At the beginning of May 2013, the Dutch government proposed a new law that brought fresh impetus to an old idea: law enforcement’s right to hack back. “The controversial proposal”, said Dutch cyber rights organization Bits of Freedom, “doesn’t only allow the hacking of mobile phones and computers, it extends to spying on users and the deletion of data. It would also include devices which are located abroad. Furthermore, keeping your password secret from the police and fencing on the internet becomes, to a certain degree, punishable.”
This proposal has precedent. Three years ago the Dutch police took over Bredolab command-and-control (C&C) servers, and from there deposited a warning notice on the infected PCs that had phoned home to the servers. One of the notices was in English, suggesting that the police were aware they were interfering with PCs outside of the Netherlands. At the time, Yaman Akdeniz (a former associate professor at the School of Law at Leeds University and now professor of law at Istanbul University) commented, “There is no ‘good hacker’ or ‘ethical hacker’ defence built into the Computer Misuse Act 1990, nor into the provisions of the Council of Europe CyberCrime Convention, for example. So, whatever their intentions are, the access by the Dutch Police into the infected PCs of computer users would be unauthorised in the UK.”