Over the past days a lot has been said and written on counter hacking by enforcement agencies. The cause is a letter Dutch Minister I. Opstelten, Security & Justice, sent to parliament. Pros and cons were debated and exchanged. Despite the fact that I perfectly understand the frustration of enforcement agencies of having to find actionable data and evidence that gets criminals convicted in a borderless, amorphous environment, a line seems to be crossed with this idea presented to Dutch parliament. Where are we?
Two things stand out for me in this discussion: information can be extremely hard to find on and around the Internet; national and international cooperation is apparently very hard to achieve.
a. Researching the Internet
The first is that it is often unclear where criminal activities, spam, hacks, espionage, etc. on the Internet really come from. This all has to do with flaws in software and hardware, the ease with which Internet resources can be acquired, hosting companies that specialise in bulletproof hosting, borders in the real world that do not exist online, and many, many more. Most of the options to change this lie beyond the grasp of governments, in the private realm.
The second is that national and international cooperation is very hard to establish, as the report of De Natris Consult shows. In other words, receiving data and evidence from abroad takes time and effort, and at times is completely impossible, as some agencies and countries are not able to or flatly refuse to cooperate. People who state that this needs to be improved are spot on, but also need to realise that this is going to take years if not decades to achieve. If ever. At the same time: start working on it today, right after reading this blog post. Don’t lose another second to start achieving it.
I’m not even bringing in coordination of effort between different entities at national and international level here, as it is too far beyond the reality of most people. One of the answers to a securer Internet does lie here though.
Both these approaches are in the realm of governments, so why do most not make haste to better the positions of agencies to investigate and their ability to have more success at what they are meant to do in the first place?
We have to conclude that the two roads presented here to a safer Internet at present do not present a solution.
So, back to hacking. The public person advocating it most loudly is Ronald Prins, CEO of Fox IT, accused on Twitter by ex-parliamentarian Femke Halsema of having a commercial interest in the matter. Whether this is true or not is not really relevant here, as the idea is embraced by a Dutch minister (and his advisers). I want to go back to crossing lines. What if we reverse the subject?
In a dictatorship there are many laws that are not acceptable in a democracy. Still, they are the applicable law in those states. So here we are, hacking away, and at some stage a dictatorship decides to do so also and manages to hack into a server, in this country, of a secure hosting company hosting the domain of subversive elements (free speech advocates in our vocabulary) within the dictatorship. As a result it arrests the whole organisation and executes most members after a show trial. Soon after the executions the dictatorship reports the hack to The Netherlands’ government as part of an investigation on the basis of laws X and Y. This is only reciprocal, right? (I would not be surprised if this is not already standard practice, illegally, unannounced, without anyone knowing. Making it standard practice is another matter.) It’s not something that a country like The Netherlands wants to see happening.
In a democracy the rule of law is the standard. If a country is to allow hacks nationally or internationally, it could only be after due judicial process before the hacking and checks afterwards. Nationally I’d say that this is and should be the standard. The law allows it or not and has obligatory, standardised procedures before it is allowed.
Internationally, international law and agreements kick in immediately. The question whether a hack could ever produce actionable data and evidence is a principal one. But even if this hurdle is taken, the circumstances should be the same as nationally. Any other way the rule of law is undermined, with all the negative consequences to a democracy. So if hacks are to be allowed, then not without due judicial process in The Netherlands and elsewhere. The circumstances and specifics must be very well defined when any country wants to go this way. A sort of last resort when all else fails.
Securing a nation
An element that I think is seriously overlooked in this discussion is how a country wants to protect its citizens, institutions and industry from online threats. By counter hacking surely not. Even if copying actionable data and evidence from servers and computers situated abroad is to be allowed, if the criminals are active from an unwilling country, not much changes. I have more confidence in another approach, on which more at a later stage on this blog. It will take cooperation, international cooperation even.
Yes, I do believe that, under the proper circumstances, hacking could be a tool used in investigations, e.g. to determine the location of a server when this is unclear. It ought to be a sort of last resort though. If not, it is going to be easier and easier for enforcement agencies to cross lines further and further, invading privacy further and deeper, “as we have nothing to hide”. A slippery slope. It did not work this way in the past and shouldn’t in the future. Innocent until proven guilty seems to become a burden, but this is one of the bold underscores of democracy. Also in times of the Internet. Again: do not do a digital something just because you can, without discussing consequences!
Wout de Natris, De Natris Consult
Leiderdorp, 22 October 2012