This document discusses a proposed EU directive that would criminalize the production and distribution of hacking tools. It summarizes concerns that this could penalize security researchers and lower overall security. The directive aims to combat cyberattacks but could restrict beneficial security research and testing. It may force some security companies to move abroad and leave EU countries less protected against attackers. The document outlines amendments being considered and the status of negotiations between the EU Council, Parliament, and Commission on the final language.
1. Hacking Tools, a criminal
offence?
Benjamin Henrion (FFII.org), 22 Oct 2012
2. About
● Foundation for a Free Information Infrastructure eV
● Active on many law related subjects:
■ ACTA
■ Software Patents directive, now Unitary Patent
■ IPRED1 (civil) and IPRED2 (criminal)
■ Data retention
■ Network of software companies and developers
● Personal
■ zoobab.com @zoobab
■ VoIP industry
■ HackerSpace.be
■ JTAG and reverse-engineering
3. Proposed EU directive
● Judicial cooperation in criminal matters:
combatting attacks against information systems
(COD 2010/0273)
● Repealing Framework Decision JHA 2005
● Lisbon treaty: new criminal competences for EU
● First reading, deal between Council and Parliament
4. Parliament press release
"The proposal also target tools used to commit
offences: the production or sale of devices such as
computer programs designed for cyber-attacks, or
which find a computer password by which an
information system can be accessed, would constitute
criminal offences."
5. EESC opinion
"[...] it will include new elements:
(a) It penalises the production, sale, procurement
for use, import, distribution or otherwise making
available of devices/tools used for committing the
offences."
6. Problems
● Tools are "neutral"
● "Hacking" tools have positive/negative use
● Intent: criteria for a judge
● Following this logic, knifes or hammers should be
banned?
● Publication of exploits is a crime
● Level of security is lowered
● Exodus of security companies abroad, attackers
from foreign countries are safe
9. Amendment example - Art 8bis
Responsabilité des fabriquants
"Les États membres prennent les mesures nécessaires
afin de garantir que les fabricants soient tenus pour
pénalement responsables de la production, de la mise
sur le marché, de la commercialisation, de
l'exploitation, ou du défaut de sécurité suffisante, de
produits et de systèmes qui sont défectueux ou qui
présentent des faiblesses de sécurité avérées qui
peuvent faciliter des cyberattaques ou la perte de
données."
10. German law of 2007
● "Many other German security researchers,
meanwhile, have pulled their proof-of-concept
exploit code and hacking tools offline for fear of
prosecution."
12. Status of the proposed directive
● Deal in secret closed doors Tri-logue (EC, EP, CM)
● June 2012
● Orientation vote in LIBE
● Blocked because of Schengen discussions
● Formality in LIBE
● Formality in Plenary?
13. Status of the proposed directive
● Deal in secret closed doors Tri-logue (EC, EP, CM)
● June 2012
● Orientation vote in LIBE
● Blocked because of Schengen discussions
● Formality in LIBE
● Formality in Plenary?
14. Compromise deal
● Extracts
● "Intent"
● "Aiding abetting inciting" examples
● Still ambiguous
● "Minor act" not defined
● Liability for IT systems vendors gone
● Etc...
