If I click on a link sent to me, forewarned, by the police, and it downloads their files to my computer. How is this my crime? I also wonder if his demand was for the actual upload link?

Let me see if I can explain.

The cops come up to you and hand you a half million in stolen Louvre jewels. They then say 'oops' and ask for them back.

You say yes and return them, all is good. Only embarrassment remains.

You say no and don't return them asking for a reward or some other consideration, you get arrested.

Simples.

Why not? its data, its not like they deleted their copy. Also, wouldn't him emailing it back violate the GDPR and probably other criminal laws?

Opening an unexpected link -- that's dumb, even if the link appears to come from a trusted source. You could open it if the system you were working on was safe but then the person compounds the stupidity by asking for 'something in return' -- that is, declaring to the authorities that you intend to keep something of theirs that you're not entitled to.

Nothing to see here, folks......

I was doing a security review of a certain customer relationship we had with a Police force (nameless for the reason below).

We had a few issues, but the one that I had to remind our team of was that our network and 'the Internet' were not secure for the then protective marking of UK 'RESTRICTED', so we had to find some way to stop the client sending us in plain (i.e. unencrypted) over the internet a copy of their System Security Policy every time they updated it.

* is an anagram of "most curse".

Send them a note saying you'll invoice them for the additional costs and inconvenience incurred every time they do it? And copy it to GCHQ or wherever.

As long as you don't forward the link or the data with it..

The downloader behaved extremely stupidly by demanding "something in return" for returning the downloaded files. He deserves the trouble that he's getting.

OTOH, how were the Dutch police going to verify that the files were actually deleted? Do they have a remote shredder? :)

"Do they have a remote shredder? :)"

You say that in jest, but back in 2014 UK spooks forced the guardian to shred hard disks as evidence of destroying material they should not have had access to. The Guardian did point out that as the data was files on a disk, they could have been duplicated anywhere, but GCHQ was content with seeing hard disks destroyed, and brushed any suggestions from journalists that "they could have copied it a million times by now to any media in the world" comments.

https://www.theguardian.com/uk-news/2014/jan/31/footage-released-guardian-editors-snowden-hard-drives-gchq

If I received something "special", I would immediately send copies to a number of media outlets.

Having been notified you're holding someone else's property (even electronic) and then only wanting to return it in exchange for anything is probably going to fall under blackmail. If he had stated he'd delete it would just be a tad embarrassing, but by asking for something in exchange he has wandered into a different set of laws.

Now is pissing off law enforcement in general not a good move, but a judge will have almost no choice but to set exemplary consequences for this. Not a smart move.

As for your planned action, best avoid that if it is of government origin or you'd end up breaking the Official Secrets Act and that tends to get ugly fast, mistake or not.

How about if he had told them he'd "return" the data (And surely the police actually want the material deleted from his devices, not returned?) if he was reimbursed for time and materials? What if he then billed them for 4 hours at $500 an hour?

Not that I'd recommend that.

It's the police who need a lesson in link etiquette and it's very simple. If you're intending to send an upload link, send an upload link.

BTW, Has anyone seen Ms Streisand around here?

The guy was clearly in the wrong to allegedly blackmail the old Bill with his "Something in return" bait and thus probably deserved being nicked for non-compliance etc.

That said old Bill should be done for a classic GDPR breach, but I suppose that will be quietly swept under the carpet

Exactly. The charge should be blackmail. Not "hacking".

If he had instead sold it to a newspaper (if it was interesting enough to be newsworthy apart from the blunder itself) and then deleted it and told the cops that he had done so, then the bloke could've got his money and all we would be hearing about would be sacked police officers.

Not quite, due to the document ownership.

Yes, the cops need a smack on their fingers (but he who is without blame etc), but even if someone leaves the door to their house wide open it still doesn't give you the right to walk in and help yourself to whatever you find and then later blackmail the rightful owner for returning it.

I'm not sure how to tell the difference between a download link and an upload link? 20+ years in IT, I'm confused.

Unless they hyper linked with "Download" being the hotlink?

I do this a lot with error reports on Cisco switches.

They send me a link I upload files, I can see others files in the folder but as they relate to my ticket that is fine.

There is nothing to differentiate between a download or an upload link, it is just remote access to a file share.

The person who sent the link out needs to be disciplined and sent for retraining to make sure this does not happen again.

Yes, the officer shouldn't have sent the fileshare link*, but surely there should be some kind of a filter on their mail server so that mail to external domains is scanned for links to internal file shares and blocked when found?

* We're all human - could have been in a rush and sent the internal fileshare link by mistake instead of the public-facing evidence upload URL. But also how on earth were they able to access the file share without correct authentication?

If when you click on it, you feel compelled to say "We're in.", then it is a download link.

.. and you're in a Hollywood movie where "hacking" means guessing the name of someone's dog.

or favorite pr0n star. Was in a episode of Millennium.

Roedecker was here...

This is just supposition, but I wouldn't be surprised if whatever system they use to collect or distribute files displays a page when either type of link is pressed giving metadata about the file if it's a download link or an upload form if it's an upload link. That seems to fit their description of it being possible to determine that the link was wrong and not proceed.

Even if that's true, I don't think his action counts. Sure, a lot of people will know what that means, but not close enough to everybody that it's fair. I know people who don't know the difference between download and upload, some of whom would probably ignore the text and click the most obvious button that takes an action. I don't think laws on computer hacking cover that with enough certainty, and the crime committed seems to be extortion if something was demanded before he would delete data rather than intrusion into any system.

Dismiss the charges, arrest the officer who sent it in his place.

How bad is an IT structure if the cops cannot simply invalidate the download link?

The most reasonable approach was just skipped...

That wouldn't zap the files already downloaded..

I think a lot of you lot never finished the article. Yes, the first half makes it sound entirely the cops' fault... and it was! They gave him the link to the repository instead of the upload page.

So he downloaded a bunch of stuff. Which is... uhhh... okay, now we're getting shady. He knew he wasn't supposed to be downloading all this, but you can kind of excuse it because the cop gave him the link?

Then the cops figured out their cockup and said 'Uh, no, our bad, please delete those.' And this guy replied 'only if you give me a little sumthin sumthin capeesh?' (yes I'm sure this Nederlander had an italian mafia accent). That's when he got arrested. So just complete bungling all around.

Ai phinnisht reding phuhl artickl,

Including the stupid "ransom" point. Does not make the cop-fail any better. We ALL got it. We ALL read it. How dare you to imply otherwise. (Sending the cops to arrest for defamation, 'couse, wall, Ai no wer iur haus livs!)

I lived in NL and that's not Dutch!

Did he though?

We only have the police' vague claim that "he wanted something in return"*. It's somewhat odd that they didn't say what.

We also don't know what they demanded of him either. It's technically impossible to completely delete something from an SSD, so they may have demanded that he destroy his computer, or download and run some unknown data destruction software.

Both of which one would rightly refuse to do.

Given what we do know, this feels very much like they arrested him for embarrassing them.

* Note: this is a machine translation, my Dutch is worse than my German.

The translation is correct, [1]the original article indeed states " als hij 'er iets voor terug zou krijgen’ ", so " If he got 'something in return' ".

So, cops have just embarrassed themselves and then this chap tries to rub it in. Bad move. Stupid move, really.

[1] https://www.politie.nl/nieuws/2026/februari/13/07-man-aangehouden-voor-computervredebreuk-na-vergissing-politie.html

I wonder what he had in mind? Did he have a record that needed to be cleared? Surely he wasn't looking for "een muntje"

This not computer "hacking". The police fucked up. This their own fault. This is at most, accessing material he was not supposed to have access to, because the police messed up. He could have told the police that he had deleted the files and they would never had know, or just moved them to a removable usb stick or a external hard drive from his main computer (if this was not a mobile phone or a tablet). This man also got greedy and demanded, possibly money for deleting the files. That is only going to get him a jail sentence at most. I don't think the other stuff is going to stick, but I don't know how courts in the Netherlands work, so I might be wrong.