to install policeware

The Texan judge then ascertains whether the request complies with the warrant requirements as described in Rule 41 of the U.S. Federal Rules of Criminal procedure. This blog post does not allow to me elaborate on the judge’s decision and the requirements of a “Rule 41 warrant”, but I do want to point out that the judge establishes that Rule 41 only allows for searches “in the district of the judge”. In this case the territoriality requirement is not met, because the search does not take place within the district, “so far as the Government’s application shows”, according to the judge. Note the judge’s witty remark that the search takes place: “not in the airy nothing of cyberspace, but in the physical space with a local habitation and a name”.

U.S. digital surveillance expert Orin Kerr analyzed the court decision of judge Smith on the popular legal blog “The Volokh Conspiracy”. I found his considerations about the applicability of the warrant requirement on a potentially foreign suspect particularly fascinating. It is standing case law (under United States v. Verdugo-Urquidez, 494 U.S. 259 (1990) that the warrant requirement of the Fourth Amendment of the U.S. Constitution does not apply outside the United States. Since it is likely the physical computer will be searched overseas (because the last known IP address is traced back somewhere in Southeast Asia), the government does not need a warrant to search the physical computer. However, Kerr believes the search also takes place in the United States when the information is analyzed by U.S. law enforcement officials and therefore a warrant is required “for that part of the search that takes place in judge Smith’s home district”.  Kerr ultimately finds the arguments presented by judge Smith to deny the warrant unconvincing.

Conclusion

Kerr’s analysis of the case begs the question: is it desirable that the United States could potentially perform searches of computers and install policeware on computers in foreign territory by unilaterally applying their criminal procedural rules to foreigners? If the answer is no, keep in mind that the Dutch government suggested more or less the same thing on p. 34-35 in their announcement today (in Dutch) to amend the Dutch Code of Criminal Procedure to make hacking and the placement of spyware possible on computers “if their location is unknown” (see also this blog post).

I’m curious to hear from international criminal law legal experts and others as to what they think of this.

This is a cross post from LeidenLawBlog.nl.