Last month, the Netherlands government gave its police and central intelligence agency official approval to exploit zero-day vulnerabilities.
These hardware and software flaws, which are unknown to the public and often also to the product makers themselves, are seen by Dutch law-enforcement agencies as key tools in understanding potential cyberattacks.
But critics believe that allowing security agencies to exploit zero-days amounts to a license to conduct covert surveillance programs on the public.
Zero-day vulnerabilities can be unknown or known to manufacturers. In either case, the public is not aware of them until the manufacturer issues a software or firmware patch or update.
Manufacturers usually issue swift updates, but end users do not always install them right away. The Dutch government will also allow law enforcement to exploit known vulnerabilities that users or manufacturers have left unpatched for a period.
In a memorandum to parliament, the Netherlands government called the use of hardware and software vulnerabilities by law enforcement an urgent matter of national security, as increasingly more criminals commit crimes via the internet.
As part of new guidelines, government officials are required to report any newly discovered zero-day vulnerability to the Dutch National Cyber Security Centre, or NCSC, under a "responsible disclosure" policy. In turn, the NCSC will notify the manufacturer of the flaw.
The new zero-day ruling is a U-turn for the government's stance on backdoors. In December last year, the Dutch voted to make the public's digital infrastructure more secure and prevent backdoors by funding three different open-source encryption projects.
However, the government's new zero-day policy essentially allows backdoors to stay open if the police stumble across them.
There is evidence that the police might use zero-day vulnerabilities to augment their surveillance capabilities, as the policy's detractors argue.
Last December, reports surfaced that the Netherlands Forensics Institute broke into data-encrypted messages on multiple BlackBerry smartphones and was able to recover deleted emails.
Then in March, the US Justice Department announced it had broken into the iPhone of one of the gunmen in the San Bernardino shooting case. The government had been appealing to Apple for months for assistance in accessing the gunman's data.
In both the Dutch and US smartphone hacking cases, the governments did not have to tell the smartphone manufacturers which methods they had used to break into the devices. And each government relied on third-party companies to find the smartphones' vulnerabilities.
Both the lack of transparency these public entities showed in their handling of the phones' vulnerabilities and their sharing of data with non-government contractors raise questions about how far the public's security is being placed above its privacy. Is the lure of digital forensics greater than the duty to keep the public's digital lives private?
From the point of view of smartphone manufacturers, digital privacy trumps any of the security gains that could arise from exploiting zero-day vulnerabilities.
In response to both the Dutch and US government-sponsored hacks, both BlackBerry and Apple strengthened their data-security capabilities. BlackBerry issued new security updates to its phones, and Apple employed a new encryption specialist.
Yet many private companies sell services that can uncover zero-day vulnerabilities in mobile devices. For example, the Netherlands Forensics Institute contracted Israeli company Cellebrite to unlock data from the BlackBerry smartphones, according to AFP.
Besides condoning surveillance of the public, critics say, the new Dutch position on undisclosed vulnerabilities will probably encourage a black market for zero-days, in which the police might be a lucrative customer.
"It ignores the fact that those vulnerabilities may be acquired on the black market, or that they may be shared among intelligence services," the European Digital Rights Institute wrote in its November 16 newsletter.
The Dutch government addressed the zero-day vulnerability market in its brief, stating that it is not illegal to discover and sell knowledge of these vulnerabilities over the internet. Rather, it places the onus on manufacturers to encourage third parties to report new vulnerabilities, using financial rewards as one strategy.
Still, the market is heavily unregulated, a point the government brief also acknowledged. Offenders can anonymously acquire and use zero-day vulnerabilities for criminal purposes on the internet, making them difficult to track.
Both the Dutch government and the European Commission are now taking steps to standardize regulation in the zero-day vulnerability market.
Meanwhile, the US has issued no official guidelines over how the public sector may exploit zero-day vulnerabilities and other hardware and software glitches in consumer products.