NakedSecurity reports today that “The European Parliament last week approved a draft of the proposal and will vote on it in July.” In fact it was the Civil Liberties, Justice and Home Affairs committee (LIBE) that voted and approved the draft, which will make the vote by the full parliament in July, and subsequent adoption within Europe, more of a formality.
But the vote by LIBE was not unanimous: 36 votes in favour, 8 nays, and 0 abstentions. The European Greens oppose the legislation because it does not differentiate between different types of breaches and hackers; and we can assume that Jan Philipp Albrecht (Greens justice spokesman and a member of LIBE) was one of the eight opposing votes.
NakedSecurity notes, “The directive is clear about distinguishing attacks that lack criminal intent, which would cover testing or protection of information systems and thereby shield whistleblowers.” The first part of this has always been the case: it is legal to hack a system with the approval of the owner of the system. However, the protection of whistleblowers is far from clear, and is in fact one of Albrecht’s main reservations.
“The blunt new rules on criminalizing cyber attacks endorsed today,” he said in a statement immediately after the vote, “take a totally flawed approach to internet security. The broad strokes approach to all information system breaches, which would apply criminal penalties for minor or non-malicious attacks, risks undermining internet security.” His concern is that the directive does not differentiate between white hat hackers and black hat criminal hackers. “Significantly,” he says, “the legislation fails to recognize the important role played by 'white hat hackers' in identifying weaknesses in the internet's immune system, with a view to strengthening security. This will result in cases against these individuals, who pose no real security threat and play an important role in strengthening the internet, whilst failing to properly deal with real cyber criminals.”
The likely result of this will be a scenario similar to that acted out in the US under the Computer Fraud and Abuse Act, where it is supposedly used by law enforcement in ‘prosecutorial overreach’ against particular targets (Aaron Swartz, Jeremy Hammond and Andrew Auernheimer are recent examples). More specifically, Albrecht is concerned that independent security researchers will feel unable to disclose vulnerabilities they discover for fear of prosecution as a hacker. This will leave vendors in a position of strength in the full/partial/non-disclosure debate, reducing the pressure on them to patch rapidly. “The result,” warns Albrecht, “will leave hardware and software manufacturers wholly responsible for product defects and security threats, with no incentive to invest in safer systems... The result is a heavy-handed and misdirected law that will do little to improve internet security.”