The Dutch Minister of Justice has sent a letter with its policy framework for law enforcement in the context of Cybercrime to the Dutch Parliament. The framework consists of 5 pillars: public-private co-operation with regard to prevention of cybercrime(1), more and different deployment of police and justice authorities (2), strengthening of international co-operation (3), bringing up to date of legal instruments, and acknowledgement and signaling of developments.
I do hope the Dutch Parliament will seriously discuss this framework, because it is flawed on a number of points.
Of course, one of the pillars should be the respect for constitutional safeguards such as due process, freedom of expression and information and privacy. The framework does not take these issues serious enough. In fact it often ignores them or clearly advocates a reconsideration of their merits. A few examples:
1. The letter promotes filtering by internet service providers. It specifically declares the filtering of child pornography by ISP/Cable operator UPC a success. This is rather awkward. The effectiveness is currently being investigated by academic researchers. But more importantly, last week, a leading Dutch national newsshow showed that UPC does not block a range of horrible child pornography websites and it does block websites hosted by a Dutch provider. This provider should be easy to reach for the same police department (KLPD) that put the website on the list used by UPC. But it is worse. On top of that that the Dutch police declared in an email to LeaseWeb, the hosting provider of that particular site on the filtering list, that there was not enough evidence that the blocked site was unlawful.
In my opinion, the proposed public-private co-operation clearly introduces the wrong incentives. Instead of fixing the issue, the Justice department talks to all providers to make them do the same as UPC. Hopefully KPN and XS4All will stick to their demands that for any filtering to take place there has to be (1) judicial oversight over the list, (2) the content has to be outside the reach of Dutch law enforcement, and it has to be (3) restricted to child pornography.
2. With regard to the ‘balance between security and privacy‘, the report is rather vague, but it calls for a reconsideration of this balance nonetheless, or better to say an evaluation of the merits of a right to respect for private life in a society that is seen to be under constant and severe attack. Currently a commission is doing this analysis. Their assignment wasn’t very promising and I am not so sure that the results will be very balanced. Another official report that warned the government for being biased and disregardful of privacy and related issues has been professionally wiped off the table.
3. It completely ignores a recommendation adopted a few weeks ago by the Council of Europeâ€™s Committee of Ministers. The recommendation deals with “measures to promote the respect for freedom of expression and information with regard to Internet filters”. The recommendation and the underlying report acknowledge the ways in which Internet filters can impact on freedom of expression and information and stipulate the requirements of Article 10 ECHR in this context. The recommendation calls upon the Member States to take measures with regard to Internet filters in line with a set of guidelines promoting user notification, awareness, and control of Internet filters and accountability of the private and public parties involved. The Dutch government should coordinate, because this filtering recommendation is rather relevant and could provide soem useful and hard needed guidance.
4. Its discussion of Notice and Takedown (NTD) is Kafkaesque. It first defines NTD as a voluntary act of making inaccessible by an internet service provider, at the request of a third party. It concludes that this type of self-regulation is favourable over coercion by the State. I would argue that penal law is all about state coercion and rightfully so. In case of Child pornography, who wouldn’t like to see the government take responsibility and act independently of other ‘stakeholders’, if possible. So a bit further, the letter states that if necessary, the public prosecutor can issue an NTD-order on the basis of Article 54a of the Dutch Penal Code. This provision vaguely implements the criminal liability exceptions for intermediaries, an implementation of the horizontal safe harbours in Article 12-14 of the Directive on Electronic Commerce. Article 54a provides that an online intermediary such as a hosting provider is not liable if he takes down or prevents access to illegal content at the request of a public prosecutor, with judicial oversight. So why not use this privision? Because “this provision is not obviously an easy and quickly applicable way to realize the removal of undesirable (sic!) or illegal material. Also a legal analysis of the University of Tilburg points to bottlnecks. The researchers are of the opinion that there are questions about the legal basis of a NTD order.” (By the way, I cannot find that research report.) Summarizing, the justice department would rather see no coercive government involvement with regard to the Internet and illegal material. For as much as it has to, it would rather make it seem that the State is like any other private party pointing to illegal and UNDESIRABLE material that should be taken down, without any special applicable safeguards. It does not use its current powers so much because they are not easy and quick enough. It would rather put websites on a black list and have them filtered, than send a legal requests to (Dutch) hosting providers of publishers of illegal material.