Hacking Tools, a criminal offence?

Benjamin Henrion (FFII.org), 22 Oct 2012

● Foundation for a Free Information Infrastructure eV● Active on many law related subjects:

■ ACTA■ Software Patents directive, now Unitary Patent■ IPRED1 (civil) and IPRED2 (criminal)■ Data retention■ Network of software companies and developers

● Personal■ zoobab.com @zoobab■ VoIP industry■ HackerSpace.be■ JTAG and reverse-engineering

About

● Judicial cooperation in criminal matters: combatting attacks against information systems (COD 2010/0273)

● Repealing Framework Decision JHA 2005● Lisbon treaty: new criminal competences for EU● First reading, deal between Council and Parliament

Proposed EU directive

"The proposal also target tools used to commit offences: the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offences."

Parliament press release

"[...] it will include new elements: (a) It penalises the production, sale, procurement

for use, import, distribution or otherwise making available of devices/tools used for committing the offences."

EESC opinion

● Tools are "neutral"● "Hacking" tools have positive/negative use● Intent: criteria for a judge● Following this logic, knifes or hammers should be

banned?● Publication of exploits is a crime● Level of security is lowered● Exodus of security companies abroad, attackers

from foreign countries are safe

Problems

Amendment example - Final art7

Amendment example - Final art8

Responsabilité des fabriquants"Les États membres prennent les mesures nécessaires afin de garantir que les fabricants soient tenus pour pénalement responsables de la production, de la mise sur le marché, de la commercialisation, de l'exploitation, ou du défaut de sécurité suffisante, de produits et de systèmes qui sont défectueux ou qui présentent des faiblesses de sécurité avérées qui peuvent faciliter des cyberattaques ou la perte de données."

Amendment example - Art 8bis

● "Many other German security researchers, meanwhile, have pulled their proof-of-concept exploit code and hacking tools offline for fear of prosecution."

German law of 2007

Kismac WiFi scanner

● Deal in secret closed doors Tri-logue (EC, EP, CM)● June 2012● Orientation vote in LIBE● Blocked because of Schengen discussions● Formality in LIBE● Formality in Plenary?

Status of the proposed directive

● Deal in secret closed doors Tri-logue (EC, EP, CM)● June 2012● Orientation vote in LIBE● Blocked because of Schengen discussions● Formality in LIBE● Formality in Plenary?

Status of the proposed directive

● Extracts● "Intent"● "Aiding abetting inciting" examples● Still ambiguous● "Minor act" not defined● Liability for IT systems vendors gone● Etc...

Compromise deal