'Hack back' law would let Dutch police install spyware, eavesdrop on Skype

A bill expected to be put before the Netherlands' parliament later this year giving Dutch authorities wide-ranging powers is already drawing criticism.

Read this

Germany backs away from using a Trojan on its citizens - for now

Support for the use of a government-created Trojan to intercept the VoIP communications of suspected criminals appears to be on the wane - but it's far from dead.

Read More

A bill proposed by the Dutch government that would give authorities wide-ranging powers to hack users' devices has sparked a heated privacy debate in the Netherlands. Critics fear the new bill, if it makes it through parliament in its current form, would set a dangerous precedent.

Under the proposal (PDF), investigators would get the power to break into suspects' computer systems, listen in to VoIP conversations such as those made over Skype, install spyware, hack smartphones and force suspects to provide access to encrypted files. The law would also extend to giving authorities' access to servers which are physically located abroad.

Justice minister Ivo Opstelten argues that the Dutch police's jurisdiction currently is too limited to allow it to effectively combat cybercrime, such as recent large-scale DDoS attacks — including one targeting Dutch banks that disrupted access to online banking systems — and paedophilia.  Opstelten cited one case where police took half a year to break the encryption used by a prime suspect in a paedophilia investigation. Under the new law, paedophilia and terrorism suspects risk three years imprisonment if they don't cooperate with the police by providing encryption keys.

According to critics of the legislation, the bill is too vague and goes too far. With no definition of 'cybercrime' given, the legislation could potentially create a slippery slope where more and more offences could be brought within its remit.

In its current form, the law could be stretched to combat drug trafficking and fraud, Jan Jaap Oerlemans, a legal expert at Utrecht University told radio station BNR Nieuwsradio, while the legislation would also enable police to use smartphones' GPS data to track the locations of suspects.

Ronald Prins, director at security company Fox-IT, applauded the new powers to "hack back", but counselled the Dutch government against replicating the so-called Bundestrojaner scheme developed by the German authorities - a government-created Trojan that can be used to intercept the VoIP communications of suspected criminals.

Privacy group Bits of Freedom has also warned that the new law would lead to police ignoring other powers they already have, and that any spyware created by the Dutch authorities could be seized by cyber criminals and used for malicious purposes. It would also send the wrong signal to countries where internet freedoms are already severely curtailed, such as China, it added.

The draft legislation is expected to be put before Dutch parliament before the end of the year.