[HN Gopher] NL national security law to grant automatic permissi...
___________________________________________________________________
NL national security law to grant automatic permission for targeted
surveillance
Author : pseudotrash
Score : 153 points
Date : 2023-06-07 16:55 UTC (6 hours ago)
(HTM) web link (aboutintel.eu)
(TXT) w3m dump (aboutintel.eu)
| jacquesm wrote:
| One example of where this would apply is for instance against
| criminals whose medium of information exchange has been
| compromised. Yes, they are 'victims', but they are also perps and
| probably in much worse crimes than the original hack of their
| comms.
|
| An example of such a situation is the EncroChat hack.
| radicalbyte wrote:
| The thing is, is that we've had an oversight commission who
| reacted quickly to decide in those cases. That worked, it
| provided oversight.
|
| Now they want free rein to spy on everyone.
| jacquesm wrote:
| Wanting something and getting it aren't the same thing and it
| wouldn't be the first time that something like this gets
| enacted and then gets shut down again.
|
| My main worry would be journalists, those are at some danger
| from stuff like this especially when they are protecting
| their sources. If this ever gets abused that's where I would
| expect it to happen.
| Nevermark wrote:
| I don't follow your logic. It seems to be a circular way of
| downplaying the law's potential for harm.
|
| I am sure you are right, harmful laws have been passed, and
| then on the basis of their harm, repealed.
|
| But if we are to be reassured that since the law is harmful
| it will be repealed, that is an illusionary reassurance.
| Clearly not all harmful laws are repealed, even if some
| are.
|
| And even repealed harmful laws are likely not repealed
| until the harm they cause is very evident. Meaning great
| harm has been done.
| jacquesm wrote:
| That's not how I read the law with the supplied context.
|
| It basically reads like this - translation/interpretation
| errors are mine: Any machine that is compromised by a
| hacker and that leads to other machines that are _also_
| compromised by this hacker are fair game in the process
| of an investigation.
|
| This ensures that the typical chain of wrapped
| connections can be pierced, even if some of those systems
| may well be compromised outside of the owners' knowledge.
| Yes, they are also victims, but their unsecured systems
| and accounts that are currently under the control of the
| hacker makes them a part of the investigation.
|
| It's no secret that hackers tend to use many layers of
| obfuscation in order to reach their ultimate target and
| this attempts to put a stop to that, with the nice side
| benefit that if one of the machines en-route is a
| communications server that other accounts found there are
| fair game (such as what happened with EncroChat, but
| there are also other examples).
|
| From what I can see this is all relatively
| straightforward, and as long as the usual safeguards are
| in place I do not see a problem with it. Investigators
| are often laughed at for their lack of digital chops,
| this doesn't match my own experience, the thing I do see
| is that they are almost always outmatched because of the
| constraints placed on their ability to investigate when
| it comes to digital crime. Some balance should be found
| here and given a relatively careful weighing of the
| interests of society and law enforcement I think this
| proposal really does its best to achieve such a balance.
| If and when it is abused I fully expect that abuse to be
| smacked down, as has happened numerous times.
|
| There always will be a tension between LE on the one side
| and society on the other, LE only has as much power as we
| collectively grant them and oversight is the ultimate
| arbiter of what is and what isn't permissible.
|
| As for the context: this is NL we're talking about where
| such oversight really seems to work well, in other
| countries that may be a completely different story.
| Nevermark wrote:
| Removing huge legal safeguards, vastly expanding law
| enforcement's legal freedom, without adding back more
| nuanced safeguards, makes no sense.
|
| The history of good behavior of NL law enforcement took
| place, itself, under legal safeguards!
|
| What would have been abuses today, will no longer be
| abuses. So LE can now act in good faith in a far more
| pervasive manner.
|
| Unless you think the previous safeguards were
| superfluous, because of LE good sense, there should still
| be legal safeguards. More nuanced safeguards of course,
| that take into account the new LE freedoms. But still
| explicit legal safeguards.
|
| Otherwise, we are not just depending on LE to act in good
| faith, but to define good faith. Which is not a good
| system, or the system before, when safeguards were
| explicit.
| jacquesm wrote:
| This all presupposes that LE is acting in bad faith,
| which - so far - has not been my experience. There
| definitely have been exceptions and those have rightfully
| been smacked down, both AIVD and the regular police
| forces have seen judgments against them for trying to
| expand the envelope to the point that it was clear that
| was not the intent of the law.
|
| Those 'huge legal safeguards' in practice work out to a
| fairly loosely specified set of laws that are then
| interpreted as widely as possible by LE and subsequently
| tested in court whenever a party feels that they have
| overstepped the line. This method seems to work well
| enough that it has become standard procedure and of
| course new laws will be tested in a similar way. The
| current investigative process is often very dynamic, far
| more dynamic than the usual warrant process provides for
| and in that sense I can see the frustration about seeing
| a crime in progress and not being able to do something about
| it as something that would need addressing. The
| international nature of the net and the speed with which
| these situations develop would mean that the online
| equivalent of 'skipping state lines' would be enough for
| a perp to always get away with it. This is an undesirable
| situation. It is also undesirable that law enforcement
| would be handed tools that give them too much leeway.
| Whether this tool is one of those or not will depend very
| much on how it plays out, given what I know about how the
| oversight system here works I have very good confidence
| that if there is abuse that it will be stopped. Dutch LE
| has learned a lot from various incidents in the past,
| which led to various backlashes. So they stand to lose as
| much as they stand to gain here.
| coldtea wrote:
| That's one of the prime real use cases they'd care
| about...
| jacquesm wrote:
| Yes, and clearly there should be a very pointed note
| about journalists in this law if it is to be put into
| practice. But for the likes that use(d) EncroChat I'm all
| for it.
|
| Btw, both lawyers _and_ journalists have quite a few
| special protections under Dutch law and it isn't clear
| to me that this proposal would trump those protections,
| in fact if challenged I would expect the judiciary to
| affirm that those protections carry the most weight.
| ahubert wrote:
| Author here - the protections remain in theory, but will
| no longer be active beforehand. It is possible that the
| oversight committee finds the time to check afterwards,
| but they aren't obliged to do so. Also, by then the
| damage is done.
| jacquesm wrote:
| Yes, that's the risk, but: similar issues have been
| flagged in the past and in the end oversight won out so
| I'm not quite as worried as you are.
|
| A typical scenario is that a hacker is using a series of
| nested accesses to compromised systems, if the original
| warrant allows for tracking the hacker on the first
| system then there is no time to obtain warrants for the
| systems that are uncloaked as the result of the
| investigation, this happens pretty much in real time. So
| this provision allows the investigation to proceed and
| will have a reasonable time allowed to 'catch up'.
|
| It definitely is possible that it will be abused, but
| that will lead to this provision being disbanded, as has
| happened in the past when Dutch LE overstepped their
| authority. I'm fairly sure that those lessons - and the
| cases thrown out as a result - have been learned, but of
| course it is very well possible that we'll see a re-run.
|
| I'm on the fence on this one, I'd say let's see where it
| leads because it is clear to me that the digital world is
| moving _much_ faster than law enforcement can normally
| speaking keep up with and a lot of crime is perpetrated
| because of that. The risk of abuse of such methods is
| always present, and 'protections in theory' that are
| abused tend to find very unsympathetic judges in this
| country. It's fairly clear that something will have to
| change if LE is to keep up with the increase in online
| crime, whether this overshoots the mark or not remains -
| in my view - to be seen. It definitely has that risk, but
| then again, so would every other proposal short of the
| status quo and that clearly isn't effective enough.
| radicalbyte wrote:
| I'm worried about minorities; our government has a terrible
| record in recent years.
|
| They'll use this to hound poor people and anyone who isn't
| white.
| jacquesm wrote:
| That's a fair criticism, they really do, and any kind of
| law tends to disproportionally target minorities.
|
| That said, I fail to see how this particular law could be
| abused in that way, after all, the typical hacking
| investigation doesn't really know much about the perp
| until the moment of apprehension. It's _after_ that
| moment that most of the concern for minorities should
| kick in, because most of the real life trouble has to do
| with abusive treatment by the authorities once someone
| became an identified target. Racial profiling and all
| kinds of other abuses have been heaped upon minorities
| time and again, but in the context of hacking suspects
| prior to apprehension I have no evidence that this has
| happened.
|
| Usually the problem that this phase of an investigation
| focuses on (the access to systems that are compromised)
| is when the hacker is still unknown other than that the
| authorities are aware they exist.
|
| But I don't doubt that if someone does get arrested and
| they happen to be a minority that the system will not
| treat them equally compared to someone who is not a
| minority. This is a systemic problem that needs
| addressing, but it isn't directly connected to this law.
| daenney wrote:
| It also applies to all victims of hackers, irrespective of
| whether the victims themselves are supposedly criminals or not.
| So if you get hacked, then suddenly the government can hack you
| too.
|
| No amount of hypothetical "it could also be used against
| criminals" balances out the bonkers overreach this represents.
| jacquesm wrote:
| In theory yes, but in practice this hasn't happened and I
| really don't expect it to happen. I've seen enough of LE in
| NL up close to have an idea of how it all hangs together and
| this article definitely has a point: the law should be worded
| more carefully but at the same time it isn't going to get out
| of hand the way the article would have you believe. Plenty of
| oversight here and judges that take conflicting laws fairly
| seriously (such as the GDPR, but also laws regarding the
| gathering of evidence and such).
|
| NL has lots of problems, but lack of judicial oversight over
| both the police and the intelligence services isn't one of
| them, in fact you could make a pretty good argument that the
| degree of oversight actually hinders going after tech savvy
| criminals. But better too much than too little. This law
| won't change that by much as far as I can see.
| costco wrote:
| "Going dark" is a scam -
| https://crimesciencejournal.biomedcentral.com/articles/10.11...
| for instance found that there
| was no difference in conviction rate for cases involving
| E2EE encryption vs those that didn't in the Netherlands.
| The government just wants the halcyon period of
| surveillance from late 1900s to the early 2000s back but
| these supposed tech savvy criminals almost never turn out
| to exist.
| jacquesm wrote:
| That's a different context entirely.
|
| Obviously the intelligence services would love to be able
| to tap phones the way they were able to in the past as
| well as to read all of your mail.
|
| But in practice the network analysis is as much or even
| more efficient than reading the mail itself in the
| investigation phase of a case.
| hulitu wrote:
| Another example is opposition politicians.
| rollulus wrote:
| The author of the article is Bert Hubert, starred frequently on
| HN [1] and has expertise in many fields, including the world of
| intelligence agencies.
|
| [1]: https://news.ycombinator.com/from?site=berthub.eu
| ahubert wrote:
| Well I try to :-)
| rollulus wrote:
| Now I'm star-struck. Thanks for your work.
| sam_lowry_ wrote:
| Thank you and please keep trying, Bert!
| ahubert wrote:
| Author here - I mirrored the page on
| https://berthub.eu/articles/posts/dutch-intel-law-about-inte...
| since y'all managed to take out the about:intel server!
| Rizz wrote:
| I suspect this is also to provide a legal framework to
| automatically remove malware from victims' computers, as has been
| done before by Dutch authorities without any law permitting such
| actions, and removing malware is obviously good for society.
| Rizz wrote:
| And of course it can also be used for gaining entry to hackers'
| systems by infiltrating c&c servers on third party hardware,
| which also had been done before by Dutch authorities without
| any existing legal framework to allow this.
| sam_lowry_ wrote:
| > automatically remove malware from victims' computers,
|
| Like uninstall Windows without permission?
| photochemsyn wrote:
| All adblock extensions, torrent software and end-to-end-
| encryption systems will now be classified as 'malware'.
| 13of40 wrote:
| Assuming a security analyst is allowed to look at content that's
| been identified as malicious beyond some threshold like 99.9%...
|
| And in order to address emerging threats, they should be able to
| apply their judgement based on threat indicators like known bad
| hashes, origin from known bad email addresses or IPs, etc. to
| call something malicious beyond that threshold...
|
| Does that mean that if they know your account is under attack
| they can just read all of your emails?
|
| I would give that a big "no" because unless your account has 999
| malicious emails in it for every benign one, they have not met
| the criteria.
| coldtea wrote:
| > _Does that mean that if they know your account is under
| attack they can just read all of your emails?_
|
| If they "suspect" it is more like it in practice, suspecting
| also meaning "when they want to target you".
| 13of40 wrote:
| My point is that unless they can make a case that some random
| email from your inbox is 99.9% likely to be malicious, then
| they should not be able to read it. Yes they have a button
| that lets them read it, but they should not press that
| button, and if they do they should get their ass sent to the
| clink.
| greatgib wrote:
| It is really scary the accelerating trend of creating regulations
| to restrict or violate basic human rights on the basis of straw
| man national security reasons...
|
| What is nice with this law is that they can look for things not
| related to the hack on target devices. If they see something
| incriminating against you not related to the case, they can still
| use it against you in a new procedure. Without warrant. How
| convenient.
|
| In addition, I can easily guess that they don't have to prove
| that you were really hacked, but mere suspicion or being a
| potential victim of the hackers might be enough.
| varispeed wrote:
| What makes me feel puzzled is I remember politicians were
| condemning these types of actions done in authoritarian
| countries. I now wonder whether that was a genuine concern or
| just a tool used for bargaining.
|
| I also find puzzling, that I remember people being outraged if
| country X did something and now when something like this gets
| done in Western countries, there is very much indifference.
|
| When I talked about this with a couple of friends, who are not
| interested in politics, they just shrugged it "why would anyone
| be interested in spying on me. I don't do anything wrong,
| so they can follow me to their heart's content. That would be a
| waste of time." and so on.
|
| Seems like indeed, the media are powerful in regulating
| emotions and turning the outrage up and down.
|
| If that topic was on the front pages, using the same language
| as some other issues that governments are using to cover up
| their ineptitude (so called dead cats), then maybe people would
| be more aware and inclined to do something about it. But I can
| imagine anyone trying to run these kinds of stories would be
| quickly shut down.
| tome wrote:
| > I remember politicians were condemning these types of
| actions done in authoritarian countries
|
| I don't remember it. Do you have some citations that would
| jog my memory?
| ljlolel wrote:
| See Hong Kong national security law
| ecshafer wrote:
| When a politician says a country is authoritarian, they don't
| really care about that. What they mean is that "this country
| is not friendly to our own imperial interests so they are
| bad".
|
| The media is owned by these same people that push these laws.
| FpUser wrote:
| When they do they're bad and we are the good guys. When we do
| it and are being called for it - it is whataboutism.
| localplume wrote:
| [dead]
| CTDOCodebases wrote:
| It's the pushback against technology.
|
| As technology makes individuals more powerful the state wishes
| to diminish this power.
| explorer83 wrote:
| So to my understanding what they are proposing is allowing you to
| be hacked by the government if you are a victim of hacking by
| another actor. I can see the value of this being able to access
| log files and other data that could assist in investigating the
| original hackers. I suppose they wouldn't want to always tip off
| the victim of hacking because the victim might change something
| that could scare away the original hackers or delete useful
| metadata before the investigation could be carried out. But it
| essentially could become a free pass for the state to hack
| anybody. Because 1.) Anyone with a public facing server knows
| there are bot hacking attempts made against them 24/7 or 2.) Just
| hire a 3rd party to hack someone then you have immediate cause to
| get access to their data. This article didn't seem to have
| definite answers what kind of protections would be put in place
| in these events. It sounded like they previously did try to word
| the law to only pertain to the original investigation but one can
| only wonder.
| jstarfish wrote:
| > Just hire a 3rd party to hack someone then you have immediate
| cause to get access to their data.
|
| This is absolutely what this is about.
|
| Prosecuting cybercrime is a nightmare, especially if it crosses
| international borders. NL has historically had a bad CSA
| hosting reputation, though I get the impression LEO hands have
| been tied.
|
| This legalizes fruit of the poisoned tree. Or at least, blurs
| the line until the fruit rolls into scope of plain-sight
| doctrine. Hire some Israelis to pop a machine and you won't
| have to deal with mapping Tor/VPN connections across all of the
| world's jurisdictions until it comes back to your own
| neighborhood.
|
| The way it's phrased, they're positioned to take down entire
| _networks_ of pedophiles. Compromise a host, then compromise
| anything connecting to it, etc.
|
| It's ugly but makes a lot of sense, and there really isn't a
| better solution short of limiting networks to national borders.
| Anybody who leads a long enough wild goose chase across the
| world is more untouchable than Pedo Sandiego. This cuts through
| the shenanigans.
|
| And unfortunately will be abused in time, but it solves the
| problems of today.
| mtlmtlmtlmtl wrote:
| I have exactly zero faith that this will solve anything. It
| will allow them to round up some people, make a big fuss
| about it in the press, and then the people they're chasing
| will simply adapt which is what always happens. Then, all
| that's left will be diminished rights for innocent people.
| jstarfish wrote:
| I agree, but look on the bright side-- you now know what to
| expect. They're being honest with you.
|
| In the US, they'd do this stuff and make up an elaborate
| story about how they came to discover the evidence they
| illegally obtained.
| [deleted]
| nonethewiser wrote:
| Yes. This simply makes it legal for the Dutch government to
| hack their citizens. It doesn't matter what the intentions or
| purported rules are, if they are self-regulating then there are
| no limits. The publicly stated intentions and rules only give
| some naive people peace of mind.
| belter wrote:
| Coming from the State that has not yet resolved one of the
| worst scandals ever...And from the Prime Minister that
| deleted official government data for years...
|
| "Dutch scandal serves as a warning for Europe over risks of
| using algorithms" -
| https://www.politico.eu/article/dutch-scandal-serves-as-a-wa...
|
| "Dutch PM has been deleting text messages daily for years:
| report" -
| https://nltimes.nl/2022/05/18/dutch-pm-deleting-text-message...
| FpUser wrote:
| And those fuckers are not in prison? And then they talk
| about "our democracy" and teaching other countries how to
| "respect human rights".
| kleiba wrote:
| https://en.wikipedia.org/wiki/Parliamentary_immunity
| FpUser wrote:
| I get it. But I think there should be some limits.
| Otherwise they can do just about anything and walk away.
| Taking away children on a basis of pure speculation I
| think is plain and clear crime from which they should not
| be absolved.
| bboygravity wrote:
| Don't overreact, they just kidnapped a few thousand kids
| from their families and placed them with foster parents due
| to some bureaucratic hiccups. No biggy.
|
| /s
| dotancohen wrote:
| > kidnapped a few thousand kids from their families
|
| What is this?
| FpUser wrote:
| A sarcasm if you take into account "no biggy" part
| axus wrote:
| https://nltimes.nl/2022/05/11/1675-children-removed-parents-...
| belter wrote:
| That is not even the worst...The government resigned
| because of the scandal. The article below is a "sad face"
| of the prime minister at the time. I leave it as exercise
| for the curious reader a comparison with the current
| prime minister...
|
| "Dutch government resigns over child benefits scandal" -
| https://www.theguardian.com/world/2021/jan/15/dutch-governme...
| Freestyler_3 wrote:
| And the same government is in place they just switched
| some roles around. The PM is still the same.
| redeeman wrote:
| It's funny how when it's "government" that does atrocities
| in the name of "government" and "democracy", it's simply a
| "scandal", but if you or I stormed in and kidnapped the
| children of members of parliament, it would be a
| "vicious attack on democracy".
|
| I wonder, at what point does a government become an
| enemy of the people, and defending oneself is legitimate?
| Is it when the storm troopers come to take your children
| based on false premises? If no, what is it then?
|
| I'm sure a "scandalized government" will say that it's
| "never", but really, when have criminals ever agreed that
| going against them is okay?
| teamspirit wrote:
| I'm having issues loading the page. https://archive.is/J3ieO if
| it helps anyone.
| [deleted]
| FpUser wrote:
| They are simply jealous of Hitler, Putin, Xi and other upstanding
| individuals.
___________________________________________________________________
(page generated 2023-06-07 23:01 UTC)