[HN Gopher] NL national security law to grant automatic permissi...
___________________________________________________________________
NL national security law to grant automatic permission for targeted surveillance

Author : pseudotrash
Score  : 153 points
Date   : 2023-06-07 16:55 UTC (6 hours ago)

(HTM) web link (aboutintel.eu)
(TXT) w3m dump (aboutintel.eu)

| jacquesm wrote:
| One example of where this would apply is for instance against criminals whose medium of information exchange has been compromised. Yes, they are 'victims', but they are also perps and probably in much worse crimes than the original hack of their comms.
|
| An example of such a situation is the EncroChat hack.
| radicalbyte wrote:
| The thing is, is that we've had an oversight commission who reacted quickly to decide in those cases. That worked, it provided oversight.
|
| Now they want free rein to spy on everyone.
| jacquesm wrote:
| Wanting something and getting it aren't the same thing and it wouldn't be the first time that something like this gets enacted and then gets shut down again.
|
| My main worry would be journalists, those are at some danger from stuff like this especially when they are protecting their sources. If this ever gets abused that's where I would expect it to happen.
| Nevermark wrote:
| I don't follow your logic. It seems to be a circular way of downplaying the law's potential for harm.
|
| I am sure you are right, harmful laws have been passed, and then on the basis of their harm, repealed.
|
| But if we are to be reassured that since the law is harmful it will be repealed, that is an illusionary reassurance. Clearly not all harmful laws are repealed, even if some are.
|
| And even repealed harmful laws are likely not repealed until the harm they cause is very evident. Meaning great harm has been done.
| jacquesm wrote:
| That's not how I read the law with the supplied context.
|
| It basically reads like this - translation/interpretation errors are mine: Any machine that is compromised by a hacker and that leads to other machines that are _also_ compromised by this hacker are fair game in the process of an investigation.
|
| This ensures that the typical chain of wrapped connections can be pierced, even if some of those systems may well be compromised outside of the owner's knowledge. Yes, they are also victims, but their unsecured systems and accounts that are currently under the control of the hacker makes them a part of the investigation.
|
| It's no secret that hackers tend to use many layers of obfuscation in order to reach their ultimate target and this attempts to put a stop to that, with the nice side benefit that if one of the machines en-route is a communications server that other accounts found there are fair game (such as what happened with EncroChat, but there are also other examples).
|
| From what I can see this is all relatively straightforward, and as long as the usual safeguards are in place I do not see a problem with it. Investigators are often laughed at for their lack of digital chops, this doesn't match my own experience, the thing I do see is that they are almost always outmatched because of the constraints placed on their ability to investigate when it comes to digital crime. Some balance should be found here and given a relatively careful weighing of the interests of society and law enforcement I think this proposal really does its best to achieve such a balance. If and when it is abused I fully expect that abuse to be smacked down, as has happened numerous times.
|
| There always will be a tension between LE on the one side and society on the other, LE only has as much power as we collectively grant them and oversight is the ultimate arbiter of what is and what isn't permissible.
|
| As for the context: this is NL we're talking about where such oversight really seems to work well, in other countries that may be a completely different story.
| Nevermark wrote:
| Removing huge legal safeguards, vastly expanding law enforcement's legal freedom, without adding back more nuanced safeguards, makes no sense.
|
| The history of good behavior of NL law enforcement took place, itself, under legal safeguards!
|
| What would have been abuses today, will no longer be abuses. So LE can now act in good faith in a far more pervasive manner.
|
| Unless you think the previous safeguards were superfluous, because of LE good sense, there should still be legal safeguards. More nuanced safeguards of course, that take into account the new LE freedoms. But still explicit legal safeguards.
|
| Otherwise, we are not just depending on LE to act in good faith, but to define good faith. Which is not a good system, or the system before, when safeguards were explicit.
| jacquesm wrote:
| This all presupposes that LE is acting in bad faith, which - so far - has not been my experience. There definitely have been exceptions and those have rightfully been smacked down, both AIVD and the regular police forces have seen judgments against them for trying to expand the envelope to the point that it was clear that was not the intent of the law.
|
| Those 'huge legal safeguards' in practice work out to a fairly loosely specified set of laws that are then interpreted as widely as possible by LE and subsequently tested in court whenever a party feels that they have overstepped the line. This method seems to work well enough that it has become standard procedure and of course new laws will be tested in a similar way.
| The current investigative process is often very dynamic, far more dynamic than the usual warrant process provides for and in that sense I can see the frustration about seeing a crime in progress and not being able to do something about it as something that would need addressing. The international nature of the net and the speed with which these situations develop would mean that the online equivalent of 'skipping state lines' would be enough for a perp to always get away with it. This is an undesirable situation. It is also undesirable that law enforcement would be handed tools that give them too much leeway. Whether this tool is one of those or not will depend very much on how it plays out, given what I know about how the oversight system here works I have very good confidence that if there is abuse that it will be stopped. Dutch LE has learned a lot from various incidents in the past, which led to various backlashes. So they stand to lose as much as they stand to gain here.
| coldtea wrote:
| That's one of the prime real use cases they'd care about...
| jacquesm wrote:
| Yes, and clearly there should be a very pointed note about journalists in this law if it is to be put into practice. But for the likes that use(d) EncroChat I'm all for it.
|
| Btw, both lawyers _and_ journalists have quite a few special protections under Dutch law and it isn't clear to me that this proposal would trump those protections, in fact if challenged I would expect the judiciary to affirm that those protections carry the most weight.
| ahubert wrote:
| Author here - the protections remain in theory, but will no longer be active beforehand. It is possible that the oversight committee finds the time to check afterwards, but they aren't obliged to do so. Also, by then the damage is done.
| jacquesm wrote:
| Yes, that's the risk, but: similar issues have been flagged in the past and in the end oversight won out so I'm not quite as worried as you are.
|
| A typical scenario is that a hacker is using a series of nested accesses to compromised systems, if the original warrant allows for tracking the hacker on the first system then there is no time to obtain warrants for the systems that are uncloaked as the result of the investigation, this happens pretty much in real time. So this provision allows the investigation to proceed and will have a reasonable time allowed to 'catch up'.
|
| It definitely is possible that it will be abused, but that will lead to this provision being disbanded, as has happened in the past when Dutch LE overstepped their authority. I'm fairly sure that those lessons - and the cases thrown out as a result - have been learned, but of course it is very well possible that we'll see a re-run.
|
| I'm on the fence on this one, I'd say let's see where it leads because it is clear to me that the digital world is moving _much_ faster than law enforcement can normally speaking keep up with and a lot of crime is perpetrated because of that. The risk of abuse of such methods is always present, and 'protections in theory' that are abused tend to find very unsympathetic judges in this country. It's fairly clear that something will have to change if LE is to keep up with the increase in online crime, whether this overshoots the mark or not remains - in my view - to be seen. It definitely has that risk, but then again, so would every other proposal short of the status quo and that clearly isn't effective enough.
| radicalbyte wrote:
| I'm worried about minorities; our government has a terrible record in recent years.
|
| They'll use this to hound poor people and anyone who isn't white.
| jacquesm wrote:
| That's a fair criticism, they really do, and any kind of law tends to disproportionally target minorities.
|
| That said, I fail to see how this particular law could be abused in that way, after all, the typical hacking investigation doesn't really know much about the perp until the moment of apprehension. It's _after_ that moment that most of the concern for minorities should kick in, because most of the real life trouble has to do with abusive treatment by the authorities once someone became an identified target. Racial profiling and all kinds of other abuses have been heaped upon minorities time and again, but in the context of hacking suspects prior to apprehension I have no evidence that this has happened.
|
| Usually the problem that this phase of an investigation focuses on (the access to systems that are compromised) is when the hacker is still unknown other than that the authorities are aware they exist.
|
| But I don't doubt that if someone does get arrested and they happen to be a minority that the system will not treat them equally compared to someone who is not a minority. This is a systemic problem that needs addressing, but it isn't directly connected to this law.
| daenney wrote:
| It also applies to all victims of hackers, irrespective of whether the victims themselves are supposedly criminals or not. So if you get hacked, then suddenly the government can hack you too.
|
| No amount of hypothetical "it could also be used against criminals" balances out the bonkers overreach this represents.
| jacquesm wrote:
| In theory yes, but in practice this hasn't happened and I really don't expect it to happen. I've seen enough of LE in NL up close to have an idea of how it all hangs together and this article definitely has a point: the law should be worded more carefully but at the same time it isn't going to get out of hand the way the article would have you believe.
| Plenty of oversight here and judges that take conflicting laws fairly seriously (such as the GDPR, but also laws regarding the gathering of evidence and such).
|
| NL has lots of problems, but lack of judicial oversight over both the police and the intelligence services isn't one of them, in fact you could make a pretty good argument that the degree of oversight actually hinders going after tech savvy criminals. But better too much than too little. This law won't change that by much as far as I can see.
| costco wrote:
| "Going dark" is a scam - https://crimesciencejournal.biomedcentral.com/articles/10.11... for instance found that there was no difference in conviction rate for cases involving E2EE encryption vs those that didn't in the Netherlands. The government just wants the halcyon period of surveillance from late 1900s to the early 2000s back but these supposed tech savvy criminals almost never turn out to exist.
| jacquesm wrote:
| That's a different context entirely.
|
| Obviously the intelligence services would love to be able to tap phones the way they were able to in the past as well as to read all of your mail.
|
| But in practice the network analysis is as much or even more efficient than reading the mail itself in the investigation phase of a case.
| hulitu wrote:
| Another example are opposition's politicians.
| rollulus wrote:
| The author of the article is Bert Hubert, starred frequently on HN [1] and has expertise in many fields, including the world of intelligence agencies.
|
| [1]: https://news.ycombinator.com/from?site=berthub.eu
| ahubert wrote:
| Well I try to :-)
| rollulus wrote:
| Now I'm star-struck. Thanks for your work.
| sam_lowry_ wrote:
| Thank you and please keep trying, Bert!
| ahubert wrote:
| Author here - I mirrored the page on https://berthub.eu/articles/posts/dutch-intel-law-about-inte... since y'all managed to take out the about:intel server!
| Rizz wrote:
| I suspect this is also to provide a legal framework to automatically remove malware from victim's computers, as has been done before by Dutch authorities without any law permitting such actions, and removing malware is obviously good for society.
| Rizz wrote:
| And of course it can also be used for gaining entry to hackers' systems by infiltrating c&c servers on third party hardware, which also had been done before by Dutch authorities without any existing legal framework to allow this.
| sam_lowry_ wrote:
| > automatically remove malware from victim's computers,
|
| Like uninstall Windows without permission?
| photochemsyn wrote:
| All adblock extensions, torrent software and end-to-end-encryption systems will now be classified as 'malware'.
| 13of40 wrote:
| Assuming a security analyst is allowed to look at content that's been identified as malicious beyond some threshold like 99.9%...
|
| And in order to address emerging threats, they should be able to apply their judgement based on threat indicators like known bad hashes, origin from known bad email addresses or IPs, etc. to call something malicious beyond that threshold...
|
| Does that mean that if they know your account is under attack they can just read all of your emails?
|
| I would give that a big "no" because unless your account has 999 malicious emails in it for every benign one, they have not met the criteria.
| coldtea wrote:
| > _Does that mean that if they know your account is under attack they can just read all of your emails?_
|
| If they "suspect" it is more like it in practice, suspecting also meaning "when they want to target you".
| 13of40 wrote:
| My point is that unless they can make a case that some random email from your inbox is 99.9% likely to be malicious, then they should not be able to read it.
| Yes they have a button that lets them read it, but they should not press that button, and if they do they should get their ass sent to the clink.
| greatgib wrote:
| It is really scary the accelerating trend of creating regulations to restrict or violate basic human rights on the basis of straw man national security reasons...
|
| What is nice with this law is that they can look for things not related to the hack on target devices. If they see something incriminating against you not related to the case, they can still use it against you in a new procedure. Without warrant. How convenient.
|
| In addition, I can easily guess that they don't have to prove that you were really hacked, but mere suspicion or being a potential victim of the hackers might be enough.
| varispeed wrote:
| What makes me feel puzzled is I remember politicians were condemning these type of actions done in authoritarian countries. I now wonder whether that was a genuine concern or just a tool used for bargaining.
|
| I also find puzzling, that I remember people being outraged if country X did something and now when something like this gets done in Western countries, there is very much indifference.
|
| When I talked about this with a couple of friends, who are not interested in politics, they just shrugged it "why would anyone would be interested in spying on me. I don't do anything wrong, so they can follow me to their heart's content. That would be a waste of time." and so on.
|
| Seems like indeed, the media are powerful in regulating emotions and turning the outrage up and down.
|
| If that topic was on the front pages, using the same language as some other issues that governments are using to cover up their ineptitude (so called dead cats), then maybe people would be more aware and inclined to do something about it. But I can imagine anyone trying to run these kind of stories would be quickly shut down.
| tome wrote:
| > I remember politicians were condemning these type of actions done in authoritarian countries
|
| I don't remember it. Do you have some citations that would jog my memory?
| ljlolel wrote:
| See Hong Kong national security law
| ecshafer wrote:
| When a politician says a country is authoritarian, they don't really care about that. What they mean is that "this country is not friendly to our own imperial interests so they are bad".
|
| The media is owned by these same people that push these laws.
| FpUser wrote:
| When they do they're bad and we are the good guys. When we do it and are being called for it - it is whataboutism.
| localplume wrote:
| [dead]
| CTDOCodebases wrote:
| It's the pushback against technology.
|
| As technology makes individuals more powerful the state wishes to diminish this power.
| explorer83 wrote:
| So to my understanding what they are proposing is allowing you to be hacked by the government if you are a victim of hacking by another actor. I can see the value of this being able to access log files and other data that could assist in investigating the original hackers. I suppose they wouldn't want to always tip off the victim of hacking because the victim might change something that could scare away the original hackers or delete useful metadata before the investigation could be carried out. But it essentially could become a free pass for the state to hack anybody. Because 1.) Anyone with a public facing server knows there are bot hacking attempts made against them 24/7 or 2.) Just hire a 3rd party to hack someone then you have immediate cause to get access to their data. This article didn't seem to have definite answers what kind of protections would be put in place in these events. It sounded like they previously did try to word the law to only pertain to the original investigation but one can only wonder.
| jstarfish wrote:
| > Just hire a 3rd party to hack someone then you have immediate cause to get access to their data.
|
| This is absolutely what this is about.
|
| Prosecuting cybercrime is a nightmare, especially if it crosses international borders. NL has historically had a bad CSA hosting reputation, though I get the impression LEO hands have been tied.
|
| This legalizes fruit of the poisoned tree. Or at least, blurs the line until the fruit rolls into scope of plain-sight doctrine. Hire some Israelis to pop a machine and you won't have to deal with mapping Tor/VPN connections across all of the world's jurisdictions until it comes back to your own neighborhood.
|
| The way it's phrased, they're positioned to take down entire _networks_ of pedophiles. Compromise a host, then compromise anything connecting to it, etc.
|
| It's ugly but makes a lot of sense, and there really isn't a better solution short of limiting networks to national borders. Anybody who leads a long enough wild goose chase across the world is more untouchable than Pedo Sandiego. This cuts through the shenanigans.
|
| And unfortunately will be abused in time, but it solves the problems of today.
| mtlmtlmtlmtl wrote:
| I have exactly zero faith that this will solve anything. It will allow them to round up some people, make a big fuss about it in the press, and then the people they're chasing will simply adapt which is what always happens. Then, all that's left will be diminished rights for innocent people.
| jstarfish wrote:
| I agree, but look on the bright side-- you now know what to expect. They're being honest with you.
|
| In the US, they'd do this stuff and make up an elaborate story about how they came to discover the evidence they illegally obtained.
| [deleted]
| nonethewiser wrote:
| Yes. This simply makes it legal for the Dutch government to hack their citizens.
| It doesn't matter what the intentions or purported rules are, if they are self-regulating then there are no limits. The publicly stated intentions and rules only give some naive people peace of mind.
| belter wrote:
| Coming from the State that has not yet resolved one of the worst scandals ever...And from the Prime Minister that deleted official government data for years...
|
| "Dutch scandal serves as a warning for Europe over risks of using algorithms" - https://www.politico.eu/article/dutch-scandal-serves-as-a-wa...
|
| "Dutch PM has been deleting text messages daily for years: report" - https://nltimes.nl/2022/05/18/dutch-pm-deleting-text-message...
| FpUser wrote:
| And those fuckers are not in prison? And then they talk about "our democracy" and teaching other countries how to "respect human rights".
| kleiba wrote:
| https://en.wikipedia.org/wiki/Parliamentary_immunity
| FpUser wrote:
| I get it. But I think there should be some limits. Otherwise they can do just about anything and walk away. Taking away children on a basis of pure speculation I think is plain and clear crime from which they should not be absolved.
| bboygravity wrote:
| Don't overreact, they just kidnapped a few thousand kids from their families and placed them with foster parents due to some bureaucratic hiccups. No biggy.
|
| /s
| dotancohen wrote:
| > kidnapped a few thousand kids from their families
|
| What is this?
| FpUser wrote:
| A sarcasm if you take into account "no biggy" part
| axus wrote:
| https://nltimes.nl/2022/05/11/1675-children-removed-parents-...
| belter wrote:
| That is not even the worst...The government resigned because of the scandal. The article below is a "sad face" of the prime minister at the time. I leave it as exercise for the curious reader a comparison with the current prime minister...
|
| "Dutch government resigns over child benefits scandal" - https://www.theguardian.com/world/2021/jan/15/dutch-governme...
| Freestyler_3 wrote:
| And the same government is in place they just switched some roles around. The PM is still the same.
| redeeman wrote:
| it's funny how when it's "government" that does atrocities in the name of "government" and "democracy", it's simply a "scandal", but if you or I stormed in and kidnapped the children of members of parliament, it would be a "vicious attack on democracy".
|
| I wonder, at what point does a government become an enemy of the people, and defending oneself is legitimate? is it when the storm troopers come to take your children based on false premises? if no, what is it then?
|
| I'm sure a "scandalized government" will say that it's "never", but really, when have criminals ever agreed that going against them is okay?
| teamspirit wrote:
| I'm having issues loading the page. https://archive.is/J3ieO if it helps anyone.
| [deleted]
| FpUser wrote:
| They are simply jealous of Hitler, Putin, Xi and other upstanding individuals.
___________________________________________________________________
(page generated 2023-06-07 23:01 UTC)