Antivirus firms "won't co-operate" with PC-hacking police
By Nicole Kobie
Posted on 3 May 2013 at 15:49
Dutch police are set to get the power to hack people's computers as part of investigations - but antivirus experts say they won't help police reach their targets.
A bill before the Dutch government will give police the power to hack computers, read email and other files, and install spyware, according to the BBC. It would also give police the power to legally hack into overseas servers, if they were part of a denial-of-service attack, for example.
Mikko Hypponen, chief research officer at F-Secure, said such requests won't only come from Dutch police, as authorities in other countries will increasingly ask for such powers - not least as most investigations already involve looking through smartphones or PCs.
"This isn't going to go away, it's only going to get more and more important. All countries will be wanting rights and regulations," he told PC Pro. "But the Dutch already had an unusually strong powers for the local police. They seem to be the forerunners in Europe, in how much rights police have to fight crime."
Hypponen said it's understandable why police want such powers, and admitted few would complain if it's used sparingly and only against guilty parties. However, there's no question that innocent people would get caught up in police investigations, making transparency key.
"They should have to have serious enough crimes to even request such strong tools to be used," he said. "And then, they should have to get a judge or court order, and even more importantly, they should afterwards make public how many citizens were hacked, and how many turned out to be guilty or innocent."
Find out moreThe zero-day bounty hunters
That last point is the most important, Hypponen said. "This is the key thing: if the police hack into your systems, the public needs to know," he said, calling for police to disclose what type of crimes the powers are used on, whether the police were successful in their hacking, and whether the targets turned out to be guilty or innocent.
He doesn't see such investigative hacking powers leading to an "arms race" between police and criminals, but between police and all citizens. "There will be guilty citizens and innocent citizens, and they will both be wanting to keep malware away from their computers."
That raises a problem for antivirus firms like his own, with antivirus firms potentially asked to cooperate with authorities to let an attack reach the target. So far, Hypponen hasn't seen a single antivirus vendor cooperate with such a request, and said his own firm wouldn't want to take part. Purely for business reasons, it doesn't make sense to fail to protect customers and let malware through "regardless of the source".
Whether police have the skills to successful hack into computers isn't clear, but Hypponen said it wouldn't be ideal for them to outsource such tasks. However, it's likely police would follow the lead of other government agencies - such as intelligence and security - and buy vulnerabilities from third-party firms.
"It’s not just government in this picture," he said. "Many of the exploits being stockpiled are actually being developed by third parties, such as defence contractors or private companies looking for vulnerabilities." And they, of course, have no motivation to hand flaws in software over to the affected companies.
"I don’t like this development in general," he said. "It used to be black and white. If you were breaking into systems, you were the bad guy – you were the evil one. Now, over the past five years, the situation is changing very rapidly, with governments entering the picture."
He is right...
If an AV company co-operated with the police and it came out, they would be out of business inside a week!
By big_D on 3 May 2013
" and admitted few would complain if it's used sparingly and only against guilty parties"
So they would only be able to use the powers AFTER the case has gone to court.
Seems a little pointless.
By qpw3141 on 3 May 2013
Not subject to Dutch law
Another thing to note is that because NONE of the antivirus companies are headquartered in the Netherlands, they are NOT SUBJECT to Dutch laws. So there is no way the Dutch police could force any anti-virus firm to cooperate.
Becuase F-secure is in Finland they are only subject to Finnish law, and NOT SUBJECT to Dutch laws. The Dutch police have no jurisdiction in Finland.
By AlphaCrucisRadio on 5 May 2013
This isn't going to happen
Way too many privacy issues and international questions. I don't think any av firm will cooperate. One comment above is inaccurate. AVG Technologies is headquartered in the Netherlands. If a suspected crime were taking place within a given country, and the individual was operating in that country, you could argue that this was like a wire tap.
By ckensek on 7 May 2013
The idea of local Police needing these kinds of powers seems a little odd.
Surely the type of crimes where these steps are required should be covered at the new Europol Cybercrime EC3 division.
Going above that the CIA et al have been on with this for decades, with backdoors into everything from AOL, Windows, Firefox, etc. etc.
By Gindylow on 7 May 2013
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- Apple Watch, iPhone 6 and 6 Plus: Tim Cook's Apple back with a bang?
- BT Home Hub 5: how to get maximum speed
- 20 years of PC Pro: one-star reviews (including "the worst tablet we've ever seen")
- 20 years of PC Pro: our best covers
- Why we've closed the PC Pro forums
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords