EU Cybercrime Bill Targets Anonymous: Makes It A Criminal Offense To Conduct 'Cyber Attack'
from the seems-a-bit-broad dept
While we’re still sorting through the crazy cybersecurity bill proposals in the US, it appears that some in the EU are going through a similar process. The EU Parliament’s “Civil Liberties Committee” has approved a legislative proposal concerning “cyber attacks,” which appears to ramp up criminal penalties for all sorts of broadly defined activities. It even applies criminal penalties to a company if an employee hacks into a competitor’s database (even if they weren’t told to do it). But where it gets scary is when it appears to directly target “hactivism” like what Anonymous does. While we still think Anonymous’ DDoS attacks are incredibly counterproductive, are they really criminal?
The Committee’s proposals would make it a criminal offence to conduct cyber attacks on computer systems. Individuals would face at least two years in jail if served with the maximum penalty for the offence.
A maximum penalty of at least five years in jail could apply if “aggravating circumstances” or “considerable damage … financial costs or loss of financial data” occurred, the Parliament said in a statement.
One aggravating circumstance in which the heavier penalty could be levied is if an individual uses ‘botnet’ tools “specifically designed for large-scale attacks”. Considerable damage may be said to have occurred through the disruption of system services, according to plans disclosed by the Parliament.
Even more ridiculous? Merely “possessing… hacking software and tools” could lead to criminal charges. Does that make everyone with a computer a criminal? This whole thing seems like a bad overreaction by politicians who are freaked out, but who clearly don’t understand the technology in question.
Filed Under: anonymous, cybercrime, european union, hactivism
Comments on “EU Cybercrime Bill Targets Anonymous: Makes It A Criminal Offense To Conduct 'Cyber Attack'”
And this is what we get for having laws pushed by hysterical media reports.
Proposed by the clueless, and punishing everyone.
Giving people power gives them brain damage, prove otherwise.
Re: Re:
Actually there are studies that show the more power someone has the less brainpower they put into their decisions. It’s really sad that in the study I remember, just being told what your position of power was in the decision tree determined whether you decided based on data or shiny advertising like a three year old.
And thus sets back European security research by decades
Since of course “hacking tools” will be interpreted (at the first available) opportunity to include anything that they want it to include. It’s only a matter of time until someone gets sent to prison for “ping” and “traceroute”.
Way to go, ignorant assholes.
Re: And thus sets back European security research by decades
+1
Revolution #9
Re: And thus sets back European security research by decades
Well whats worse is what do you think network security guys use to make sure their network is secure? In order to secure a network you have to find the holes and to find the holes you use the same “hacker tools” the bad hackers use.
So this law basically will make a criminal out of most network security professionals who will have to choose to be a criminal or change their job. They cannot do their job effectively without these tools and yet having them will be illegal.
On the other hand the true hackers will throw a party and run wild. Suddenly every hackers greatest enemy has been shut down by the government because the destructive hackers don’t care about the law.
Re: Re: And thus sets back European security research by decades
If you outlaw hacker tools only hackers will have… er wait…
If you outlaw hacker tools people will be cracking systems with slide rules.
Because we all know the usual idiots are going to accuse Mike of supporting Anonymous attacks...
I’m on record as saying that I think the activist hacking by groups like Anonymous, designed to take down websites in protest, are not particularly smart or useful.
Now, I’ve been very clear since Anonymous started this effort — shutting down various websites using what is effectively crowdsourced distributed denial of service attacks — that I think the strategy is really dumb.
I think that denial of service attacks are a pretty dumb idea.
I’ve been on record for a while now that I think the strategy of doing DDoS attacks on websites that people don’t like is a bad idea, that will lead to backlash.
Re: Because we all know the usual idiots are going to accuse Mike of supporting Anonymous attacks...
The way I see the DDOS attacks is, they’re the modern equivalent of picketing a business.
Their business is disrupted for a short time, people get their message out. (Most times DDOS attacks are followed with twitter or facebook announcements as to why the attack occured)
I get the idea behind the attacks, but it seems they’re leading to a more, and more locked-down internet for the rest of us who don’t participate in them, but protest these companies in our own ways.
With that said, they seem like the kids are having fun, but it’s all fun and games until the internet is no longer useful for the rest of us.
Cannot wait to read about investigators facing encrypted drives: Give us the password so we can put you in jail!
Re: Re:
This has happened already, there have been some big debates over the legality of demanding a password from someone. In the US at least we are protected from being forced to say anything incriminating. So the question is does that cover me with holding my password.
Re: Re: Re:
I think there was one ruling where the judge said it was ok to force someone to give up a password for a computer.
Re: Re: Re: Re:
No, it’s far more of a stretch than that. To route around the fifth amendment, the judge said the woman had to unencrypt the drive or face contempt of court charges, but since she wasn’t actually telling anyone the password, she wasn’t being forced to incriminate herself.
Re: Re: Re:2 Re:
I’m confused…
Giving up a password = the password protected stuff can now be accessed, where it couldn’t be before.
Unencrypting a HD = the encrypted stuff can now be accessed, where it couldn’t be before.
What kind of drugs was the judge on to think there is any difference at all between those two?
Re: Re:
Plead the 5th and ask for your lawyer.
Why you should never talk to the police EVER video.
http://www.youtube.com/watch?v=i8z7NC5sgik&feature=my_liked_videos&list=LLykP7pfCDlv4ksMbbYzbR4A
How can something be ?no less than three if it exceeds six?? I mean, six?s still more than three, right?
Re: Re:
I know right! That makes no sense. And did you know Justice is blind? I sure as heck didn’t.
“the heavier penalty could be levied is if an individual uses ‘botnet’ tools “specifically designed for large-scale attacks””
How would this apply to zombie botnets, I wonder?
“Merely “possessing… hacking software and tools” could lead to criminal charges. Does that make everyone with a computer a criminal?”
That would be the logical conclusion for anyone who knows what they’re talking about. I have Wireshark installed on my laptop, nmap and a live CD of Backtrack for diagnostics of my company network. Apparently I need to go to jail…
Re: Re:
Assume the position and stay where you are, they will be arriving by black helicopter shortly.
Soon we’ll have cops dropping flash drives with hack tools on them to run sting operations on people who pick them up.
It’s a modern day witch hunt.
“It has protruding wires, it must be a bomb!”
“There are musics there, it must be illegal!”
“I don’t understand this piece of software, it must be a hack!”
“You’re pretty knowledgeable with computers, you must be fluent in every piece of software.”
Re: Re:
Imagine the look on their face if the machine booted to AnonOS
Re: Re: Re:
lol! AnonOS is a honeypot.
Re: Re: Re: Re:
iknowright!
Write a hello world program?
That’s a tazing.
Re: Re:
Netsend? Oh you better believe that’s a tazing.
prison time!
I guess its time for everyone to just drop everything, and voluntarily walk to the nearest police station, and admit every crime we are all accused of.
After making your statements, you can walk straight to the mearest prison, do not pass the dole office, do not collect 70 quid.
"considerable damage ... financial costs or loss of financial data"
And how the hell are they going to determine what considerable damage is? The copyright trolls think downloading a single song causes them thousands of dollars of damage and the scariest thing is that judges agree with them sometimes. How much are corporations going to claim for being taken offline or having a damaging message up for several hours? If you don’t define the size of the stick they’re allowed to use to beat people up they’re gonna go for a trunk of a sequoia tree…
Re: "considerable damage ... financial costs or loss of financial data"
Buying legislation was cheaper than actually putting any security on their sites.
This way they can just sue the bad actors for whatever losses are caused by their failure to protect data in their care.
I like the part where you get more jail time if they have greater data loss. Make sure the company your attacking has good backups!
How nice of them to give all Pirate Parties in Europe a big boost!
and as per usual, everything that is detrimental to citizens or is done without the permission of citizens is ok. yet another law put into place by stupid old farts that have no fucking clue what the hell they are voting on, let alone for! about time for a complete change of age group in politics, letting the tech generation deal with things. if not, instead of making progress we will be regressing, not just stagnating.
Re: Re:
You realize how screwed up our governments are when a Civil Liberties Committee is writing laws to take away civil liberties.
Guyz
I have wireshark and visual studio installed on my computer. I’m fucked aren’t I?
They’re gonna come for me. 🙁
Hands need outlawing, too! And brains! ONLY ZOMBIES ARE SAFE FROM THE ABTI-HACKING BILL!!!
Oh, oh. What’s this bill going to do to my Warcraft matches?
– Peasants have hacking tools (for chopping down trees).
– Orcs have hacking tools too (for chopping down peasants).
– Considerable damage is happening all the time (it *is* war, after all), which, in turn, brings considerable financial loss (to your enemy, hopefully).
– I tend to play with AI players. Does ganging up on the enemy together with the AI count as using “botnets specifically designed for large-scale attacks”?
They are ABSOLUTELY criminal. As someone who champions the value of free speach and claims that removing content is a violation of constitutional rights you should be condemning ALL DOS attacks. The entire purpose of these attacks is to CENSOR websites. You complain about censorship when it’s the government doing it but you don’t think it is wrong when hackers do it? How can anyone take you seriously when you are so hypocritical.
Re: Re:
Whoosh!!!
That was the sound of both Mike’s opinion and the criticisms being made sailing above your head high enough to bring satellites out of orbit.
SOP, of course.
Re: Re: Re:
I agree with you, but show your work. If you don’t, you are as bad as the person you’re whooshing.
Re: Re: Re:
No his criticisms are not because of the censoring but because he felt their actions are ineffective if not counter-productive. He never complained that the DOS attacks censor content.
Even more ridiculous? Merely “possessing… hacking software and tools” could lead to criminal charges.
Define ‘hacking software and tools’.
The DOS prompt?
Telnet?
IP Scanners?
Ethernet Sniffers?
All of those – while being critical tools to ‘hack’ – are also have a quite legitimate and sometimes necessary role.
I sweep subnets often at work looking for Remote Access Controllers since they don’t register with DNS, and we don’t use WINS.
Ethernet Sniffers are sometimes the only way to track down rouge traffic on a LAN, situational, of course.
And some of these tools are on just about every windows/linux install – so they need to arrest everyone with a computer.
Re: Re:
They are not critical tools to hack in and of themselves. Used in normal means, they are not hacking tools, any more than a hammer is a weapon. But if you use that hammer to start whacking people in the head, it becomes a weapon.
You guys are way too literal for your own good sometimes.
Re: Re: Re:
You do realize that some of the tools that will be branded as hacking tools because they are “obviously” hacking tools (I’m looking at LOIC, here) actually do have practical uses? LOIC can be (and regularly is) used to stress test web servers.
So while yes, claiming that this will outlaw ping is hyperbole, it’s still an overreaching law written by those who know nothing about technology.
Re: Re: Re: Re:
Agreed. Also, pretty much anything considered a ‘hacking tool’ (including malware) can be and is used for stress testing and security audits.
I’ll even add another example for you. When Conficker was big, I infected a computer on my test network on purpose to test the removal tools for it. That way if it got past all of the safeguards that we put in place, I knew that I could remove it safely and effectively.
Re: Re: Re:2 Re:
exactly, but there is no provision in the law that differentiates “hacking tools” and “hacking tools with a legitimate purpose”. While the “intended purpose” of the law isn’t to go after those legitimate uses, laws with the ability to be abused will be, and there is no denying that.
Re: Re: Re:3 Re:
But it is not only tools that are affected. It might even chill legitimate research. Germany has the laws and because of that “A Bug Hunter’s Diary” http://nostarch.com/bughunter.htm lack the actual exploits. And occasionally the exploits are necessary to convince and embarrass vendors if they claim a DOS instead of a arbitrary code execution.
These people are mentally deranged and need to be dispatched to the looney bin post haste.
EFF had some comments also.
https://www.eff.org/sites/default/files/filenode/Submission-Parliament-Hacking-Tools-vf.pdf
And when "law enforcement" does it?
Is it still criminal when law enforcement does it? For example, will it be criminal for FBI or NSA or whoever it was to coordinate or pay a group from India to coordinate a DDoS against The Pirate Bay? Of course that was at the behest of Hollywood, but still.
Or is it as usual, laws only apply to non-governmental groups (ie: everyone not on tax-payer payroll)?
Re: And when "law enforcement" does it?
> will it be criminal for FBI or NSA or whoever
> it was to coordinate or pay a group from India
> to coordinate a DDoS against The Pirate Bay?
No.
This is a proposed EU law. If passed, it will only apply to EU member countries. Since neither the US nor India are EU member countries, nothing they do will be criminalized under this law.
Re: Re: And when "law enforcement" does it?
they will catch up. if theres one thing the US and india will never miss its a chance to screw people over.
Is UK law written by private jails too? Making it illegal to own a computer with ping/tracert/telnet sounds like it’d be an easy way for them to make a few extra million.
a hammer is not a weapon
Try that argument the next time you fly somewhere, and take along your hammer. Please can you get a friend to video the reaction of the security guards when you use the words, “whacking people in the head”.
If something can plausibly be used as a weapon, police may treat it as a weapon – so, your opinion is interesting, but not the one that ultimately matters.
Re: a hammer is not a weapon
Problem with that is given just a little time you can use anything as a weapon, so attempting to outlaw something because it might would be used illegally would be downright impossible, as it would apply to almost anything and everything in existence.
33.
To further your analogy. No it is not about tools like hammers, more like tools like knives. The country where I live it is illegal to carry a knife in public places unless I have specific legal reason to, like carpenters are allowed to if they are working in a public place. Now regardless of my intent to use it to hurt someone with said knife I still run the risk of being jailed up to six months.
This is a case where a tool like nmap would be classified as a cyber attack tool Possesion and/or distribution such a tool would carry to the risk iregardless of intent at least two years of jail time in a pound-you-in-the-ass prison.
Read the comments from about the intent(under the header mens rea) part from EFF https://www.eff.org/sites/default/files/filenode/Submission-Parliament-Hacking-Tools-vf.pdf
Goodbye White hats
Let’s see here:
1) White hat hackers driven away. Young hackers driven heavily towards black hat pursuits.
2) Supply of new security professionals drys up. Supply of black hat hackers increases.
3) Firesale/Nuke hack gets through the inadequate security.
4) Chaos, death, destruction.
5) Building a new world from the ashes, if anyone is left.
Conclusion:
Politicians are horrible strategists.
Re: Goodbye White hats
They kids could be driven to gray hat pursuits as well, not exactly legal, but not exactly sinister either.
Cybersecurity has become the new child porn of the censorship advocates…
Regulation is going cancerous.
Regulation is going cancerous.
In the future the aforementioned cancer and its carriers will likely be targeted and eradicated.
so the EU is going to arrest the entire internet?
im sure there terrified of the mean old politicians/possible pedophiles that wrote this.
I use nmap, traceroute, ping, GCC, binutils, bash, lighttpd and SSH on a daily basis for legitimate reasons.
I dare the government to arrest me since all of that is “hacker software”.
(If I need to check for holes in my config, I use nmap. If I need to test the network; ping/traceroute. Need to compile? GCC. Need to have a secure connection to a remote server? SSH and bash. IF I NEED A FUCKING WEB SERVER, I USE LIGHTTPD).
ffs, seriously
There was an incident in Britain, which already has a law similar to the CFAA in the US, where Glenn Mangham was sentenced several weeks ago to 8 months in jail for doing security research. He found a security vulnerability in Facebook and collected evidence (internal Facebook documents and code) to present to Facebook as proof of the vulnerability. Despite the judge in his case stating:
“I acknowledge … that you never intended to pass any information you got through these criminal offences to anyone else and you never did so, and I acknowledge that you never intended to make any financial gain for yourself from these offences,”
he was found guilty and sentenced to jail time under Computer Misuse Act despite having no criminal intent associated with his actions. The EU Cybercrime bill not only would allow this kind of abuse across all of Europe, it would be worse than the CMA or the US CFAA.
http://www.out-law.com/en/articles/2012/february/british-facebook-hacker-sentenced-to-eight-months-in-jail/
Re: Re:
Yeah, and the real question is. Does it make us as users safer? I don’t think so.
Arrests
When Anonymous attacks, there is a huge effort to stay anonymous….redundant sounding no? Making “cyber attacks” illegal means they have to find ways to arrest people they cannot even trace an IP address to.
They are trying to build a police state like the us. More of your tax money hard at work.
Unrelated but ....not
Am I reading this right?…Need an opinion…
http://www.guardian.co.uk/commentisfree/2012/apr/04/national-liberty-counter-terrorism-secret-courts
Compromise Amendments
I am still surprised to see these news almost 2 weeks after they initially hit the web, and even more surprised that people seems to either be unaware of the compromise amendments that doesn’t criminalize whitehats / ethical hackers.
You can read a debate along with the compromise amendment here:
http://forum.intern0t.org/security-news-feeds/4177-update-existing-eu-cyber-law-makes-worse-good-guys.html
(The compromise amendment comes directly from the Europa Parlament)