Dutch police ask for powers to plant malware, hack DDoS servers

Dutch police are set to get the power to hack people's computers as part of investigations - but antivirus experts say they won't help police reach their targets.

A bill before the Dutch government will give police the power to hack computers, read email and other files, and install spyware, according to the BBC.

It would also give police the power to legally hack into overseas servers, if they were part of a denial-of-service attack, for example.

F-Secure chief research officer Mikko Hypponen said such requests won't only come from Dutch police, as authorities in other countries will increasingly ask for such powers - not least as most investigations already involve looking through smartphones or PCs.

"This isn't going to go away, it's only going to get more and more important. All countries will be wanting rights and regulations," he told PC Pro.

"But the Dutch already had an unusually strong powers for the local police. They seem to be the forerunners in Europe, in how much rights police have to fight crime."

Hypponen said it's understandable why police want such powers, and admitted few would complain if it's used sparingly and only against guilty parties.

However, there's no question that innocent people would get caught up in police investigations, making transparency key.

"They should have to have serious enough crimes to even request such strong tools to be used," he said.

"And then, they should have to get a judge or court order, and even more importantly, they should afterwards make public how many citizens were hacked, and how many turned out to be guilty or innocent."

That last point is the most important, Hypponen said. "This is the key thing: if the police hack into your systems, the public needs to know," he said, calling for police to disclose what type of crimes the powers are used on, whether the police were successful in their hacking, and whether the targets turned out to be guilty or innocent.

He doesn't see such investigative hacking powers leading to an "arms race" between police and criminals, but between police and all citizens. "There will be guilty citizens and innocent citizens, and they will both be wanting to keep malware away from their computers."

That raises a problem for antivirus firms like his own, with antivirus firms potentially asked to cooperate with authorities to let an attack reach the target.

So far, Hypponen hasn't seen a single antivirus vendor cooperate with such a request, and said his own firm wouldn't want to take part. Purely for business reasons, it doesn't make sense to fail to protect customers and let malware through "regardless of the source".

Bounty hunters

Whether police have the skills to successful hack into computers isn't clear, but Hypponen said it wouldn't be ideal for them to outsource such tasks. However, it's likely police would follow the lead of other government agencies - such as intelligence and security - and buy vulnerabilities from third-party firms.

"It’s not just government in this picture," he said. "Many of the exploits being stockpiled are actually being developed by third parties, such as defence contractors or private companies looking for vulnerabilities." And they, of course, have no motivation to hand flaws in software over to the affected companies.

"I don’t like this development in general," he said. "It used to be black and white. If you were breaking into systems, you were the bad guy – you were the evil one. Now, over the past five years, the situation is changing very rapidly, with governments entering the picture."