NL national security law to grant automatic permission for targeted surveillance (aboutintel.eu)
210 points by pseudotrash on June 7, 2023 | 66 comments



It is really scary the accelerating trend of creating regulations to restrict or violate basic human rights on the basis of straw man national security reasons...

What is nice with this law is that they can look for things not related to the hack on target devices. If they see something incriminating against you not related to the case, they can still use it against you in a new procedure. Without warrant. How convenient.

In addition, I can easily guess that they don't have to prove that you were really hacked, but mere suspicion or being a potential victim of the hackers might be enough.


What makes me feel puzzled is I remember politicians were condemning these types of actions done in authoritarian countries. I now wonder whether that was a genuine concern or just a tool used for bargaining.

I also find puzzling, that I remember people being outraged if country X did something and now when something like this gets done in Western countries, there is very much indifference.

When I talked about this with a couple of friends, who are not interested in politics, they just shrugged it off: "why would anyone be interested in spying on me. I don't do anything wrong, so they can follow me to their heart's content. That would be a waste of time." and so on.

Seems like indeed, the media are powerful in regulating emotions and turning the outrage up and down.

If that topic was on the front pages, using the same language as some other issues that governments are using to cover up their ineptitude (so called dead cats), then maybe people would be more aware and inclined to do something about it. But I can imagine anyone trying to run these kinds of stories would be quickly shut down.


When a politician says a country is authoritarian, they don't really care about that. What they mean is that "this country is not friendly to our own imperial interests so they are bad".

The media is owned by these same people that push these laws.


> I also find puzzling, that I remember people being outraged if country X did something and now when something like this gets done in Western countries, there is very much indifference.

This also works the other way around. For example, if some far right group in US uses Nazi symbolism, people get understandably outraged, and the system goes into overdrive to destroy the groups and people involved. On the other hand, when random photos of Ukrainian soldiers with Nazi patches sewed to their uniforms keep popping up, the New York Times talks about “complicated relationship with Nazi imagery”.

https://www.nytimes.com/2023/06/05/world/europe/nazi-symbols...

The point is, all that matters is “who whom”, and there is little point in trying to parse and analyze the arguments made by powers on rational, objective level. These are always self-serving, and if you take these at face value and respond to the content, you have been successfully fooled.


> I remember politicians were condemning these types of actions done in authoritarian countries

I don't remember it. Do you have some citations that would jog my memory?



See Hong Kong national security law


When they do they're bad and we are the good guys. When we do it and are being called for it - it is whataboutism.


It's the pushback against technology.

As technology makes individuals more powerful the state wishes to diminish this power.


So to my understanding what they are proposing is allowing you to be hacked by the government if you are a victim of hacking by another actor. I can see the value of this being able to access log files and other data that could assist in investigating the original hackers. I suppose they wouldn't want to always tip off the victim of hacking because the victim might change something that could scare away the original hackers or delete useful metadata before the investigation could be carried out. But it essentially could become a free pass for the state to hack anybody. Because 1.) Anyone with a public facing server knows there are bot hacking attempts made against them 24/7 or 2.) Just hire a 3rd party to hack someone then you have immediate cause to get access to their data. This article didn't seem to have definite answers on what kind of protections would be put in place in these events. It sounded like they previously did try to word the law to only pertain to the original investigation but one can only wonder.


> Just hire a 3rd party to hack someone then you have immediate cause to get access to their data.

This is absolutely what this is about.

Prosecuting cybercrime is a nightmare, especially if it crosses international borders. NL has historically had a bad CSA hosting reputation, though I get the impression LEO hands have been tied.

This legalizes fruit of the poisoned tree. Or at least, blurs the line until the fruit rolls into scope of plain-sight doctrine. Hire some Israelis to pop a machine and you won't have to deal with mapping Tor/VPN connections across all of the world's jurisdictions until it comes back to your own neighborhood.

The way it's phrased, they're positioned to take down entire networks of pedophiles. Compromise a host, then compromise anything connecting to it, etc.

It's ugly but makes a lot of sense, and there really isn't a better solution short of limiting networks to national borders. Anybody who leads a long enough wild goose chase across the world is more untouchable than Pedo Sandiego. This cuts through the shenanigans.

And unfortunately will be abused in time, but it solves the problems of today.


I have exactly zero faith that this will solve anything. It will allow them to round up some people, make a big fuss about it in the press, and then the people they're chasing will simply adapt which is what always happens. Then, all that's left will be diminished rights for innocent people.


I agree, but look on the bright side-- you now know what to expect. They're being honest with you.

In the US, they'd do this stuff and make up an elaborate story about how they came to discover the evidence they illegally obtained.


Yes. This simply makes it legal for the Dutch government to hack their citizens. It doesn't matter what the intentions or purported rules are, if they are self-regulating then there are no limits. The publicly stated intentions and rules only give some naive people peace of mind.


Coming from the State that did not yet resolve one of the worst scandals ever... And from the Prime Minister that deleted official government data for years...

"Dutch scandal serves as a warning for Europe over risks of using algorithms" - https://www.politico.eu/article/dutch-scandal-serves-as-a-wa...

"Dutch PM has been deleting text messages daily for years: report" - https://nltimes.nl/2022/05/18/dutch-pm-deleting-text-message...


Don't overreact, they just kidnapped a few thousand kids from their families and placed them with foster parents due to some bureaucratic hiccups. No biggy.

/s


That is not even the worst... The government resigned because of the scandal. The article below is a "sad face" of the prime minister at the time. I leave it as an exercise for the curious reader a comparison with the current prime minister...

"Dutch government resigns over child benefits scandal" - https://www.theguardian.com/world/2021/jan/15/dutch-governme...


it's funny how when it's "government" that does atrocities in the name of "government" and "democracy", it's simply a "scandal", but if you or I stormed in and kidnapped the children of members of parliament, it would be a "vicious attack on democracy".

I wonder, at what point does a government become an enemy of the people, and defending oneself is legitimate? is it when the storm troopers come to take your children based on false premises? if no, what is it then?

I'm sure a "scandalized government" will say that it's "never", but really, when have criminals ever agreed that going against them is okay?


And the same government is in place they just switched some roles around. The PM is still the same.


> kidnapped a few thousand kids from their families

What is this?



Sarcasm, if you take into account the "no biggy" part


And those fuckers are not in prison? And then they talk about "our democracy" and teaching other countries how to "respect human rights".



I get it. But I think there should be some limits. Otherwise they can do just about anything and walk away. Taking away children on a basis of pure speculation I think is plain and clear crime from which they should not be absolved.


True, and that has happened, of course. But luckily, immunity can also be revoked.


Author here - I mirrored the page on https://berthub.eu/articles/posts/dutch-intel-law-about-inte... since y'all managed to take out the about:intel server!


Blimey watch what you share in your tweets man. It's not like we need to explain loud balancing to you?


The author of the article is Bert Hubert, starred frequently on HN [1] and has expertise in many fields, including the world of intelligence agencies.

[1]: https://news.ycombinator.com/from?site=berthub.eu


Well I try to :-)


Now I’m star-struck. Thanks for your work.


Thank you and please keep trying, Bert!


I'm having issues loading the page. https://archive.is/J3ieO if it helps anyone.


Assuming a security analyst is allowed to look at content that's been identified as malicious beyond some threshold like 99.9%...

And in order to address emerging threats, they should be able to apply their judgement based on threat indicators like known bad hashes, origin from known bad email addresses or IPs, etc. to call something malicious beyond that threshold...

Does that mean that if they know your account is under attack they can just read all of your emails?

I would give that a big "no" because unless your account has 999 malicious emails in it for every benign one, they have not met the criteria.


>Does that mean that if they know your account is under attack they can just read all of your emails?

If they "suspect" it is more like it in practice, suspecting also meaning "when they want to target you".


My point is that unless they can make a case that some random email from your inbox is 99.9% likely to be malicious, then they should not be able to read it. Yes they have a button that lets them read it, but they should not press that button, and if they do they should get their ass sent to the clink.


>but they should not press that button, and if they do they should get their ass sent to the clink

They'll be the ones helping send others to the clink and being best buddies with those who do, so fat chance of that restraint or punishment getting to them.


It sounds really scary, but it’s so they can actually collect evidence. Now they target a hacking group but can’t break in with their targets to actually collect evidence.

They still need a judge to provide a warrant, there is still oversight.

In practice not much will change, except they only have to ask for 1 warrant instead of 10 like they do now.


One example of where this would apply is for instance against criminals whose medium of information exchange has been compromised. Yes, they are 'victims', but they are also perps and probably in much worse crimes than the original hack of their comms.

An example of such a situation is the EncroChat hack.


It also applies to all victims of hackers, irrespective of whether the victims themselves are supposedly criminals or not. So if you get hacked, then suddenly the government can hack you too.

No amount of hypothetical "it could also be used against criminals" balances out the bonkers overreach this represents.


In theory yes, but in practice this hasn't happened and I really don't expect it to happen. I've seen enough of LE in NL up close to have an idea of how it all hangs together and this article definitely has a point: the law should be worded more carefully but at the same time it isn't going to get out of hand the way the article would have you believe. Plenty of oversight here and judges that take conflicting laws fairly seriously (such as the GDPR, but also laws regarding the gathering of evidence and such).

NL has lots of problems, but lack of judicial oversight over both the police and the intelligence services isn't one of them, in fact you could make a pretty good argument that the degree of oversight actually hinders going after tech savvy criminals. But better too much than too little. This law won't change that by much as far as I can see.


"Going dark" is a scam - https://crimesciencejournal.biomedcentral.com/articles/10.11... for instance found that there was no difference in conviction rate for cases involving E2EE encryption vs those that didn't in the Netherlands. The government just wants the halcyon period of surveillance from late 1900s to the early 2000s back but these supposed tech savvy criminals almost never turn out to exist.


That's a different context entirely.

Obviously the intelligence services would love to be able to tap phones the way they were able to in the past as well as to read all of your mail.

But in practice the network analysis is as much or even more efficient than reading the mail itself in the investigation phase of a case.


You say "this hasn't happened" and "plenty of oversight", but the president of the review committee just resigned because of this. And she isn't allowed to inform the public nor parliament of what has already been happening, even before this change. As in, examples of the type of surveillance already happening have been redacted from the annual report of the review committee [0]. The annual report was specifically made to omit operational details and only inform of the general picture, but parts have been declared state secret. The now ex-president of the review committee stated she could not inform parliament because she did not want to go to prison for 15 years [1].

0: https://www.tweedekamer.nl/kamerstukken/detail?id=2023Z05165...

1: https://debatdirect.tweedekamer.nl/2023-03-30/binnenlandse-z...


The thing is, is that we've had an oversight commission who reacted quickly to decide in those cases. That worked, it provided oversight.

Now they want free rein to spy on everyone.


Wanting something and getting it aren't the same thing and it wouldn't be the first time that something like this gets enacted and then gets shut down again.

My main worry would be journalists, those are at some danger from stuff like this especially when they are protecting their sources. If this ever gets abused that's where I would expect it to happen.


I don't follow your logic. It seems to be a circular way of downplaying the law's potential for harm.

I am sure you are right, harmful laws have been passed, and then on the basis of their harm, repealed.

But if we are to be reassured that since the law is harmful it will be repealed, that is an illusionary reassurance. Clearly not all harmful laws are repealed, even if some are.

And even repealed harmful laws are likely not repealed until the harm they cause is very evident. Meaning great harm has been done.


That's not how I read the law with the supplied context.

It basically reads like this - translation/interpretation errors are mine: Any machine that is compromised by a hacker and that leads to other machines that are also compromised by this hacker are fair game in the process of an investigation.

This ensures that the typical chain of wrapped connections can be pierced, even if some of those systems may well be compromised outside of the owner's knowledge. Yes, they are also victims, but their unsecured systems and accounts that are currently under the control of the hacker make them a part of the investigation.

It's no secret that hackers tend to use many layers of obfuscation in order to reach their ultimate target and this attempts to put a stop to that, with the nice side benefit that if one of the machines en-route is a communications server that other accounts found there are fair game (such as what happened with EncroChat, but there are also other examples).

From what I can see this is all relatively straightforward, and as long as the usual safeguards are in place I do not see a problem with it. Investigators are often laughed at for their lack of digital chops, this doesn't match my own experience, the thing I do see is that they are almost always outmatched because of the constraints placed on their ability to investigate when it comes to digital crime. Some balance should be found here and given a relatively careful weighing of the interests of society and law enforcement I think this proposal really does its best to achieve such a balance. If and when it is abused I fully expect that abuse to be smacked down, as has happened numerous times.

There always will be a tension between LE on the one side and society on the other, LE only has as much power as we collectively grant them and oversight is the ultimate arbiter of what is and what isn't permissible.

As for the context: this is NL we're talking about where such oversight really seems to work well, in other countries that may be a completely different story.


Removing huge legal safeguards, vastly expanding law enforcement's legal freedom, without adding back more nuanced safeguards, makes no sense.

The history of good behavior of NL law enforcement took place, itself, under legal safeguards!

What would have been abuses today, will no longer be abuses. So LE can now act in good faith in a far more pervasive manner.

Unless you think the previous safeguards were superfluous, because of LE good sense, there should still be legal safeguards. More nuanced safeguards of course, that take into account the new LE freedoms. But still explicit legal safeguards.

Otherwise, we are not just depending on LE to act in good faith, but to define good faith. Which is not a good system, or the system before, when safeguards were explicit.


This all presupposes that LE is acting in bad faith, which - so far - has not been my experience. There definitely have been exceptions and those have rightfully been smacked down, both AIVD and the regular police forces have seen judgments against them for trying to expand the envelope to the point that it was clear that was not the intent of the law.

Those 'huge legal safeguards' in practice work out to a fairly loosely specified set of laws that are then interpreted as widely as possible by LE and subsequently tested in court whenever a party feels that they have overstepped the line. This method seems to work well enough that it has become standard procedure and of course new laws will be tested in a similar way. The current investigative process is often very dynamic, far more dynamic than the usual warrant process provides for and in that sense I can see the frustration about seeing a crime in progress and not being able to do something about it as something that would need addressing. The international nature of the net and the speed with which these situations develop would mean that the online equivalent of 'skipping state lines' would be enough for a perp to always get away with it. This is an undesirable situation. It is also undesirable that law enforcement would be handed tools that give them too much leeway. Whether this tool is one of those or not will depend very much on how it plays out, given what I know about how the oversight system here works I have very good confidence that if there is abuse that it will be stopped. Dutch LE has learned a lot from various incidents in the past, which led to various backlashes. So they stand to lose as much as they stand to gain here.


The PRIMARY purpose for safeguards, is to document what good faith means, so it has some objective agreed upon ethical meaning.

(The fallback purpose for safeguards is for when bad faith occurs, to provide a documentable reason for taking corrective action.)

"Good faith" with legally defined safeguards is a much clearer and safer situation than "good faith" without a clear definition of what standards, if any, impact what "good faith" could possibly mean.


I'm worried about minorities; our government has a terrible record in recent years.

They'll use this to hound poor people and anyone who isn't white.


That's a fair criticism, they really do, and any kind of law tends to disproportionally target minorities.

That said, I fail to see how this particular law could be abused in that way, after all, the typical hacking investigation doesn't really know much about the perp until the moment of apprehension. It's after that moment that most of the concern for minorities should kick in, because most of the real life trouble has to do with abusive treatment by the authorities once someone became an identified target. Racial profiling and all kinds of other abuses have been heaped upon minorities time and again, but in the context of hacking suspects prior to apprehension I have no evidence that this has happened.

Usually the problem that this phase of an investigation focuses on (the access to systems that are compromised) is when the hacker is still unknown other than that the authorities are aware they exist.

But I don't doubt that if someone does get arrested and they happen to be a minority that the system will not treat them equally compared to someone who is not a minority. This is a systemic problem that needs addressing, but it isn't directly connected to this law.


That's one of the prime real use cases they'd care about...


Yes, and clearly there should be a very pointed note about journalists in this law if it is to be put into practice. But for the likes that use(d) EncroChat I'm all for it.

Btw, both lawyers and journalists have quite a few special protections under Dutch law and it isn't clear to me that this proposal would trump those protections, in fact if challenged I would expect the judiciary to affirm that those protections carry the most weight.


Author here - the protections remain in theory, but will no longer be active beforehand. It is possible that the oversight committee finds the time to check afterwards, but they aren't obliged to do so. Also, by then the damage is done.


Yes, that's the risk, but: similar issues have been flagged in the past and in the end oversight won out so I'm not quite as worried as you are.

A typical scenario is that a hacker is using a series of nested accesses to compromised systems, if the original warrant allows for tracking the hacker on the first system then there is no time to obtain warrants for the systems that are uncloaked as the result of the investigation, this happens pretty much in real time. So this provision allows the investigation to proceed and will have a reasonable time allowed to 'catch up'.

It definitely is possible that it will be abused, but that will lead to this provision being disbanded, as has happened in the past when Dutch LE overstepped their authority. I'm fairly sure that those lessons - and the cases thrown out as a result - have been learned, but of course it is very well possible that we'll see a re-run.

I'm on the fence on this one, I'd say let's see where it leads because it is clear to me that the digital world is moving much faster than law enforcement can normally speaking keep up with and a lot of crime is perpetrated because of that. The risk of abuse of such methods is always present, and 'protections in theory' that are abused tend to find very unsympathetic judges in this country. It's fairly clear that something will have to change if LE is to keep up with the increase in online crime, whether this overshoots the mark or not remains - in my view - to be seen. It definitely has that risk, but then again, so would every other proposal short of the status quo and that clearly isn't effective enough.


>Yes, that's the risk, but: similar issues have been flagged in the past and in the end oversight won

Did it? If anything the history is rife with cases that oversight was totally lost...

And of course, if it comes to "trusting oversight" the Overton window has already moved to accepting such kind of surveillance.


It did in NL, both regular police and AIVD (the Dutch secret service) have been smacked down repeatedly in court.


Another example are opposition's politicians.


The omitted detail is that it's "NL national security [from its people] ..." The state, and those individuals in unholy union with it, understands very well that it's different from its people and in order to defend from its people all measures are justifiable.


They are simply jealous of Hitler, Putin, Xi and other upstanding individuals.


I suspect this is also to provide a legal framework to automatically remove malware from victim's computers, as has been done before by Dutch authorities without any law permitting such actions, and removing malware is obviously good for society.


All adblock extensions, torrent software and end-to-end-encryption systems will now be classified as 'malware'.


> automatically remove malware from victim's computers,

Like uninstall Windows without permission?


And of course it can also be used for gaining entry to hackers' systems by infiltrating c&c servers on third party hardware, which also had been done before by Dutch authorities without any existing legal framework to allow this.



