Obviously, this is awesome on countlessly many levels, which is why I've used this case from time to time pour encourager les autres. Especially in criminal law, where the principle of nulla poena sine lege reigns surpreme, the law must be interpreted carefully, based first and foremost on the (plain) meaning of the words used by the legislator. Just because something is, in the words of the Court of Appeals, "socially undesireable", that doesn't mean the Court should therefore stretch the meaning of the law beyond its plain meaning.
For what follows, however, it should be noted that the statute in question is not exactly a paragon of clarity. For the Dutch readers, it says the following:
Art. 138a lid 1 (oud) Sr
Met gevangenisstraf van ten hoogste een jaar of geldboete van de vierde categorie wordt, als schuldig aan computervredebreuk, gestraft hij die opzettelijk en wederrechtelijk binnendringt in een geautomatiseerd werk of in een deel daarvan. Van binnendringen is in ieder geval sprake indien de toegang tot het werk wordt verworven:
a. door het doorbreken van een beveiliging,
b. door een technische ingreep,
c. met behulp van valse signalen of een valse sleutel, of
d. door het aannemen van een valse hoedanigheid.
Art. 80sexies SrI'm not even going to attempt a translation. Suffice it to say that the list in the end is clear enough. It lists four things that at least qualify as hacking. The problem, both generally and for this case, is the term "geautomatiseerd werk", which I've never heard or seen anywhere else before or since, and which is clearly meant to refer to computers and such like without actually using the word computer or any other word that might be meaningful to the average Dutch speaker. Hence the problem of working out whether a router qualifies. Even the definition of art. 80sexies, which says that a "geautomatiseerd werk" is a tool used for storing, processing and transferring data electronically doesn't help as much as one might like.
Onder geautomatiseerd werk wordt verstaan een inrichting die bestemd is om langs elektronische weg gegevens op te slaan, te verwerken en over te dragen.
Therefore, the Court of Appeals, like a good Continental court, looked at the legislative history and found that the intention of the legislature was particularly to protect "those who, by using security measures, have indicated that they wished to shield their data from nosy intruders". Given that a router doesn't hold data, the court argued that the legislative history supported the view that they don't count.
Last December, Advocate-General Vellinga had fairly little difficulty supporting this view. After summing up the history of the case and the law, he simply noted that courts are allowed to base their interpretation of the law on statements made in parliament at the time the law was enacted and, citing the same passage from the parliamentary transcripts as the Court of Appeals, he concluded that that court had been correct.
(Interesting side-note: the Attorney-General's appeal brief and the Advocate-General's opinion on this point were both formulated in terms of the Rechtsgut that was allegedly protected by art. 138a Sr. That's a topic I encountered only a few days ago talking about the possibility of a criminal prosecution of Thilo Sarrazin in Germany on the Volokh Conspiracy.)
The High Council (= Supreme Court), however, quoted more generously from the legislative history, focusing particularly on the word "inrichting", which I translated loosly as "tool" earlier. The Court deduced from the transcripts it quoted that the law was intended to protect not only separate devices, but also networks and parts of networks. In other words, while the three activities of storing, processing and transferring data are cumulative, they do not have to be met by each and every single potentially hackable device, only by the totality of the network or group of devices that the device in question belongs to. It follows that routers, too, can be hacked.
While this is a plausible reading, I still think that the Court of Appeals' approach is less forced. After all, the High Council did not address the Rechtsgut problem: Which interests, exactly, was art. 138a Sr enacted to defend? Just because the High Council quoted legislative history does not mean that they engaged in teleological interpretation. They didn't, because they didn't say a word about the intentions of the lawmaker. In fact, if I had to categorise their approach with one of the classic models of legislative interpretation, the only thing I can think of is plain textualist interpretation, except that they used the legislative history instead of a dictionary to discover the meaning of "inrichting". That, I would think, is not something we would want to encourage. If we are going to focus on the meaning of the words in the statute, we should rely on the meaning that ordinary Dutch speakers give those words, or the meaning that can be found in a dictionary. If the legislature wants to deviate from the normal meaning of words, they should write a definition into the law. The fact that they did so here, but not very well, should be no concern of the courts.
Moreover, I think this result violates the principle of in dubio pro reo. Given that there were two plausible interpretations of the statute, the Court should have preferred the one that favoured the defendant. When in doubt, no one goes to jail.
P.S. To clarify: Given that using your neighbour's unsecured wifi does not involve doing any of the four things specifically listed in art. 138a (oud) Sr, nor anything comparable, I would imagine it is still legal. That said, you should consult your lawyer before engaging in anything that is potentially a crime, just to be sure.