Evading online surveillance is becoming easier as more tools offering anonymous encrypted storage and communication become available. But the trend is starting to worry authorities.
Last week, the government in the Netherlands proposed a new law that would help it circumvent encryption by hacking into computers and infiltrating servers. In a lengthy letter, the country’s security and justice minister, Ivo Opstelten, said police were having difficult tracking down pedophiles posting images of child abuse online because they were allegedly using the anonymizing tool Tor. Tor allows users to mask their IP address by routing connections through a network of virtual tunnels.
Many law enforcement agencies today, including the FBI, have used spyware tools to monitor suspects. But what Opstelten is proposing is different. He doesn’t just want federal police in the Netherlands to have the power to install spyware to secretly intercept data before they are encrypted. He wants the county’s police to have the power to infiltrate servers and destroy data on computers even if they are potentially located in foreign jurisdictions. While there are already mutual legal assistance protocols in place across most Western democracies for such purposes, the rules differ from country to country. And in some cases, because suspects are using tools like Tor, it’s not actually possible to determine their location. So if Dutch police find a hidden Tor server containing “very harmful pornographic material,” for instance, Opstelten wants the authority to take control of the server and “render inaccessible” the data stored on it.
Such powers will have to be authorized beforehand by a magistrate, and the suspected crimes must be serious enough to carry a sentence of four or more years. However, granting police the ability to assert such control over the Web will sound alarm bells for Internet freedom advocates. The danger is that though the authorities say they want to target child abusers, down the line there could be a mission creep, with authorities using the same powers to infiltrate and take control over servers wherever they find content deemed offensive.
Many countries are anxious about their ability to effectively conduct surveillance when their suspects are increasingly using encrypted communication tools or cloud storage services located in foreign jurisdictions. Back in August I reported for Future Tense that a shift was underway to “harmonize” lawful interception laws across borders. This move is rapidly climbing up the political agenda, evidenced last week when a U.N. report called for universally agreed-upon data retention laws across member states. A report by the International Chamber of Commerce in September said the same but went further in recommending a centralized communications interception regime, with regulations and standards made to be consistent internationally.
So this is not only about the Netherlands. Domestic police forces pushing for more cross-border powers when it comes to surveillance and cybercrime will soon become the norm. In that sense, Opstelten’s proposal is a glimpse into the future.