Leaked Document Shows EU Approach To Cybercrime Is Completely Misguided

from the that's-not-going-to-work dept

We didn't pay as much attention to the new proposals in the EU to ratchet up penalties for "cybercrime" in part because they came out at just about the same time that the NSA surveillance information started leaking. However, someone who shall remain anonymous passed along to us a "group briefing" document from the EU Parliament team that came up with the latest cybercrime directive, which highlights a bit of the approach and some of the problems. The document is actually from a year ago, but it's definitely reflected in the final product. The entire focus of the document is on harsher penalties, even though there's no evidence that such penalties do any good or act as a deterrent. And, while the document does note that protecting "white hat hackers" is important for achieving "cybersecurity," apparently they had a lot of trouble agreeing on what to do to protect them:
As regards protecting "white hat hackers" as integral part of the internet's immune system we managed to achieve a very weak recital (6a bis) compared to the initial LIBE orientation vote. It is made clear that reporting of threats, risks, and vulnerabilities is crucial and needs incentives. The crucial last sentence, however, is not clear enough and far away from creating obligations for member states... Therefore there is no serious protection for white hat hackers who find vulnerabilities in other people's information systems and report them. We did however start a debate at all and getting the whole EP united behind this.

[....] We managed to get a number of important safeguards in, and the fundamental debate on better IT security is opened. However the directive is in many ways worse than the old framework decision. Higher penalties and the criminalisation of more practices and even tools not only mainly symbolic, but even risks criminalising well-intended "white hat hackers" and curious teenagers. The problem was Council and a too weak negotiation strategy of the rapporteur at the very end.

From the details of the directive that came out, it appears that not many of these flaws have been fixed. Jan Philipp Albrecht, who was a part of the effort, clearly is not at all happy with how it came out:
But Albrecht attacked the directive, saying, "The legislation confirms the trend towards ever stronger criminal sanctions despite evidence, confirmed by Europol and IT security experts, that these sanctions have had no real effect in reducing malicious cyber attacks.

"Top cyber criminals will be able to hide their tracks, whilst criminal law and sanctions are a wholly ineffective way of dealing with cyber attacks from individuals in non-EU countries or with state-sponsored attacks.

"Significantly, the legislation fails to recognise the important role played by 'white hat hackers' in identifying weaknesses in the internet's immune system, with a view to strengthening security.

"This will result in cases against these individuals, who pose no real security threat and play an important role in strengthening the internet, whilst failing to properly deal with real cyber criminals.

"The result will leave hardware and software manufacturers wholly responsible for product defects and security threats, with no incentive to invest in safer systems."

The equation here is pretty simple. Ratcheting up punishment does little to stop malicious hacking, as hackers rarely expect to get caught, so it does little to nothing to actually help stop online crime. What does help is having security researchers and others exposing and fixing vulnerabilities. But if you create massive new penalties for "cybercrime" and make the rules amorphous enough that those security researchers may get charged under them for trying to help, you create fewer incentives for them to actually help.

End result: more malicious hacking, and fewer people willing to actually help protect and fix vulnerabilities.

That's not good for anyone. But, it fits with the technically clueless "law enforcement above all else" mentality we see too often in government these days, which seems to think that "great enforcement" and "greater punishment" is the answer to any wrong, no matter how much evidence suggests that's untrue.


Reader Comments

  • Zakida Paul, Jun 26th, 2013 @ 1:32am

    It seems no one in government or law enforcement of any country knows how to deal with cyber crime. Perhaps they should find experts who know what the hell they are talking about.

  • Anonymous Coward, Jun 26th, 2013 @ 3:04am

    End result: more malicious hacking, and fewer people willing to actually help protect and fix vulnerabilities.

    That's not good for anyone.

    Isn't it? Keep in mind how incredibly popular malware is with governments these days. The likes of the NSA want vulnerabilities to remain unfixed, because they exploit them.

  • Anonymous Coward, Jun 26th, 2013 @ 3:13am

    Setting Examples

    The examples of history show massive over-punishment does not work, that crafting laws that crush skill development are wrong, these lawyers who sit in government should Know Better, you only need a good dose of clear thinking to see throwing your technically competent people in jail forever, Hoping the Micro$ofts of this world fix their bugs in a timely fashion is No defense for a computer system, check NSA access to Windows Exploits and slow M$ bug fixes.

  • Ninja, Jun 26th, 2013 @ 3:20am

    Well, isn't it the new trend? To have incredibly harsh penalties for even the pettiest crimes? Or to swipe all the filth under the rug by blocking the 3rd-party providing a channel or going after the low-hanging fruit?

    • Not an Electronic Rodent, Jun 26th, 2013 @ 5:39am

      Re:

      To have incredibly harsh penalties for even the pettiest crimes?
      Not quite. The idea is to have incredibly harsh penalties for the pettiest crimes that have any potential to inconvenience or take small amounts or imaginary amounts of money from an entity with truck loads of it, while generating a comparative slap on the wrist for serious crimes.

  • Anonymous Coward, Jun 26th, 2013 @ 3:32am

    All countries and all governments are only interested in doing the easy bits. They want to punish the ordinary people for things that only those with malicious intent and extreme knowledge of how the internet works, how to 'hack' into various systems and how to glean whatever information they want so as to use it in whatever way they want to do damage or harm. I suppose the idea being that if they can screw over enough ordinary people, eventually they will catch a serious 'hacker' and deter like that or the deterrent will be in the number of people sentenced for doing nothing other than using the 'net' in the way intended. The answer is to go after the serious ones concerned, but that would take time, money and sense, the last one being largely missing from those that make the decisions!

  • Anonymous Coward, Jun 26th, 2013 @ 4:24pm

    Cyber bullshit.

  • JackOfShadows, Jun 28th, 2013 @ 1:40pm

    DMCA bad enough...

    The DMCA is bad enough here about some of the standard tools that anybody in systems security has. Now the EU off and goes to criminalize the rest of the standard kit. I guess I won't be traveling anywhere.

