The Dutch police have a history of being proactive in their approach to cybercrime. Almost exactly two years ago they took control of the BredoLab botnet servers, but went further by using those servers to download a benign trojan to infected zombie PCs. The trojan merely warned the user that the PC was infected, saying, “If this Browser has opened automatically then your computer has been infected with malware. Your computer has become part of a bot network.” Needless to say, the message also gave advice on how to remove the infection.
At the time, many questioned the international legality of this. On the assumption that some of the infected computers would be in the UK, leading UK lawyer Nicholas Bohm commented, “Infecting a computer with a trojan would involve offenses under the Computer Misuse legislation unless carried out with some form of lawful authority.” Now, in a letter sent to the lower house of the Dutch parliament, Minister of Security and Justice Ivo Opstelten has described plans to give the Dutch police their own authority to do just that.
The letter makes it clear that international cooperation with the relevant authorities will always be sort, but notes that in some cases it is impossible to discover the geographic location of target servers. TOR, which can be used to hide the location of both the server and the visiting client, is used as an example; and the letter describes a particular instance. The police had located a number of servers hidden by TOR on the darknet “containing recorded images of serious sexual abuse of children” (Google translation). But the police could not discover their location – international cooperation was impossible.
The Dutch police took action without that international cooperation. They copied the content of the servers so that international law enforcement agencies could use the material to investigate the crimes, then deleted the material from the servers and made them inaccessible. It is the questionable legality of this proactive action that Opstelten now wishes to clarify by more clearly defining and expanding the legal power of the Dutch police in international cybercrime.
He concludes, “The coming months will be used together with the police, prosecutors and other relevant stakeholders [to] prepare a draft bill. I am convinced that it is necessary to strengthen the investigation and prosecution of cybercrime.”