Last year, the Dutch police performed 28 hacks the devices of suspects. In 23 cases, the supplier of the software used was able to access suspect data. This is made evident by an inspection by the national ministry of Justice and Security.
In 2019, the Dutch police force gained new ways to hack devices. The national Computer Crime Act III allows police to legally hack devices on suspicion of a serious criminal offence. Hacks are carried out by a specialist team. One condition is that the entire process is documented. For example, by recording the screen of a device during the hack.
A government inspection regularly reviews whether police comply with the rules. At the beginning of 2021, police records proved to be incomplete. The police were instructed to improve documentation. Now, new records demonstrate that the data of hacked suspects is accessible to commercial software suppliers.
In 23 of the 28 cases in 2021, the police used commercial software to hack into suspects’ devices. The software supplier could potentially access hacked data. Officially, the supplier is only allowed to log in with police approval. The problem is that nobody knows whether the rules are being followed. Neither police nor the inspector knows exactly how the software works. That clashes with the law, which stipulates that only designated officials should have access to hacked data.
In its report, the inspector emphasizes that “authorisation management is deficient”. Remarkably, the inspector adds that “no major technical security risks have been identified”. In business, a lack of authorization management is undoubtedly seen as a major security risk. In some enterprises, it’s unthinkable to give software suppliers access to customers’ personal data. That’s precisely how data leaks occur.
The inspector has an advisory role. The authority cannot impose measures. The Dutch Minister of Justice and Security can. However, there is little chance of short-term improvement. The inspector has known about the lack of authorization management since 2021. The problem has been raised repeatedly, but is yet to be solved. For Dutch residents hacked on suspicion of a serious offence, there’s no guarantee that the police are the only ones watching.