Legislation filed late last week in the European Parliament that could broadly reform how convicted cybercriminals are prosecuted fails to adequately differentiate good hackers from bad hackers, a political group argued today.
Jan Philipp Albrecht, a spokesman for the Greens/European Free Alliance group, called out the proposed legislation in an editorial on PublicServiceEurope.com this morning. For Albrecht, the problem stems from how governments would handle ethical, proactive hackers and their research.
“The blunt new rules on criminalizing cyber-attacks take a totally flawed approach to Internet security,” Albrecht wrote, going on to defend the role white hat hackers can have “identifying vulnerabilities and thereby serving as the Internet’s immune system.”
For example, how would independent white hats researching and disclosing vulnerabilities in software be treated under the law? Well-known white hat Apple hacker Charlie Miller was expelled from the company’s developer program in 2011 after uploading a bogus proof-of-concept application to its App Store. Miller had hoped to demonstrate a code signing vulnerability in the App Store at a future talk, using the harmless application as proof, but was booted from the program immediately. While Miller was merely trying to point out a flaw in Apple’s App Store, it’s unclear what the repercussions would be if it had happened in Europe under these proposed laws.
Albrecht pulled no punches in the editorial, calling the legislation “heavy-handed and misdirected” and insisting that under the new rules, minor or non-malicious attacks could result in criminal penalties. He also argued that the laws will deter vendors from adding necessary protections in their software. “Vendors and manufacturers will stay wholly irresponsible for product defects and security threats, with no incentive to invest in safer systems,” he said.
The Greens/European Free Alliance group, the fourth largest group in the European Parliament, is composed of progressive Members of European Parliament (MEPs) and was founded in 1999.
The reaction comes several days after the EU voted to endorse new legislation (.PDF) that would greatly increase penalties against hackers across the union’s 27 member states.
The rules would enforce a maximum sentence of two years in prison for “illegal information system access, illegal system interference, illegal data interference, and illegal interception.”
The draft directive would also increase jail time for botnet operators – enforcing at least a three-year sentence for those who cause serious damage to information systems by either running or utilizing botnets, with even stiffer penalties, at least five years in prison, levied against those who attack critical infrastructure or carry out hacks via a criminal organization.
The directive also ensures that each member state would have an “operational point of contact” to respond to cyber-attack concerns within eight hours of their initial reporting, 24 hours a day, seven days a week.
While the Parliament’s Committee on Civil Liberties, Justice and Home Affairs has already approved the legislation, the draft directive needs to be voted on by the Parliament in July, shortly after the EU instates its 28th member state, Croatia. From there it would need to be implemented by each state.
The Electronic Frontier Foundation has urged the European Parliament in the past to make it easier for researchers who help expose security flaws. When asked today, the EFF pointed out an entry from the group’s Deeplinks blog in 2012 that argued in favor of researchers’ freedom and “coder’s rights.”
“Their ability to freely report security flaws is crucial and highly beneficial for the global online community,” the group asserted, arguing that the researchers should have some sort of “breathing room.”
“Public disclosure of security information enables informed consumer choice and encourages vendors to be truthful about flaws, repair vulnerabilities, and improve upon products.”