Cybercrime in the Netherlands
Some of you probably know that as a hobby I publish books in translation from Eastern European languages into English and Dutch – http://www.glagoslav.com. One of my recent publications is a book written by the prominent Russian attorney Anatoly Kucherena, who has been handling the case of Snowden in Russia. The author has written a book based on the true story of his client Edward Snowden – Time of the Octopus, which has become the basis for the script of the recently released Hollywood movie “Snowden”, directed by Oliver Stone, a prominent US film director.
Edward Snowden became widely known as a whistleblower for leaking a large amount of confidential information on the “espionage activities” of the CIA, the NSA and the GCHQ to the press. Among other things, the movie shows the use of the ‘PRISM’ program, through which the NSA could intercept telecommunications on a large scale and without prior, individual judicial authorization. Many people will see these activities as far removed and describe them as a depiction of American scenes. The legal reality we live in shows the contrary. What many don’t know is that comparable situations occur more often than you think, even in the Netherlands. On December 20, 2016 the Dutch House of Representatives passed the rather privacy-sensitive bill “Computercriminaliteit III” (“Cybercrime III”).
The bill Computercriminaliteit III, which still needs to be passed by the Dutch Senate and for whose failure many already pray, is meant to give investigating officers (police, the Royal Constabulary and even special investigating authorities such as the FIOD) the ability to investigate (i.e. copy, observe, intercept and make inaccessible information on) ‘automated operations’ or ‘computerised devices’ (for the layman: devices such as computers and cell phones) in order to detect serious crime. According to the government, it proved necessary to grant investigating officers the ability to – bluntly put – spy on citizens, as modern times have made crime hardly traceable due to increasing digital anonymity and encryption of data. The explanatory memorandum published in connection with the bill, a difficult-to-read tome of 114 pages, describes five aims for which the investigating powers may be used:
- The establishment and capturing of certain details of the computerised device or of the user, such as the identity or location: more specifically, this means that investigating officers can secretly access computers, routers and mobile phones in order to obtain information such as an IP address or IMEI number.
- The recording of data stored in the computerised device: investigating officers may record data that are needed in order to ‘establish the truth’ and solve serious crime. One can think of the recording of images of child pornography and login details for closed communities.
- Making data inaccessible: it will become possible to make data with which a crime is committed inaccessible in order to end the crime or prevent future crimes. According to the explanatory memorandum, it should in this way become possible to combat botnets.
- The execution of a warrant for the interception and recording of (confidential) communications: under certain conditions it will become possible to intercept and record (confidential) information with or without the cooperation of the provider of the communication service.
- The execution of a warrant for systematic observation: the investigating officers will gain the ability to establish the location and track the movements of a suspect, possibly by remotely installing special software on the computerised device.
Anyone who believes that these powers can only be used in cases of cybercrime will be disappointed. The investigating powers mentioned under the first and the last two bullet points above can be applied to crimes for which provisional detention is permitted, which comes down to crimes for which the law sets a minimum sentence of 4 years. The investigating powers connected to the second and the third aim can only be used for crimes for which the law sets a minimum sentence of 8 years. In addition, a general order in council can designate a crime committed using an automated operation where it is of obvious social importance that the crime is ended and the perpetrators are prosecuted. Fortunately, the penetration of automated operations can only be authorised if the suspect is using the device.
As the road to hell is paved with good intentions, proper supervision is never a superfluity. The investigating powers granted by the bill can be exercised covertly, but the request for the application of such an instrument can only be made by a prosecutor. Prior authorization of a supervisory judge is needed and the “Centrale Toetsingscommissie” of the Public Prosecution Department assesses the intended use of the instrument. Additionally, and as mentioned earlier, there is a general restriction to application of the powers to crimes with a minimum sentence of 4 or 8 years. In any case, requirements of proportionality and subsidiarity need to be fulfilled, as well as substantive and procedural requirements.
The most significant aspect of the bill Computercriminaliteit III has now been discussed. I have, however, noticed that most media, in their cries of distress, forget to discuss two additional important topics of the bill. The first is that the bill will also introduce the possibility of using ‘bait adolescents’ in order to trace ‘groomers’. Groomers can be seen as the digital version of lover boys: they seek sexual contact with minors online. Furthermore, it will become easier to prosecute receivers of stolen data and fraudulent sellers who fail to deliver the goods or services they offer online.
Objections to the bill Computercriminaliteit III
The proposed law potentially entails a huge invasion of the privacy of Dutch citizens. The scope of the law is endlessly broad. I can think of many objections. One is that, when looking at the limitation to offenses with a minimum sentence of 4 years, one immediately assumes that this represents a reasonable boundary and that it will always involve offenses that are unforgivably severe. However, a person who deliberately enters into a second marriage and refuses to inform the counterparty can already be sentenced to 6 years. Additionally, it can well be the case that a suspect eventually turns out to be innocent. Not only have his or her own details then been thoroughly scrutinised, but likely also the details of others who had nothing to do with the ultimately-not-committed crime. After all, computers and phones are used ‘par excellence’ to contact friends, family, employers and countless others. In addition, it is questionable whether the persons responsible for the approval and supervision of requests based on the bill have enough specialised knowledge to properly assess the request. Yet such legislation almost seems like a necessary evil in the present day. Almost everyone has at some point had to deal with Internet scams, and tensions tend to run enormously high when someone has bought a fake concert ticket through an online marketplace. Moreover, no one would ever want his or her child to come into contact with an iffy figure during his or her daily browsing. The question remains whether the bill Computercriminaliteit III, with its broad possibilities, is the way to go.
The bill Computercriminaliteit III seems to have become a somewhat necessary evil. The bill provides investigating authorities with an extensive degree of power to gain access to computerised works of suspects. Unlike in the Snowden affair, the bill provides considerably more safeguards. However, it is still questionable whether these safeguards are sufficient to avoid a disproportionate intrusion into the privacy of Dutch citizens and, in the worst-case scenario, to prevent a “Snowden 2.0” affair from happening.