The use of policeware to hack electronic evidence in Germany and the Netherlands

Abstract

Hacking as manipulation of software, data, computer system or network without the knowledge and permission of the user constitutes an act of criminal offence. However, given that certain technological tendencies make it difficult/impossible to collect electronic evidence, the question arises as to whether the authorities responsible for detecting and proving criminal offenses should be authorized to hack, i.e. to conduct investigations in the digital environment in such a way that they would be authorized to exploit technical, systemic and human vulnerabilities within the IT system, without knowledge and permission of the user, in order to gain a remote access to protected system and conduct further actions. Although a state authorities' hacking with the aim of collecting electronic evidence carries immense risks for information security and human rights and freedoms with it, one cannot dispute that the deployment of such techniques might be useful in criminal investigations. However, the application of hacking technique would not per se violate the right to privacy and other guaranteed rights and freedoms, only as far as such interference is properly regulated. Hence, the legal framework should explicitly regulate the lawful hacking as a special investigative measure, especially the conditions that should be met and mechanisms that should be applied. As hacking for the purposes of criminal investigation may be performed through various techniques, this paper focuses on a hacking technique based on a malware, and its regulations in two countries with explicit provisions - Germany and the Netherlands.