Lessons from abroad regarding the use of hacking tools in the Netherlands

Earlier studies showed bottlenecks exist in the implementation of hacking power in the Netherlands, such as the inspection of hacking tools used by the police. This inspection guarantees the quality of the data that is collected using those tools. This new WODC study has resulted in a number of scenarios that provide guidelines for dealing with these bottlenecks. Several countries were compared during the comparative law study. The scenarios offer the Netherlands lessons from abroad, both regarding inspection and monitoring of the use of hacking power.

The Dutch police were granted hacking power of 1 March 2019. In principle, the police may only use a hacking tool (‘technical tool’) if it has been inspected and approved by an independent testing authority before it is implemented. The objective is to guarantee the quality (reliability, traceability and integrity) of the data collected using the hacking tool. Both the Inspectorate of Justice and Security and the WODC concluded in earlier studies that the implementation and inspection of tools are not fully in compliance with the legal framework. 

Inspection of commercial products

One of the obstacles in the Dutch inspection process is the fact that the testing authority, when inspecting commercial products used by the police for hacking purposes, is not offered full insight into their operation (the source code). Nor can it be guaranteed that the supplier of such a product will not at some point gain access to the collected data. The WODC study showed that in Switzerland insight into the source code of a product has to be provided. And a supplier may not have access to the collected data. The study did not make clear to what extent the Swiss authorities have been able to realise both requirements. Should Switzerland have come up with a workable solution, it would be useful for the police, the Public Prosecution Service and the policy makers in the Netherlands to explore how this can be achieved in our country in a similar way.

Focus on risk analyses

Several European countries inspect the quality of the collected data in a different manner than is the case in the Netherlands. For example, they have less detailed instructions as to the requirements a hacking tool has to comply with. As far as known, however, their method of operation has not resulted in any fundamental discussions in court. This may enable the development of customised testing requirements. For example, by focussing more on risk analyses during testing, as is the case in Germany. Those involved in the investigative practice are of the opinion that the Dutch investigation practices focus too much on the approval of (all) testing requirements instead of on determining the risk posed should a certain requirement not be met.

Monitoring the use of hacking power

In addition to an inspection of the tools used, monitoring is also important in the context of the quality of the data. Monitoring of the hacking power has been an issue ever since the development of the legislation. In Belgium and France an examining magistrate monitors implementation of the hacking power. Their method eliminates the Dutch problem of a number of cases not being presented in court. The Swedish supervisory authority SIN monitors both the activities of the police and of the Public Prosecution Service. This distinguishes SIN from the Dutch Inspectorate of Justice and Security that only monitors the police. A supervisory authority such as SIN eliminates the problem of a number of cases not being presented in court and a judge not always being substantively sufficiently able to consider the presented evidence.

The geographical map below shows which countries have hacking power and which do not.

Deze geografische kaart geeft aan in welke landen sprake is van hackbevoegdheid en waar niet
Image: ©WODC