Leaked Document Shows EU Approach To Cybercrime Is Completely Misguided

from the that's-not-going-to-work dept

We didn't pay as much attention to the new proposals in the EU to ratchet up penalties for "cybercrime" in part because they came out just about the same time that the NSA surveillance information started leaking. However, someone who shall remain anonymous passed along to us a "group briefing" document from the EU Parliament team that came up with the latest cybercrime directive, which highlights a bit of the approach and some of the problems. The document is actually from a year ago, but it's definitely reflected in the final product. The entire focus of the document is on harsher penalties, even though there's no evidence that such penalties do any good or act as a deterrent. And, while the document does note that protecting "white hat hackers" is important for achieving "cybersecurity," apparently they had a lot of trouble agreeing on what to do to protect them:
As regards protecting "white hat hackers" as an integral part of the internet's immune system, we managed to achieve a very weak recital (6a bis) compared to the initial LIBE orientation vote. It is made clear that reporting of threats, risks, and vulnerabilities is crucial and needs incentives. The crucial last sentence, however, is not clear enough and far away from creating obligations for member states... Therefore there is no serious protection for white hat hackers who find vulnerabilities in other peoples' information systems and report them. We did, however, start a debate at all and got the whole EP united behind this.

[....] We managed to get a number of important safeguards in, and the fundamental debate on better IT security is opened. However, the directive is in many ways worse than the old framework decision. Higher penalties and the criminalisation of more practices and even tools are not only mainly symbolic, but even risk criminalising well-intended "white hat hackers" and curious teenagers. The problem was Council and a too weak negotiation strategy of the rapporteur at the very end.
From the details of the directive that came out, it appears that not many of these flaws have been fixed. Jan Philipp Albrecht, who was a part of the effort, clearly is not at all happy with how it came out:
But Albrecht attacked the directive, saying, "The legislation confirms the trend towards ever stronger criminal sanctions despite evidence, confirmed by Europol and IT security experts, that these sanctions have had no real effect in reducing malicious cyber attacks.

"Top cyber criminals will be able to hide their tracks, whilst criminal law and sanctions are a wholly ineffective way of dealing with cyber attacks from individuals in non-EU countries or with state-sponsored attacks.

"Significantly, the legislation fails to recognise the important role played by 'white hat hackers' in identifying weaknesses in the internet's immune system, with a view to strengthening security.

This will result in cases against these individuals, who pose no real security threat and play an important role in strengthening the internet, whilst failing to properly deal with real cyber criminals.

"The result will leave hardware and software manufacturers wholly responsible for product defects and security threats, with no incentive to invest in safer systems."
The equation here is pretty simple. Simply ratcheting up punishment does little to stop malicious hacking, because hackers rarely expect to get caught. So it does little or nothing to actually help stop online crime. What does help is having security researchers and others find, expose and fix vulnerabilities. But if you create massive new penalties for "cybercrime" and make the rules amorphous enough that those security researchers may be charged under them for trying to help, you reduce their incentive to help at all.

End result: more malicious hacking, and fewer people willing to actually help protect and fix vulnerabilities.

That's not good for anyone. But it fits with the technically clueless "law enforcement above all else" mentality we see too often in government these days, which seems to think that "greater enforcement" and "greater punishment" are the answer to any wrong, no matter how much evidence suggests that's untrue.
Filed Under: cybercrime, eu, security, whitehat hackers


Reader Comments
  • Zakida Paul (profile), 26 Jun 2013 @ 1:32am

    It seems no one in government or law enforcement of any country knows how to deal with cyber crime. Perhaps they should find experts who know what the hell they are talking about.

  • Anonymous Coward, 26 Jun 2013 @ 3:04am

    End result: more malicious hacking, and fewer people willing to actually help protect and fix vulnerabilities.

    That's not good for anyone.
    Isn't it? Keep in mind how incredibly popular malware is with governments these days. The likes of the NSA want vulnerabilities to remain unfixed, because they exploit them.

  • Anonymous Coward, 26 Jun 2013 @ 3:13am

    Setting Examples

    The examples of history show massive over-punishment does not work, and that crafting laws that crush skill development is wrong. These lawyers who sit in government should know better; you only need a good dose of clear thinking to see that throwing your technically competent people in jail forever, hoping the Micro$ofts of this world fix their bugs in a timely fashion, is no defense for a computer system. Check NSA access to Windows exploits and slow M$ bug fixes.

  • Ninja (profile), 26 Jun 2013 @ 3:20am

    Well, isn't it the new trend? To have incredibly harsh penalties for even the pettiest crimes? Or to sweep all the filth under the rug by blocking the 3rd party providing a channel or going after the low-hanging fruit?

    • Not an Electronic Rodent (profile), 26 Jun 2013 @ 5:39am

      Re:

      To have incredibly harsh penalties for even the pettiest crimes?
      Not quite. The idea is to have incredibly harsh penalties for the pettiest crimes that have any potential to inconvenience or take small amounts or imaginary amounts of money from an entity with truck loads of it, while generating a comparative slap on the wrist for serious crimes.

  • Anonymous Coward, 26 Jun 2013 @ 3:32am

    All countries and all governments are only interested in doing the easy bits. They want to punish the ordinary people for things that only those with malicious intent and extreme knowledge of how the internet works, how to 'hack' into various systems and how to glean whatever information they want so as to use it in whatever way they want to do damage or harm. I suppose the idea being that if they can screw over enough ordinary people, eventually they will catch a serious 'hacker' and deter like that, or the deterrent will be in the number of people sentenced for doing nothing other than using the 'net' in the way intended. The answer is to go after the serious ones concerned, but that would take time, money and sense, the last one being largely missing from those that make the decisions!

  • Anonymous Coward, 26 Jun 2013 @ 4:24pm

    Cyber bullshit.

  • JackOfShadows (profile), 28 Jun 2013 @ 1:40pm

    DMCA bad enough...

    The DMCA is bad enough here about some of the standard tools that anybody in systems security has. Now the EU off and goes to criminalize the rest of the standard kit. I guess I won't be traveling anywhere.
