Digital Detectives in Holland
Special powers to snoop on the Internet; the influence of ILETS; bugs in keyboards; an assault on anonymity on the Net
For some time now, the fight against cybercrime has been a hot item on the political agenda all over the world. In the Netherlands, law enforcement agencies have also made the virtual world their hunting ground. New legislation gives the police the power to intercept Internet traffic and conduct investigations on the Internet. To avoid problems with encrypted communications, the police are allowed to place bugs on the keyboards of suspects. A report from the low lands.
In August 2000, Dutch Internet service providers are legally obliged to make their installations interceptible for the law enforcement agencies. This obligation was part of the new Telecommunication Bill, which came into force in 1998. But for the Internet service providers, this obligation was postponed for two years, because they were short of time to prepare themselves for the interception task. The technical, financial and legal consequences of the interception obligation were not clear. The interception standards the service providers had to implement were an exact copy of the technical requirements formulated in the European Union in 1995.
Internal documents of the ministry of justice and the ministry responsible for telecommunications confirm that these requirements were in fact written by the so-called International Law Enforcement Telecommunication Seminar (ILETS), a group of European and American experts.
The minutes of the 'working group on interception', a deliberative body of the authorities and the telecom industry, were released under the Dutch Freedom of Information Act. According to these minutes, a civil servant of the ministry responsible for telecommunications said: "The content of the Council Resolution of 1995 has been tuned in with global market parties and representatives of the US, Canada and Australia, in the framework of the Ilets-conference." According to papers of the ministry of justice, "many of the topics discussed in the European working group on police cooperation have their origin in the so called Ilets-consultations." (see also: ILETS AND THE ENFOPOL 98 AFFAIR)
How to implement those requirements on an operational level was not clear to the service providers, nor to the Dutch authorities. The minutes from the 'working group on interception' show some of the problems. The representative of the Dutch Internet service providers' branch organisation (NLIP) stated, for example, during a meeting in 1999: "There are only two or three American companies that produce interception equipment for the Internet. It takes two years or more before equipment will be available for Internet interception." Besides that, there was disagreement on the interception protocol to be used. The so-called Justice Interception Standard (JTS), which is currently in use in the Netherlands, is not appropriate for the interception of high-speed data transmission, like xDSL and ATM. The protocol that is being developed by the European Telecommunication Standardisation Institute (ETSI), which will serve as the protocol for all European telcos, does not yet fit all the requirements of the Dutch authorities. This European interception protocol is still under negotiation among the European governments. The Dutch telecom companies were reluctant to adjust their equipment to fit the Dutch JTS, with the risk of having to make new adjustments (and new investments) when the European protocol is finally agreed on.
Market mechanism
The big Dutch providers have by now finished the technical and organizational adjustments to make their equipment interceptible. They installed so-called black boxes, which are interception devices, at central points in their installations. In this way, they are able to intercept some 95% of the Internet traffic on their servers. For the remaining 5%, for instance direct client-client communication, a solution still has to be found. The service providers are reluctant to do this, because it is very expensive. For smaller Internet service providers, the whole interception obligation is a financial burden.
The providers and the authorities are still negotiating the number of connection points that have to be interceptible at the same time. There is a proposal not to require a legal minimum, but to let providers decide on that by themselves. However, the providers are obliged to fulfil interception orders by the authorities, under penalty of a huge fine. So this is something like introducing market mechanisms in the field of interception. For the authorities this is a favorable solution, because the government doesn't have to establish exact norms, with the risk of setting a norm that will be too low for future enforcement needs. It is a flexible solution that leaves room for a high level of interception orders.
The black box is managed by the service providers. They are the only ones who can turn the switch on, when requested by a legal interception order. Random fishing expeditions by the authorities are not possible - for now. But the danger lies in the step-by-step approach. Once all providers have integrated permanent interception devices in their equipment, there are no technical barriers to stretching the authority to order interception. Interception solutions still have to be found for cable operators and high-speed Internet traffic. The huge amount of data each user can generate, especially, remains a problem.
Reconnaissance patrols
The interception of Internet traffic is not the only power the Dutch authorities have in combatting cybercrime. In the proposal for the Computercrime Act II, which is now before the Dutch parliament, the police are given powers to investigate the cyberworld. Officers are allowed, just like ordinary citizens, to travel freely in cyberspace, without having to identify themselves. They may also download information and store it temporarily in police registers. The 'Act on special investigative powers', which has been in force since February 2000, gives the police the authority to use special investigation techniques on the Internet. Officers are allowed to infiltrate newsgroups, systematically gather information on subjects (for instance in a newsgroup), run front stores on the Internet or pretend they are interested in illegitimate deals.
Also, the police got the power to conduct 'reconnaissance patrols' on the Internet, the so-called pro-active investigation. This is, according to an explanatory note on the Act, an investigation on "a group of subjects to find out in which way in this group crimes are being conducted or contrived." The explanatory note also says it is "thinkable" that "certain parts of the Internet community will be object of such a pro-active investigation."
The 'Act on special investigative powers' also contains articles relating to the use of cryptography. The Dutch government stated in 1998, after failed attempts to forbid or regulate the use of cryptography, that the use of cryptography is free. But they introduced other means to tackle what they see as the problem of cryptography. Suspects cannot be forced to hand over their keys, but 'third parties' who can 'reasonably' be assumed to have access to the keys can be forced to decrypt communication. This obligation applies, for instance, to Trusted Third Parties, or telecom operators who encrypt the communication of their clients, but also to the receiver of encrypted messages.
The police have also got the power to bug the houses and offices of suspects under the special investigative powers Act. The government stated explicitly that this was meant to tackle the problem of cryptography. "Recording the confidential communication is especially important in situations where suspects use encrypted e-mail. The authority to bug, means among other things that an interception device may be placed on the keyboard, so confidential communication can be intercepted before encryption takes place," the explanatory note says.
Cooperation with the intelligence service
The Dutch police now have seven interregional 'offices of digital expertise', which give support to investigations in which information technology plays a role. The Centrale Recherche Information dienst (CRI), a national unit that plays a coordinating role in investigations, has created a special unit of cybercops, who actively investigate the Internet for crime. "We investigate as a team certain items, like child porn, the smuggling of drugs, trafficking in human beings, false documents, fraud and stolen art trade," the leader of the unit, Richard Vriesde, told the Dutch weekly Vrij Nederland.
The police are also looking for support in the scientific world and the business community, for developing tools that enhance Internet investigations or crack cryptography. "For research purposes, law enforcement agencies have to find partners in the business community, the scientific world and the academic world. In that way, the necessary knowledge can be obtained for the enhancement of investigation and persecution," the CRI wrote in a report. An important partner of the CRI is the Judicial Laboratory, the organisation specialized in cryptography. This laboratory, for instance, developed a programme that is capable of cracking the codes of electronic diaries. This software is not only a regular part of the equipment of the Dutch police computer specialists, but also a main export product of the Dutch police. The lab is capable of cracking the safety codes and cryptography codes of common programmes like Word or Excel from Microsoft.
The Judicial Laboratory is working closely with the Dutch Navy Intelligence service and the Internal security service on cryptography. The CRI also wants to be part of this cooperation. "Besides legislation and rules, initiatives are necessary aimed at the technical possibilities to disentangle cryptographic techniques. Cooperation between police and intelligence agencies should, also in this sensitive area, be made subject of discussion," says the above-mentioned report of the CRI.
Anonymity on the Internet
With this approach, the Dutch are following international developments. The interception requirements are a copy of the European requirements, as prompted by the experts of the ILETS. The approach to cryptography also resembles international developments. More and more governments consider strict control of cryptography a lost cause. Instead, alternative powers are created, like bugging the keyboard.
The authorities' next target will most certainly be anonymity on the Internet. The police have already put out some feelers. One of their proposals is to make the use of caller ID compulsory. At this moment it is possible to switch off this identification number, which makes it possible to trace the telephone account that is being used to get access to the Internet. Another proposal is to introduce a 'license number' for Internet users. Each user should have a fixed, registered IP number, which will be stored in a national register. Police should have 'lawful access' to this register.
One thing, however, still seems to be very unclear: how real is the threat of cybercrime and the use of cryptography? Many wild stories circulate, but there's little proof. A recent study by a police consultancy (Bureau In pact) shows, for instance, that there's little problem with the use of cryptography.
"Digital detectives rarely run into cases where methods are used to encrypt or scramble data. According to these officers, encryption is not a real threat at the moment, although they expect the use of encryption will strike root in the future. The detectives told us that protected files are often easy to approach, because many suspects have written down their passwords somewhere, for instance on a piece of paper next to their computer, or tell the password when asked."
So much for the dangerous Dutch cyber criminals. It seems the authorities are stressing the threat of an uncontrolled and dangerous cyberspace mostly to get more powers for data surveillance, interception and investigation.