‘Hacking of botnet victims by the national police agency was in violation of privacy’

The way in which the government took the Bredolab botnet offline was in conflict with privacy. So argues a student in her master’s thesis. Last year, the agency hacked the computers of victims as well as of a suspect.

According to Charlie King, who graduated with a master’s in information law on the strength of her thesis about the Bredolab affair, the ‘hack back’ of victims was in breach of privacy laws. The agency did so to warn users that they were infected with malware and were part of a botnet. The police installed a program that redirected them to a warning page. According to King, however, the good intentions do not change the fact that it is simply not allowed.

“At this time, that is not allowed,” King tells Tweakers.net. She notes that the police can learn a huge amount about citizens if they hack their computers. “It is a very drastic measure. There are other, less intrusive options for alerting users,” she states. The agency could, for example, have enlisted internet service providers to alert users. In addition, the Dutch police have no powers outside the territory of the Netherlands.

The police broke into the computers of infected Bredolab victims by penetrating the botnet’s so-called command-and-control servers. This also allowed the suspected administrator behind the botnet to be spied on. That, too, was not in line with privacy laws, King suggests. “The problem is that there are no rules for it. The agency just did whatever,” she says. Other powers of the investigative authorities, such as arresting a suspect or entering a home, have built-in safeguards to prevent excesses, but those are missing in the ‘hack back’ by the agency.

In addition, there are no rules covering the hack back itself: nowhere in the law have the police been given the authority to hack. The Public Prosecution Service is in favour of such a power, but according to King it has yet to be shown whether it would conflict with the European Convention on Human Rights, which the Netherlands must adhere to. One article of that treaty concerns the protection of citizens’ privacy.

King also disputes what she calls the ‘spectacular’ claims the government made about the dismantling of the botnet. The botnet is said not to have had 143 command servers, as was claimed, but only six. The other servers are said to have been used for cybercrime, but not specifically for Bredolab.

The claim of 30 million infections made by the Public Prosecution Service was also, according to the researcher, based on a questionable calculation. It found 3 million infections and took that as the basis for calculating back. Through extrapolation, it arrived at a final figure of 30 million. According to King, however, the Public Prosecution Service calculated linearly from 3 million, while botnets grow exponentially. The number of infections was in fact likely to be much lower, she concludes.