EU Cybercrime Bill Targets Anonymous: Makes It A Criminal Offense To Conduct 'Cyber Attack'

from the seems-a-bit-broad dept

Wed, Apr 4th 2012 3:34am — Mike Masnick

While we're still sorting through the crazy cybersecurity bill proposals in the US, it appears that some in the EU are going through a similar process. The EU Parliament's "Civil Liberties Committee" has approved a legislative proposal concerning "cyber attacks," which appears to ramp up criminal penalties for all sorts of broadly defined activities. It even applies criminal penalties to a company if an employee hacks into a competitor's database (even if they weren't told to do it). But where it gets scary is when it appears to directly target "hactivism" like what Anonymous does. While we still think Anonymous' DDoS attacks are incredibly counterproductive, are they really criminal?

The Committee's proposals would make it a criminal offence to conduct cyber attacks on computer systems. Individuals would face at least two years in jail if served with the maximum penalty for the offence.

A maximum penalty of at least five years in jail could apply if "aggravating circumstances" or "considerable damage ... financial costs or loss of financial data" occurred, the Parliament said in a statement.

One aggravating circumstance in which the heavier penalty could be levied is if an individual uses 'botnet' tools "specifically designed for large-scale attacks". Considerable damage may be said to have occurred through the disruption of system services, according to plans disclosed by the Parliament.

Even more ridiculous? Merely "possessing... hacking software and tools" could lead to criminal charges. Does that make everyone with a computer a criminal? This whole thing seems like a bad overreaction by politicians who are freaked out, but who clearly don't understand the technology in question.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: anonymous, cybercrime, european union, hactivism

65 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

That Anonymous Coward (profile), 4 Apr 2012 @ 3:50am

And this is what we get for having laws pushed by hysterical media reports.
Proposed by the clueless, and punishing everyone.

Giving people power gives them brain damage, prove otherwise.
[ link to this | view in chronology ]
- Lord Binky, 4 Apr 2012 @ 7:38am
  
  Re:
  Actually there are studies that show the more power someone has the less brainpower they put into their decisions. It's really sad that in the study I remember, just being told what your position of power was in the decision tree determined whether you decided based on data or shiny advertising like a three year old.
  [ link to this | view in chronology ]
Anonymous Coward, 4 Apr 2012 @ 3:50am

And thus sets back European security research by decades
Since of course "hacking tools" will be interpreted (at the first available) opportunity to include anything that they want it to include. It's only a matter of time until someone gets sent to prison for "ping" and "traceroute".

Way to go, ignorant assholes.
[ link to this | view in chronology ]
- gorehound (profile), 4 Apr 2012 @ 5:18am
  
  Re: And thus sets back European security research by decades
  +1
  Revolution #9
  [ link to this | view in chronology ]
- Machin Shin (profile), 4 Apr 2012 @ 5:45am
  
  Re: And thus sets back European security research by decades
  Well whats worse is what do you think network security guys use to make sure their network is secure? In order to secure a network you have to find the holes and to find the holes you use the same "hacker tools" the bad hackers use.
  
  So this law basically will make a criminal out of most network security professionals who will have to choose to be a criminal or change their job. They cannot do their job effectively without these tools and yet having them will be illegal.
  
  On the other hand the true hackers will throw a party and run wild. Suddenly every hackers greatest enemy has been shut down by the government because the destructive hackers don't care about the law.
  [ link to this | view in chronology ]
  - That Anonymous Coward (profile), 4 Apr 2012 @ 5:49am
    
    Re: Re: And thus sets back European security research by decades
    If you outlaw hacker tools only hackers will have... er wait...
    If you outlaw hacker tools people will be cracking systems with slide rules.
    [ link to this | view in chronology ]
[citation needed or GTFO], 4 Apr 2012 @ 3:51am

Because we all know the usual idiots are going to accuse Mike of supporting Anonymous attacks...
I'm on record as saying that I think the activist hacking by groups like Anonymous, designed to take down websites in protest, are not particularly smart or useful.

Now, I've been very clear since Anonymous started this effort -- shutting down various websites using what is effectively crowdsourced distributed denial of service attacks -- that I think the strategy is really dumb.

I think that denial of service attacks are a pretty dumb idea.

I've been on record for a while now that I think the strategy of doing DDoS attacks on websites that people don't like is a bad idea, that will lead to backlash.
[ link to this | view in chronology ]
- Silence8, 4 Apr 2012 @ 12:26pm
  
  Re: Because we all know the usual idiots are going to accuse Mike of supporting Anonymous attacks...
  The way I see the DDOS attacks is, they're the modern equivalent of picketing a business.
  
  Their business is disrupted for a short time, people get their message out. (Most times DDOS attacks are followed with twitter or facebook announcements as to why the attack occured)
  
  I get the idea behind the attacks, but it seems they're leading to a more, and more locked-down internet for the rest of us who don't participate in them, but protest these companies in our own ways.
  
  With that said, they seem like the kids are having fun, but it's all fun and games until the internet is no longer useful for the rest of us.
  [ link to this | view in chronology ]
felsby (profile), 4 Apr 2012 @ 3:54am

Cannot wait to read about investigators facing encrypted drives: Give us the password so we can put you in jail!
[ link to this | view in chronology ]
- Machin Shin (profile), 4 Apr 2012 @ 6:26am
  
  Re:
  This has happened already, there have been some big debates over the legality of demanding a password from someone. In the US at least we are protected from being forced to say anything incriminating. So the question is does that cover me with holding my password.
  [ link to this | view in chronology ]
  - Watchit (profile), 4 Apr 2012 @ 8:41am
    
    Re: Re:
    I think there was one ruling where the judge said it was ok to force someone to give up a password for a computer.
    [ link to this | view in chronology ]
    - The Infamous Joe (profile), 4 Apr 2012 @ 9:49am
      
      Re: Re: Re:
      No, it's far more of a stretch than that. To route around the fifth amendment, the judge said the woman had to unencrypt the drive or face contempt of court charges, but since she wasn't actually telling anyone the password, she wasn't being forced to incriminate herself.
      [ link to this | view in chronology ]
      - That One Guy (profile), 4 Apr 2012 @ 4:03pm
        
        Re: Re: Re: Re:
        I'm confused...
        
        Giving up a password = the password protected stuff can now be accessed, where it couldn't be before.
        
        Unencrypting a HD = the encrypted stuff can now be accessed, where it couldn't be before.
        
        What kind of drugs was the judge on to think there is any difference at all between those two?
        [ link to this | view in chronology ]
- Pwdrskir (profile), 4 Apr 2012 @ 7:05pm
  
  Re:
  Plead the 5th and ask for your lawyer.
  
  Why you should never talk to the police EVER video.
  http://www.youtube.com/watch?v=i8z7NC5sgik&feature=my_liked_videos&list=LLykP7pfCDlv 4ksMbbYzbR4A
  [ link to this | view in chronology ]
Jeremy Lyman (profile), 4 Apr 2012 @ 3:55am

How can something be �no less than three if it exceeds six?� I mean, six�s still more than three, right?
[ link to this | view in chronology ]
- Jareth Cutestory, 4 Apr 2012 @ 5:27am
  
  Re:
  I know right! That makes no sense. And did you know Justice is blind? I sure as heck didn't.
  [ link to this | view in chronology ]
PaulT (profile), 4 Apr 2012 @ 4:08am

"the heavier penalty could be levied is if an individual uses 'botnet' tools "specifically designed for large-scale attacks""

How would this apply to zombie botnets, I wonder?

"Merely "possessing... hacking software and tools" could lead to criminal charges. Does that make everyone with a computer a criminal?"

That would be the logical conclusion for anyone who knows what they're talking about. I have Wireshark installed on my laptop, nmap and a live CD of Backtrack for diagnostics of my company network. Apparently I need to go to jail...
[ link to this | view in chronology ]
- That Anonymous Coward (profile), 4 Apr 2012 @ 4:22am
  
  Re:
  Assume the position and stay where you are, they will be arriving by black helicopter shortly.
  
  Soon we'll have cops dropping flash drives with hack tools on them to run sting operations on people who pick them up.
  [ link to this | view in chronology ]
Keii (profile), 4 Apr 2012 @ 4:20am

It's a modern day witch hunt.

"It has protruding wires, it must be a bomb!"

"There are musics there, it must be illegal!"

"I don't understand this piece of software, it must be a hack!"

"You're pretty knowledgeable with computers, you must be fluent in every piece of software."
[ link to this | view in chronology ]
- That Anonymous Coward (profile), 4 Apr 2012 @ 4:35am
  
  Re:
  Imagine the look on their face if the machine booted to AnonOS
  [ link to this | view in chronology ]
  - Michael, 4 Apr 2012 @ 5:32am
    
    Re: Re:
    lol! AnonOS is a honeypot.
    [ link to this | view in chronology ]
    - That Anonymous Coward (profile), 4 Apr 2012 @ 5:41am
      
      Re: Re: Re:
      iknowright!
      [ link to this | view in chronology ]
abc gum, 4 Apr 2012 @ 4:31am

Write a hello world program?
That's a tazing.
[ link to this | view in chronology ]
- Anonymous Coward, 4 Apr 2012 @ 8:16pm
  
  Re:
  Netsend? Oh you better believe that's a tazing.
  [ link to this | view in chronology ]
izzitme101, 4 Apr 2012 @ 4:35am

prison time!
I guess its time for everyone to just drop everything, and voluntarily walk to the nearest police station, and admit every crime we are all accused of.
After making your statements, you can walk straight to the mearest prison, do not pass the dole office, do not collect 70 quid.
[ link to this | view in chronology ]
Dionaea (profile), 4 Apr 2012 @ 4:37am

"considerable damage ... financial costs or loss of financial data"
And how the hell are they going to determine what considerable damage is? The copyright trolls think downloading a single song causes them thousands of dollars of damage and the scariest thing is that judges agree with them sometimes. How much are corporations going to claim for being taken offline or having a damaging message up for several hours? If you don't define the size of the stick they're allowed to use to beat people up they're gonna go for a trunk of a sequoia tree...
[ link to this | view in chronology ]
- That Anonymous Coward (profile), 4 Apr 2012 @ 4:55am
  
  Re: "considerable damage ... financial costs or loss of financial data"
  Buying legislation was cheaper than actually putting any security on their sites.
  This way they can just sue the bad actors for whatever losses are caused by their failure to protect data in their care.
  [ link to this | view in chronology ]
Anonymous Coward, 4 Apr 2012 @ 4:42am

I like the part where you get more jail time if they have greater data loss. Make sure the company your attacking has good backups!
[ link to this | view in chronology ]
Squig (profile), 4 Apr 2012 @ 4:58am

How nice of them to give all Pirate Parties in Europe a big boost!
[ link to this | view in chronology ]
Anonymous Coward, 4 Apr 2012 @ 5:42am

and as per usual, everything that is detrimental to citizens or is done without the permission of citizens is ok. yet another law put into place by stupid old farts that have no fucking clue what the hell they are voting on, let alone for! about time for a complete change of age group in politics, letting the tech generation deal with things. if not, instead of making progress we will be regressing, not just stagnating.
[ link to this | view in chronology ]
- Chuck Norris' Enemy (deceased) (profile), 4 Apr 2012 @ 6:17am
  
  Re:
  You realize how screwed up our governments are when a Civil Liberties Committee is writing laws to take away civil liberties.
  [ link to this | view in chronology ]
Anonymous Coward, 4 Apr 2012 @ 6:10am

Guyz
I have wireshark and visual studio installed on my computer. I'm fucked aren't I?

They're gonna come for me. :(
[ link to this | view in chronology ]
Anonymous Coward, 4 Apr 2012 @ 6:16am

Hands need outlawing, too! And brains! ONLY ZOMBIES ARE SAFE FROM THE ABTI-HACKING BILL!!!
[ link to this | view in chronology ]
Anonymous Coward, 4 Apr 2012 @ 6:24am

Oh, oh. What's this bill going to do to my Warcraft matches?

- Peasants have hacking tools (for chopping down trees).
- Orcs have hacking tools too (for chopping down peasants).
- Considerable damage is happening all the time (it *is* war, after all), which, in turn, brings considerable financial loss (to your enemy, hopefully).
- I tend to play with AI players. Does ganging up on the enemy together with the AI count as using "botnets specifically designed for large-scale attacks"?
[ link to this | view in chronology ]
Anonymous Coward, 4 Apr 2012 @ 6:43am

They are ABSOLUTELY criminal. As someone who champions the value of free speach and claims that removing content is a violation of constitutional rights you should be condemning ALL DOS attacks. The entire purpose of these attacks is to CENSOR websites. You complain about censorship when it's the government doing it but you don't think it is wrong when hackers do it? How can anyone take you seriously when you are so hypocritical.
[ link to this | view in chronology ]
- PaulT (profile), 4 Apr 2012 @ 6:51am
  
  Re:
  Whoosh!!!
  
  That was the sound of both Mike's opinion and the criticisms being made sailing above your head high enough to bring satellites out of orbit.
  
  SOP, of course.
  [ link to this | view in chronology ]
  - Anonymous Coward, 4 Apr 2012 @ 8:11am
    
    Re: Re:
    I agree with you, but show your work. If you don't, you are as bad as the person you're whooshing.
    [ link to this | view in chronology ]
  - Anonymous Coward, 4 Apr 2012 @ 8:41am
    
    Re: Re:
    No his criticisms are not because of the censoring but because he felt their actions are ineffective if not counter-productive. He never complained that the DOS attacks censor content.
    [ link to this | view in chronology ]
Overcast (profile), 4 Apr 2012 @ 6:47am

Even more ridiculous? Merely "possessing... hacking software and tools" could lead to criminal charges.

Define 'hacking software and tools'.

The DOS prompt?
Telnet?
IP Scanners?
Ethernet Sniffers?

All of those - while being critical tools to 'hack' - are also have a quite legitimate and sometimes necessary role.

I sweep subnets often at work looking for Remote Access Controllers since they don't register with DNS, and we don't use WINS.

Ethernet Sniffers are sometimes the only way to track down rouge traffic on a LAN, situational, of course.

And some of these tools are on just about every windows/linux install - so they need to arrest everyone with a computer.
[ link to this | view in chronology ]
- Anonymous Coward, 4 Apr 2012 @ 7:25am
  
  Re:
  They are not critical tools to hack in and of themselves. Used in normal means, they are not hacking tools, any more than a hammer is a weapon. But if you use that hammer to start whacking people in the head, it becomes a weapon.
  
  You guys are way too literal for your own good sometimes.
  [ link to this | view in chronology ]
  - Anonymous Coward, 4 Apr 2012 @ 7:38am
    
    Re: Re:
    You do realize that some of the tools that will be branded as hacking tools because they are "obviously" hacking tools (I'm looking at LOIC, here) actually do have practical uses? LOIC can be (and regularly is) used to stress test web servers.
    
    So while yes, claiming that this will outlaw ping is hyperbole, it's still an overreaching law written by those who know nothing about technology.
    [ link to this | view in chronology ]
    - Anonymous Coward, 4 Apr 2012 @ 8:15am
      
      Re: Re: Re:
      You do realize that some of the tools that will be branded as hacking tools because they are "obviously" hacking tools (I'm looking at LOIC, here) actually do have practical uses? LOIC can be (and regularly is) used to stress test web servers.
      
      Agreed. Also, pretty much anything considered a 'hacking tool' (including malware) can be and is used for stress testing and security audits.
      
      I'll even add another example for you. When Conficker was big, I infected a computer on my test network on purpose to test the removal tools for it. That way if it got past all of the safeguards that we put in place, I knew that I could remove it safely and effectively.
      [ link to this | view in chronology ]
      - Watchit (profile), 4 Apr 2012 @ 8:53am
        
        Re: Re: Re: Re:
        exactly, but there is no provision in the law that differentiates "hacking tools" and "hacking tools with a legitimate purpose". While the "intended purpose" of the law isn't to go after those legitimate uses, laws with the ability to be abused will be, and there is no denying that.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 4 Apr 2012 @ 11:41am
        
        Re: Re: Re: Re: Re:
        But it is not only tools that are affected. It might even chill legitimate research. Germany has the laws and because of that "A Bug Hunter's Diary" http://nostarch.com/bughunter.htm lack the actual exploits. And occasionally the exploits are necessary to convince and embarrass vendors if they claim a DOS instead of a arbitrary code execution.
        [ link to this | view in chronology ]
Anonymous Coward, 4 Apr 2012 @ 6:58am

These people are mentally deranged and need to be dispatched to the looney bin post haste.
[ link to this | view in chronology ]
Anonymous Coward, 4 Apr 2012 @ 7:15am

EFF had some comments also.

https://www.eff.org/sites/default/files/filenode/Submission-Parliament-Hacking-Tools-vf.pdf
[ link to this | view in chronology ]
Robert (profile), 4 Apr 2012 @ 7:24am

And when "law enforcement" does it?
Is it still criminal when law enforcement does it? For example, will it be criminal for FBI or NSA or whoever it was to coordinate or pay a group from India to coordinate a DDoS against The Pirate Bay? Of course that was at the behest of Hollywood, but still.

Or is it as usual, laws only apply to non-governmental groups (ie: everyone not on tax-payer payroll)?
[ link to this | view in chronology ]
- btr1701 (profile), 4 Apr 2012 @ 10:44am
  
  Re: And when "law enforcement" does it?
  > will it be criminal for FBI or NSA or whoever
  > it was to coordinate or pay a group from India
  > to coordinate a DDoS against The Pirate Bay?
  
  No.
  
  This is a proposed EU law. If passed, it will only apply to EU member countries. Since neither the US nor India are EU member countries, nothing they do will be criminalized under this law.
  [ link to this | view in chronology ]
  - lol, 4 Apr 2012 @ 11:16am
    
    Re: Re: And when "law enforcement" does it?
    they will catch up. if theres one thing the US and india will never miss its a chance to screw people over.
    [ link to this | view in chronology ]
Anonymous Coward, 4 Apr 2012 @ 7:35am

Is UK law written by private jails too? Making it illegal to own a computer with ping/tracert/telnet sounds like it'd be an easy way for them to make a few extra million.
[ link to this | view in chronology ]
Pete Austin, 4 Apr 2012 @ 7:42am

Re: a hammer is not a weapon
Try that argument the next time you fly somewhere, and take along your hammer. Please can you get a friend to video the reaction of the security guards when you use the words, "whacking people in the head".

If something can plausibly be used as a weapon, police may treat it as a weapon - so, your opinion is interesting, but not the one that ultimately matters.
[ link to this | view in chronology ]
- That One Guy (profile), 4 Apr 2012 @ 4:20pm
  
  Re: Re: a hammer is not a weapon
  Problem with that is given just a little time you can use anything as a weapon, so attempting to outlaw something because it might would be used illegally would be downright impossible, as it would apply to almost anything and everything in existence.
  [ link to this | view in chronology ]
Anonymous Coward, 4 Apr 2012 @ 8:00am

33.

To further your analogy. No it is not about tools like hammers, more like tools like knives. The country where I live it is illegal to carry a knife in public places unless I have specific legal reason to, like carpenters are allowed to if they are working in a public place. Now regardless of my intent to use it to hurt someone with said knife I still run the risk of being jailed up to six months.

This is a case where a tool like nmap would be classified as a cyber attack tool Possesion and/or distribution such a tool would carry to the risk iregardless of intent at least two years of jail time in a pound-you-in-the-ass prison.

Read the comments from about the intent(under the header mens rea) part from EFF https://www.eff.org/sites/default/files/filenode/Submission-Parliament-Hacking-Tools-vf.pdf
[ link to this | view in chronology ]
Cowardly Anonymous, 4 Apr 2012 @ 8:40am

Goodbye White hats
Let's see here:

1) White hat hackers driven away. Young hackers driven heavily towards black hat pursuits.

2) Supply of new security professionals drys up. Supply of black hat hackers increases.

3) Firesale/Nuke hack gets through the inadequate security.

4) Chaos, death, destruction.

5) Building a new world from the ashes, if anyone is left.

Conclusion:
Politicians are horrible strategists.
[ link to this | view in chronology ]
- Watchit (profile), 4 Apr 2012 @ 8:54am
  
  Re: Goodbye White hats
  They kids could be driven to gray hat pursuits as well, not exactly legal, but not exactly sinister either.
  [ link to this | view in chronology ]
Ninja (profile), 4 Apr 2012 @ 8:40am

Cybersecurity has become the new child porn of the censorship advocates...
[ link to this | view in chronology ]
Ure O'Peanonion, 4 Apr 2012 @ 10:32am

Regulation is going cancerous.
Regulation is going cancerous.

In the future the aforementioned cancer and its carriers will likely be targeted and eradicated.
[ link to this | view in chronology ]
lol, 4 Apr 2012 @ 10:40am

so the EU is going to arrest the entire internet?
im sure there terrified of the mean old politicians/possible pedophiles that wrote this.
[ link to this | view in chronology ]
Tux (profile), 4 Apr 2012 @ 11:47am

I use nmap, traceroute, ping, GCC, binutils, bash, lighttpd and SSH on a daily basis for legitimate reasons.

I dare the government to arrest me since all of that is "hacker software".

(If I need to check for holes in my config, I use nmap. If I need to test the network; ping/traceroute. Need to compile? GCC. Need to have a secure connection to a remote server? SSH and bash. IF I NEED A FUCKING WEB SERVER, I USE LIGHTTPD).

ffs, seriously
[ link to this | view in chronology ]
aldestrawk (profile), 4 Apr 2012 @ 12:28pm

There was an incident in Britain, which already has a law similar to the CFAA in the US, where Glenn Mangham was sentenced several weeks ago to 8 months in jail for doing security research. He found a security vulnerability in Facebook and collected evidence (internal Facebook documents and code) to present to Facebook as proof of the vulnerability. Despite the judge in his case stating:

"I acknowledge ... that you never intended to pass any information you got through these criminal offences to anyone else and you never did so, and I acknowledge that you never intended to make any financial gain for yourself from these offences,"

he was found guilty and sentenced to jail time under Computer Misuse Act despite having no criminal intent associated with his actions. The EU Cybercrime bill not only would allow this kind of abuse across all of Europe, it would be worse than the CMA or the US CFAA.

http://www.out-law.com/en/articles/2012/february/british-facebook-hacker-sentenced-to-eight -months-in-jail/
[ link to this | view in chronology ]
- Anonymous Coward, 4 Apr 2012 @ 1:05pm
  
  Re:
  Yeah, and the real question is. Does it make us as users safer? I don't think so.
  [ link to this | view in chronology ]
Wally (profile), 4 Apr 2012 @ 1:51pm

Arrests
When Anonymous attacks, there is a huge effort to stay anonymous....redundant sounding no? Making "cyber attacks" illegal means they have to find ways to arrest people they cannot even trace an IP address to.
[ link to this | view in chronology ]
Anonymous Coward, 4 Apr 2012 @ 3:00pm

They are trying to build a police state like the us. More of your tax money hard at work.
[ link to this | view in chronology ]
pesti (profile), 4 Apr 2012 @ 11:18pm

Unrelated but ....not
Am I reading this right?...Need an opinion...

http://www.guardian.co.uk/commentisfree/2012/apr/04/national-liberty-counter-terrori sm-secret-courts
[ link to this | view in chronology ]
MaXe, 11 Apr 2012 @ 5:33am

Compromise Amendments
I am still surprised to see these news almost 2 weeks after they initially hit the web, and even more surprised that people seems to either be unaware of the compromise amendments that doesn't criminalize whitehats / ethical hackers.

You can read a debate along with the compromise amendment here:
http://forum.intern0t.org/security-news-feeds/4177-update-existing-eu-cyber-law-makes-worse-g ood-guys.html

(The compromise amendment comes directly from the Europa Parlament)
[ link to this | view in chronology ]