
“Counter-productive”, “stupid”, a “danger to Europe”: the computer security experts interviewed by OWNI did not mince their words when describing the proposed EU directive that aims to crack down on hacking in Europe. Hacking is the term used for the creative use of technology and, as such, is nothing illegal in and of itself.
In summary, the proposed directive states that:
Cyber attacks on communication systems would become a criminal offence punishable by at least two years in prison. Possessing or distributing hacking software and tools would also be an offence, and companies would be liable for cyber attacks committed for their benefit.
Despite perhaps the greatest of intentions, the draft directive presented by the Civil Liberties Committee of the European Parliament looks very much like technocratic nonsense, the origins of which go back several years.
Ralf Bendrath is a policy advisor to the Green MEP Jan Philipp Albrecht, and shadow rapporteur for the directive (and incidentally a former hacker). He offers a quick recap of recent history in this area.
The general approach of fighting cyber-crime and attacks against information systems with criminal law and repression against attackers is based on the Convention on Cybercrime agreed by the Council of Europe in 2000, and the new directive updates an earlier implementing decision of the EU Justice and Home Affairs ministers from 2005.
Sword of Damocles
On certain important points the text is vague, leaving considerable room for interpretation by a judge. Bendrath deplores the fact that policies with pernicious effects continue to be pursued.
We have argued from the beginning that if you think that raising a few penalties and introducing a few new aggravating circumstances in some criminal code will have any impact on the bad guys out there, you are just naive.
In this sense, the directive will not make much difference. The danger is more provisions that could also affect the “white hackers” (the “friendly hackers”), those who identify and repair security flaws. We need them because they are the immune system of the information society, and Article 7 which outlaws hacking tools or Article 8 of the incentive to certain attacks may also interfere.
A sword of Damocles, then, hangs over European hackers. Eric Filiol, a French researcher specialising in information security, and director of the ESIEA research centre, is equally concerned.
This could ultimately involve many people – hackers, researchers, those people who actually work in information security. It’s open to being influenced by the various interests. The text is draconian.
Innovation comes from below
Opponents of the text are concerned that the interests protected are primarily those of large companies in the sector, who would benefit from exemptions. The Swedish Pirate Party MEP Amelia Andersdotter explains.
As long as authorization is required for the use of networking tools, it’s of course very beneficial for already established companies in the security sector – they have the administrative capacity to get authorised, while someone who mostly fiddles around with technology in their free time does not.
However, Andersdotter thinks the proposal is not completely in the interest of the heavyweights of the security business.
I suspect the lobby knows this as well, if people aren’t allowed to work up their skills in their free time, security companies won’t actually have an employee base.

Philippe Langlois, organiser of the Hackito Ergo Sum festival, which last week gathered the cream of hackers in Paris, is also concerned. He believes the directive will be a huge impediment to innovation.
We risk building a new system where the arms and security heavyweights have the unwritten right to have hostile security tools. Except that the innovators in security are not the big companies, but the little 14-year-old kid that tears everything down, whose identity is a mystery.
Some are questioning the role of the European Network and Information Security Agency (ENISA), the agency of the European Union dedicated to cyber security, which has been charged with encouraging “best practices”. ENISA did not respond to any of our requests to contribute to this article. Philippe Langlois:
What’s the point of ENISA, do they get paid for this? Thinking about the consequences of their actions, why did they not explain why this is moronic?
Delay
The corollary of this two-tier system, continues Eric Filiol, is that “hackers will take refuge in an Internet underground, they will use BBS, encrypt their communications, hide their discoveries”. Filiol sees the draft law as the result of pressure from American lobbyists who would benefit from its implementation.
This will be a major setback, while we are already working for many of their US companies. VUPEN (a French company specializing in finding vulnerabilities in security systems), for example, already has American companies as major clients. This is a danger for Europe. And this will only encourage hackers to work for questionable interests, for big commercial enterprises.
In Germany, where a similar law was introduced in 2007, the effect was immediate. In the months that followed, projects were relocated or shut down rather than risk incurring penalties. While Ralf Bendrath also fears similar negative consequences, he doesn’t see the directive as the result of US lobbying.
As far as I know, there was no special pushing for this directive, because it is part of the renovation of a number of home affairs and criminal law regulations, for which the EU has a new legal basis now with the Lisbon Treaty.
Your move, European hackers
The Greens are working hard to influence the law, managing to insert “some safeguards in the European Parliament’s position” against the risk of undermining the work of amateur hackers. Negotiations between the European Commission, the European Parliament and the Council of Ministers will begin on April 23, with a plenary session this July. Ralf Bendrath is appealing to the community.
It would be helpful if IT security experts and hackers from different European countries could speak with their MEPs and administrations in the next weeks to make sure we get the best result possible, which in this case means keeping the most stupid and dangerous provisions out of the final law.
Eric Filiol looks to a famous German example as a model for a different approach.
Germany has acted in an intelligent way, in developing their community of hackers. The Chaos Computer Club is the storefront. It is healthy to have an active community.
Image Credits: Christopher Dombres CC-BY ; Tsevis CC-BY-NC-ND
