Laws such as the UK’s Computer Misuse Act and the various European data protection laws exist to protect the law-abiding user. The problem is that those same laws can be said to protect the criminal. NATO and ENISA have collaborated on a report that analyzes the legal implications for those involved in the takedown of one of today’s biggest cyber problems: Legal Implications of Countering Botnets.
The report looks specifically at the legal situation in Estonia and Germany, but notes that since both countries are members of the European Union with cyber laws largely influenced by the Council of Europe Cybercrime Convention, “many of the problems which are addressed and their proposed solutions can be quite universal, especially in the context of the European Union.”
The extent of the legal complications can be seen in what the report calls ‘one of the first and logical steps’ when a botnet infection is known or suspected: packet inspection. On the one hand, it notes, packet inspection monitors the traffic and not the content of messages and should not breach that part of the European data protection laws. But on the other hand, the IP address is a far more complex issue – and both data protection and telecommunications secrecy laws need to be considered. There is a current debate over whether a user’s IP address constitutes personal data, and the report does not enter that debate. It notes, however, that if an IP address is personal data, then “capturing and analyzing the traffic would, under § 10 of the Estonian Personal Data Protection Act, need the consent of the data subject;” something highly unlikely if the data subject is a cyber criminal.
The actual takeover is equally worrying. Referring specifically to current German law, the report notes that “the benevolence of the actor is not relevant, because whoever gathers information or produces or acquires (hacking) tools with the intention to gain unjustified access to somebody else’s data is punishable by §§ 202c and 202a of the German Penal Code.” However, even if the botnet’s C&C servers are taken over or taken down, the individual infected bots remain infected. A couple of years ago the Dutch police famously took over a BredoLab botnet and used the C&C servers to send messages to the infected computers. That’s as far as they could go. “The preparation, infiltration and disinfection of the bots fulfills the conditions for data tampering, as set forth in § 303a of the German Penal Code, even if only the infection is removed and the original state restored,” says the report.
This report does not set out to solve the problems of botnet takedown, merely to highlight some of the issues and complications involved, since “many botnet countermeasures addressed in this report are neither explicitly permitted nor prohibited by the law.” It warns that any individuals or companies involved in botnet infiltrations should seek “appropriate legal advice beforehand,” and concludes that “The legislators, on the other hand, should use their mandate to shape national laws so that they support rather than hinder the fight against botnets.”