We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
EU nations may criminalise creation of hacking tools

EU nations may criminalise creation of hacking tools

Critics say definition of offence is too loose

Article comments

Justice Ministers across Europe want to make the creation of "hacking tools" a criminal offence, but critics have hit back at the plans, saying that they are unworkable.

Ministers from all 27 countries of the European Union met on June 9 to discuss European Commission proposals for a directive on attacks against information systems. But in addition to approving the Commission's text, the ministers extended the draft to include "the production and making available of tools for committing offences".

This is problematic, as much legal and legitimate software could be put to criminal use by hackers. The draft mentions "malicious software designed to create botnets or unrightfully obtained computer passwords," but goes no further in attempting to clarify what "tools" might be subject to criminal sanctions.

For example, the distinction between a password cracker and a password recovery tool is not specified. Nor is there any mention of legitimate use for testing. Many tools that could be used for hacking in the wrong hands, are used by system administrators and security consultants to probe for vulnerabilities in corporate systems.

Illegal access, illegal system interference and illegal data interference as well as instigating, aiding, abetting and attempting to commit offences are already crimes under current EU law. However, ministers want to harmonise penalties for illegal interception of computer data, and see the imposition of a minimum two year sentence for the most serious crimes. They also want to oblige member states to collect basic statistical data on cybercrimes and to respond to urgent requests for information by other member states within eight hours.

The creation of hacking tools is already a criminal offence in the United Kingdom under the Computer Misuse Act, and in Germany under the 202C law, and is also cited in the Budapest Cybercrime Convention. But if included in an EU directive, all 27 member states would be required to ban production of these so-called "tools" in national law.

The introduction of the laws in Germany in 2007 and the UK in 2008 met with fierce criticism. In Germany many legitimate websites shut down or moved over fears that they might be prosecuted.

German PHP security professional Stefan Esser wrote on his blog at the time that the law was not clearly written and allows too much interpretation. "While our government says that they do not want to punish, for example, hired penetration testers, this is not written down in the law," Esser wrote.

The ministers' proposals will now be put to the European Parliament, which must approve the text before it can become law. It is likely that MEPs will question some of the ministers' assumptions and will seek to better define what is meant by "tools".

Share:

Comments

Advertisement
Send to a friend

Email this article to a friend or colleague:


PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.


ComputerworldUK Knowledge Vault

ComputerworldUK
Share
x
Open
* *