Friday, February 25, 2005

EU Council Adopts Anti-Hacking Legislation

On Thursday the Council of the European Union officially adopted the Framework Decision on Combating Serious Attacks against Information Systems. This "anti-hacking" legislation determines that intentional access, without right, to the whole or any part of an information system is punishable as a criminal offence where the conduct constitutes a serious attack". Also the hindering and interruption of the functioning of a computer system by, for example, transmitting and inputting, deleting, damaging and altering computer data or making computer data inaccessible, will constitute a punishable attack.

The Framework Decision has been criticized for being overbroad, and possibly also criminalizing legitimate security research(ers). The Council has taken a proposal for a security researcher's privilege to test computer systems without having to fear punishment out of the original version of the European Commission. Under the adopted legislation it becomes unsure if and when the disclosure of system weaknesses becomes punishable. As this Heise article (German) on the subject points out, systems will not get more secure by introducing jail time for hackers, but by patching the security holes they might exploit and/or expose. The Framework Decision seeks to counter serious disruptive hacking and "cyberterrorism", but in its growing fear of the last it may also criminalize attempts to foster what it seeks to secure: the internet.

0 Comments:

Post a Comment

<< Home