In September 2010 the European Commission published a new proposal to fight cybercrime called the ‘proposal for a Directive on attacks against information systems and repealing Council Framework Decision 2005/222/JHA’. It took some time for the media to pick up on it, but last week (April 6 2012) Wired Magazine, among others, published an article on their website with the alarming headline: “Watch Out, White Hats! European Union Moves to Criminalize ‘Hacking Tools’”. People fear that security professionals can’t do their job properly anymore when hacking tools are criminalised. This blog post briefly analyses the proposal.
The proposal for the Directive on attacks against information systems is for a large part the same as the Council Framework Decision 2005/222/JHA, which criminalises illegal access to, illegal system interference with and illegal data interference with information systems. These articles in the Framework Decision are in turn largely the same as those in the Convention on Cybercrime of the Council of Europe. A directive is necessary, however, since the European Commission can’t force member states to implement Framework Decisions, and 9 (!) out of 27 EU member states did not ratify the Convention on Cybercrime (namely Austria, Belgium, Czech Republic, Greece, Ireland, Luxembourg, Malta, Poland and Sweden). The European Commission also feels that the Framework Decision ‘does not fully address the potential threat posed to society by large scale attacks and does not take sufficient account of the gravity of the crimes and sanctions against them’. Therefore, when certain aggravating circumstances exist, the maximum prison term for certain offences is raised to at least 5 years, for example when botnets (networks of infected computers which can be controlled remotely) are used by a criminal organisation or when attacks are launched on a significant number of information systems.
Article 7 of the proposal criminalises the use of ‘tools’ for committing the offences of illegal access, illegal system interference and illegal data interference. This raises some concern among security professionals and ethical hackers (also called ‘white hat hackers’), because some of these tools are used by security professionals who need them for their work (e.g. testing the security of IT systems). The problem is that the same tools can be used both by criminals and by security professionals. My belief is that in most cases it is clear that IT security professionals use these tools for their jobs and not ‘intentionally and without right for the purpose of committing an offence’ as stipulated in article 7 of the proposal. Therefore they can’t be punished for it.
In the Dutch Criminal Code we have a similar provision (article 139d (2)(a)), but I can’t think of any problematic cases arising from this article. It is conceivable, however, that the line between legal and illegal tools gets blurred and an undesirable situation arises. It would be unfortunate (to say the least) if, for example, websites that provide these tools for security professionals were taken down because the same tools could be used by criminals. Therefore I hope law enforcement agencies and judicial authorities will use this article responsibly.
In short, my belief is that the EU should welcome the proposal since it forces member states to consider their laws with regard to cybercrimes. The obligation to create a 24/7 contact point (including an obligation to react within 8 hours to urgent requests) also assists in providing speedy legal aid between member states. However, I understand the concerns regarding criminalising the use of tools for committing certain computer offences. Hopefully in practice it won’t create any problems.