Dutch Police infect users with trojan – legal or illegal; good thing or bad thing?

October 27, 2010

Over the last couple of days we have been hearing news about the seizure of more than 100 servers by the Dutch police. These servers were involved in the control of a huge number of Bredolab bots; so this can only be seen as a Good Thing.

However, the problem with taking down Command & Control servers is that it leaves the botnet itself in place. It can spring to life again when the criminals set up new C&C servers. So the real solution is to find and cleanse the bots themselves.

Well, the Dutch police attempted to do just this. With help from the Dutch Infosec company Fox-IT and the ISP LeaseWeb, the authorities uploaded their own code – effectively their own trojan – to the infected PCs. The payload is obviously benign. It simply sends the users to a Dutch Police page that explains that they are infected, and provides a link to information on removing the infection. By removing the bots rather than just the servers, the botnet is well and truly dismantled.

 

Landing page from the police trojan

 

Well, I know nothing about Dutch law. But notice that the landing page is in English (there is, of course, also a Dutch version). It is perfectly clear, then, that the Dutch authorities were well aware that they would be ‘infecting’ PCs outside of The Netherlands – and quite likely some in the UK. So, for people in the UK, we are able to look at this from a UK point of view, and not just a Dutch point of view.

And what I want to know is whether the Dutch police action is legal, and/or acceptable. Most people in the security industry will automatically say it is acceptable. After all, it is their job to protect us, and this is a good way of going about it. And the security industry has been ‘infecting’ command and control servers for years – so this is just a small expansion from the servers to the bots. But I’m not so sure it is acceptable – and I’m pretty certain that in the UK it is illegal: that is, the Dutch authorities have broken UK laws if they have infected any UK PCs.

Nicholas Bohm

I asked leading lawyer Nicholas Bohm for his view. “Infecting a computer with a trojan would involve offences under the Computer Misuse legislation,” he explained, “unless carried out with some form of lawful authority. In the UK this is available under Part III of the Police Act 1997 (as amended). Authority may be given by chief constables, and others of equivalent rank.

“These powers were primarily introduced to cover the installation of viewing or listening devices in the premises or vehicles of suspects, but they seem to me capable of extending to planting trojans, keystroke loggers etc.”

Yaman Akdeniz, Associate Professor of Law, Faculty of Law, Istanbul Bilgi University, and Director, Cyber-Rights.Org, has similar concerns under the Computer Misuse Act: “Well, there is no ‘good hacker’ or ‘ethical hacker’ defence built into the Computer Misuse Act 1990, nor into the provisions of the Council of Europe CyberCrime Convention for example. So, whatever their intentions are, the access by the Dutch Police into the infected PCs of computer users would be unauthorised in the UK.

Yaman Akdeniz

“On top of that their ‘modification’ of the content of the infected PCs can also be regarded in breach of the CMA 1990. So, from a legal point of view I find this approach problematic. What if they damage the computers? One may argue that the damage is already done with the initial infection but the access remains unauthorised whether by the bad guys or the good guys.”

So, on balance, the CMA forbids the covert installation of trojans, even if with the best of intentions by the good guys, but could be overridden by ‘chief constables, and others of equivalent rank’ under the Police Act 1997. But Bohm doesn’t believe that the Dutch police behaviour is automatically or necessarily bad. “Some such powers seem to me necessary, just as search warrants are. But I would rather see them controlled judicially – I am unconvinced by the use of retired judges as commissioners to supervise them, and would prefer the decisions involved to be subject to judicial review.”

It seems to me, then, that the Dutch police have broken UK law if they have uploaded their friendly trojan to any UK PCs; and have probably broken other laws all round the world. Judicial oversight may make such behaviour more acceptable; but without it, it should be abhorred. Accepting such behaviour from the authorities, who will always say ‘it is for your own good’ is a dangerous step. Every software developer in the world is aware of the dangers of ‘feature creep’. This sort of behaviour by the authorities is equally subject to feature creep – otherwise known as the slippery slope into authoritarianism.

  1. Paul
    October 28, 2010 at 5:17 pm

    If the police notice the front door of a house has been broken down and a criminal actively robbing a house, they have an obligation to not just arrest the criminal, but also secure the premises reasonably before leaving. They can’t just arrest the bad guy, then leave the broken front door wide open. They would, and should, take reasonable efforts to secure the premises until the owner returns. The same should be true in the digital world.

    • October 28, 2010 at 6:16 pm

      Are there not wider issues here? This is the police force of a foreign nation ‘invading’ (I don’t mean to be inflammatory, but the word is accurate) the property of UK citizens in breach of UK law. I have as yet seen no suggestion anywhere that the Dutch police got the ‘lawful authority’ mentioned by Nicholas Bohm – so the overriding likelihood is that UK law has been broken. The police are there to uphold the law, not to break it.

      But the big danger is not necessarily what has been done this time; but that both we and the police become complacent with such behaviour. Using your own analogy, the police requirement to protect the property, if unchecked, could ultimately lead to the permanent installation (à la HADOPI proposals: “According to the document, French Internet users could soon be required to install spyware on their PCs tracking down their searching habits and analysing the applications installed on their PCs, in order to prevent ‘file-sharing piracy’.” – EDRI) of a trojan that would call home (to the police) whenever anything suspicious is observed. Now, you may indeed be content with such an idea under our current regime – but just imagine what could be done in 10 years’ time if the extreme right, or the extreme left, comes into power.

      As Nicholas Bohm suggests, some form of intrusive capability by the police may be necessary; but it must absolutely be limited by judicial overview. (A separate issue, of course, is that the judiciary must be kept independent of the executive and legislature for it to be effective.)
