Panel
Moderator:
• Lucian Constantin, Romania Correspondent for IDG News Service
(PCWorld, Computerworld etc.)
Participants:
• Carsten Eiram, Chief Research Officer at Risk Based Security, vulnerability research
and management expert with 10 years of experience, who led the research team at
Secunia
• Raoul “Nobody” Chiesa, Founder & President of The Security Brokers, Member of the
European Network & Information Security Agency (ENISA) Permanent
Stakeholders’ Group (PSG) and of the UN agency UNICRI (United Nations Interregional
Crime and Justice Research Institute), working on HPP, the Hackers Profiling
Project run by ISECOM and UNICRI; in 2005 he was officially recognized as a
cybercrime advisor.
• Bogdan Manolea, Executive Director of the Association for Technology and
Internet, legal advisor, IT&C law expert, Editor of EDRi-gram, a biweekly
newsletter on digital civil rights in Europe.
• Silviu Sofronie, Forensics Specialist at Bitdefender, acts as liaison with law
enforcement
What we know so far
• In October 2012, the Dutch Minister of Justice proposed a
law that would allow law enforcement (police) to remotely
infiltrate computers and install surveillance software and
gather evidence.
• The new legislation will provide strict safeguards for the
proposed investigative powers, Minister Opstelten said. Law
enforcement authorities will only be able to exercise such
powers when investigating offenses that carry a maximum
prison sentence of four years or more, and only after
obtaining authorization from a judge, he said. Furthermore,
all such actions will be automatically logged and the logs
will be accessible for later review.
What we know so far
• Draft presented in May 2013 (obviously in Dutch)
• Some highlights:
  • The Dutch proposal allows police "lawful intrusion" into
  computers located in the Netherlands or computers whose
  location cannot be established (like those running Tor
  hidden services). If the computer is clearly in another
  country, the intrusion shouldn't take place.
  • The Dutch proposal is not limited to cybercrime. It does
  seek to restrict the use of such intrusions to serious
  offenses only -- offenses that carry a certain minimum prison
  sentence.
  • It's not only about hacking to gather evidence, but also to
  disrupt/stop attacks or crimes in progress.
What we know so far
• “We don’t call it hacking, and we definitely don’t call it hacking
back, because we won’t be waiting until we are hacked. The more
appropriate term would be ‘lawful intrusion’.” - Peter Zinn, a senior
cybercrime adviser for the Dutch National High Tech Crime Unit (NHTCU)
• “Lawful interception and intrusion, done in a very strict and transparent
manner, will be necessary because in many cases cybercriminals will not
be from neighboring countries and may not even be from the European
Union. They will be from areas where it will be very hard to gather
evidence from, and we might not even be able to call the police force that
has the capacity to help us.” - Troels Oerting, the head of the European
Cybercrime Centre (EC3) at Europol
• “There are already similar agreements in the physical world. The Schengen
Area agreement, an agreement among 25 European countries that
abolishes passport and immigration control at their common
borders, allows police officers from one country to follow suspects into
another country while in hot pursuit.” - Troels Oerting, the head of the
European Cybercrime Centre (EC3) at Europol
What we know so far
• In the physical world, a police officer has the power to
detain suspects for 24 hours, search their bodies for
evidence, search their houses for evidence, use violence
against suspects if they don’t comply with orders and even
shoot them in certain circumstances, Oerting said. “We
accept this because we have a transparent system, we have
rules and we have the rule of law.”
• Why is it, then, that if they do some of those same things
on a computer, it suddenly becomes such a big privacy
issue and those actions should be banned? he asked. “I
think that we need to have a balance between
privacy, which I think we should respect, and
anonymity, which I think is dangerous.”
What can go wrong?
• How will this influence the market for zero-day vulnerabilities and the
overall security of software? What are the implications of police
joining intelligence agencies in buying 0days? Will this create an
incentive to keep those vulnerabilities unpatched? Will it decrease
overall software security or keep it from improving?
• Legal and privacy considerations: will Dutch police violate the
laws of other countries? Should they be arrested if they travel
there? If a lawyer claims police planted the evidence obtained in
this way, can police disprove it, given how computers work and the
computer environment?
• Who will help police do this? Should the police hire ethical hackers
(consultants) or should they train their own people?
• How will security vendors respond? Will they differentiate
between police attacks and malicious attacks?
• Ethical considerations.