Recent reports from AD and Security.NL reveal that Dutch police have employed advanced hacking techniques to gain real-time access to suspects’ iPhones. This unprecedented level of surveillance allows law enforcement to monitor a suspect’s phone activity as it happens. The use of such intrusive methods raises significant questions about privacy, judicial oversight, and the ethical implications of deploying “commercial hacking tools” in criminal investigations.
The hacking of a suspect’s iPhone, reportedly in a drug trafficking investigation around 2022, allowed Dutch police to observe the suspect’s real-time phone activities. This capability is part of the Wet computercriminaliteit III (Computer Crime Act III) and is described as an “extremely rarely used” investigative tool, according to the AD report (Security.NL, 2026). The specific methods remain classified, with the police keeping the exact workings secret.
A study by the Wetenschappelijk Onderzoek- en Datacentrum (WODC) indicates that between April 2021 and April 2024, initial hacking orders were issued in 89 investigations, targeting 105 devices, primarily phones (Security.NL, 2026; Security.NL, 2026). The police predominantly utilize “commercial tools” for these operations, the names of which are not disclosed by the WODC (Security.NL, 2026). This reliance on commercial solutions has been a recurring theme, with the Volkskrant previously reporting in 2022 that the AIVD (Dutch General Intelligence and Security Service) used Pegasus spyware in the investigation of Ridouan T. (Security.NL, 2022). Pegasus spyware, developed by NSO Group, is capable of monitoring microphones, cameras, and communications across various applications like WhatsApp, Gmail, and Telegram, and can determine location (Security.NL, 2022).
Concerns have been raised regarding the judicial oversight of these hacking powers. The WODC found that judges rarely engage in substantive review of the hackbevoegdheid’s (hacking authority’s) deployment, which is critical given the intrusive nature of these tools (Security.NL, 2026). Furthermore, the initial requirement for police to use only pre-approved technical aids has been relaxed, meaning law enforcement can now use tools that are not fully certified (Security.NL, 2023). This shift places more responsibility on public prosecutors to establish tactical safeguards and on judges to assess the reliability of the evidence obtained (Security.NL, 2026).
The frequent use of commercial products, often described as “extreme” or “exceptional,” appears to be becoming the norm rather than the exception (Security.NL, 2026). This raises questions about whether the Dutch government’s approach inadvertently stimulates the market for zero-day exploits, as these commercial tools often exploit vulnerabilities not reported to developers like Apple (Security.NL, 2023). In response, the government plans to allow police to reuse commercial hacking software across multiple cases, a change aimed at increasing effectiveness in combating serious and organized crime, cybercrime, terrorism, and child sexual abuse (Security.NL, 2023).
The revelations surrounding the Dutch police’s use of real-time iPhone hacking capabilities highlight a growing tension between national security interests and individual privacy rights. The reliance on undisclosed “commercial tools” and the apparent lack of rigorous judicial oversight, as noted by the WODC, suggest a potential gap in accountability. While the intent to combat serious crime is understandable, the move away from exclusively approved hacking tools and towards the reuse of commercial software for multiple cases could erode public trust and open doors to potential abuses. The secretive nature of these operations, while perhaps tactically necessary, makes independent verification and assessment of their impact challenging. The discussion around these capabilities needs to extend beyond their effectiveness in catching criminals to a broader examination of their societal implications and the robust legal frameworks required to govern their use.
The Expanding Scope of Law Enforcement Hacking
- Police are actively utilizing advanced hacking capabilities, including real-time surveillance of mobile devices, as part of criminal investigations.
- This authority is granted under the Wet computercriminaliteit III, emphasizing its legal basis in Dutch law.
Reliance on Commercial Hacking Tools
- Law enforcement agencies frequently employ “commercial tools” or “commercial intrusion software” for hacking operations, such as the Pegasus spyware.
- The specifics of these tools are often kept confidential, leading to transparency concerns.
Challenges in Oversight and Accountability
- Judicial review of hacking authorizations has been found to be limited, with judges rarely engaging in substantive evaluations of their deployment.
- The previous requirement for pre-approved technical aids has been loosened, allowing for the use of uncertified tools under certain conditions.
Evolving Policy and Future Implications
- The Dutch government is adapting policies to permit the reuse of commercial hacking software across multiple investigations.
- This policy shift aims to enhance effectiveness in combating various forms of serious crime but also intensifies debates on privacy and state surveillance.
The increasing sophistication of digital forensics and surveillance tools presents a double-edged sword for democratic societies. While empowering law enforcement to tackle complex criminal networks, it also necessitates a commensurate strengthening of oversight mechanisms and public discourse to prevent potential overreach. The ongoing developments in the Netherlands serve as a crucial case study, underscoring the delicate balance between security imperatives and the fundamental rights of citizens in an increasingly digital world.