Using the espionage software Pegasus, developed by the Israeli company NSO Group, authoritarian regimes monitor journalists, activists and lawyers. When this became known, moral outrage was heard from all corners of society, and rightly so. But we must realize that the Dutch government, by using zero-days, one of the most important ingredients of the Pegasus software, is partly responsible.
Zero-day vulnerabilities are vulnerabilities in software that are still unknown to its maker, so no patch exists yet. Pegasus uses such vulnerabilities, for example in iOS or Android, to get into mobile phones. This is useful for the government in catching crooks, but harmful to the billions of innocent internet users who have the same vulnerability in their software, because crooks are not the only ones who use iOS and Android. A zero-day vulnerability affects everyone.
Within the security world there is therefore broad agreement that the internet is safest if everyone who finds a zero-day reports it immediately to the maker of the software. The potential advantage of catching a few criminals does not outweigh the disadvantage to billions of innocent internet users who carry the same vulnerability in their software. That means a safer internet, but also that crooks are harder to catch.
For a few years now, the Dutch government has been allowed to use hacking software, of course only to hack serious criminals. It buys this software. Whether it does business with the NSO Group is not known, but it certainly does with NSO's competitors. In doing so, the Dutch government pays companies to actively search for zero-days, and then not to report them to the makers. The coalition agreement does state that no business may be done with companies that supply dubious regimes, but that is hard to monitor; NSO Group, too, had integrity measures in place.
This problem was considered during the parliamentary debate on the law on hacking software (the Computer Crime Act III), but the chosen solution is unsatisfactory. The law stipulates that a zero-day must be reported to the maker of the software, and that this may only be postponed with judicial approval. A reasonable compromise in itself, but it only works for zero-days that the government finds itself. If it buys a ready-made spy software package, it is unknown which vulnerabilities that package exploits.
Kees Verhoeven (D66) submitted a motion that would have solved the problem: do not buy hacking software that relies on zero-days. A large majority of the House of Representatives rejected the motion.
So the Dutch government may well use its hacking powers correctly, but by purchasing hacking software it finances companies whose business model is to weaken the security of the entire internet. The Netherlands should therefore stop using hacking software based on zero-days.
At a time when criminals have to be traced electronically, this is not a popular position, but it is a necessary one. After all, the Pegasus scandal is exactly what was feared when the hacking power was introduced: innocent people are hacked through vulnerabilities that were already known to the government but were left open for the convenience of catching criminals.