Leaked Document Shows EU Approach To Cybercrime Is Completely Misguided

from the that's-not-going-to-work dept

We didn’t pay as much attention to the new proposals in the EU to ratchet up penalties for “cybercrime” in part because they came out just about the same time that the NSA surveillance information started leaking. However, someone who shall remain anonymous passed along to us a “group briefing” document from the EU Parliament team that came up with the latest cybercrime directive, which highlights a bit of the approach and some of the problems. The document is actually from a year ago, but it’s definitely reflected in the final product. The entire focus of the document is on harsher penalties, even though there’s no evidence that such penalties do any good or act as a deterrent. And, while the document does note that protecting “white hat hackers” is important for achieving “cybersecurity,” apparently they had a lot of trouble agreeing on what to do to protect them:

As regards protecting “white hat hackers” as an integral part of the internet’s immune system, we managed to achieve a very weak recital (6a bis) compared to the initial LIBE orientation vote. It is made clear that reporting of threats, risks, and vulnerabilities is crucial and needs incentives. The crucial last sentence, however, is not clear enough and far away from creating obligations for member states… Therefore there is no serious protection for white hat hackers who find vulnerabilities in other people’s information systems and report them. We did, however, start a debate at all and get the whole EP united behind this.

[...] We managed to get a number of important safeguards in, and the fundamental debate on better IT security is opened. However, the directive is in many ways worse than the old framework decision. Higher penalties and the criminalisation of more practices and even tools are not only mainly symbolic, but even risk criminalising well-intended “white hat hackers” and curious teenagers. The problem was Council and a too weak negotiation strategy of the rapporteur at the very end.

From the details of the directive that came out, it appears that not many of these flaws have been fixed. Jan Philipp Albrecht, who was part of the effort, is clearly not at all happy with how it came out:

But Albrecht attacked the directive, saying, “The legislation confirms the trend towards ever stronger criminal sanctions despite evidence, confirmed by Europol and IT security experts, that these sanctions have had no real effect in reducing malicious cyber attacks.

“Top cyber criminals will be able to hide their tracks, whilst criminal law and sanctions are a wholly ineffective way of dealing with cyber attacks from individuals in non-EU countries or with state-sponsored attacks.

“Significantly, the legislation fails to recognise the important role played by ‘white hat hackers’ in identifying weaknesses in the internet’s immune system, with a view to strengthening security.

“This will result in cases against these individuals, who pose no real security threat and play an important role in strengthening the internet, whilst failing to properly deal with real cyber criminals.

“The result will leave hardware and software manufacturers wholly responsible for product defects and security threats, with no incentive to invest in safer systems.”

The equation here is pretty simple. Simply ratcheting up punishment does little to stop malicious hacking, as hackers rarely expect to get caught. So it does little to nothing to actually help stop online crime. What does help is having security researchers and others expose and fix vulnerabilities. But if you create massive new penalties for “cybercrime” and make the rules amorphous enough that those security researchers may get charged under them for trying to help, you create fewer incentives for them to actually help.

End result: more malicious hacking, and fewer people willing to actually help protect and fix vulnerabilities.

That’s not good for anyone. But it fits with the technically clueless “law enforcement above all else” mentality we see too often in government these days, which seems to think that “great enforcement” and “greater punishment” are the answer to any wrong, no matter how much evidence suggests that’s untrue.



Comments on “Leaked Document Shows EU Approach To Cybercrime Is Completely Misguided”

Anonymous Coward says:

Setting Examples

The examples of history show that massive over-punishment does not work, and that crafting laws that crush skill development is wrong. These lawyers who sit in government should know better; you only need a good dose of clear thinking to see that throwing your technically competent people in jail forever is no answer. Hoping the Micro$ofts of this world fix their bugs in a timely fashion is no defense for a computer system; check NSA access to Windows exploits and slow M$ bug fixes.

Not an Electronic Rodent (profile) says:

Re: Re:

To have incredibly harsh penalties for even the pettiest crimes?

Not quite. The idea is to have incredibly harsh penalties for the pettiest crimes that have any potential to inconvenience or take small amounts or imaginary amounts of money from an entity with truckloads of it, while generating a comparative slap on the wrist for serious crimes.

Anonymous Coward says:

All countries and all governments are only interested in doing the easy bits. They want to punish the ordinary people for things that only those with malicious intent and extreme knowledge of how the internet works, how to ‘hack’ into various systems and how to glean whatever information they want so as to use it in whatever way they want to do damage or harm. I suppose the idea being that if they can screw over enough ordinary people, eventually they will catch a serious ‘hacker’ and deter like that, or the deterrent will be in the number of people sentenced for doing nothing other than using the ‘net’ in the way intended. The answer is to go after the serious ones concerned, but that would take time, money and sense, the last one being largely missing from those that make the decisions!
