Saturday, 7 April 2012

The EU wants to make me a criminal

A proposed law has just been presented to the European Parliament. If it passes and is implemented by EU states then I will be made a criminal.

Let me explain.

The law is an anti-hacking law - despite the fact that hacking is already illegal in all EU states.

But, if you look deeper into the law this is what you find:
The proposal also targets tools used to commit offences: the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offences.
Now, the problem with this might not be apparent to someone without a technical background but trust me, there's a massive problem with this.

You see, hacking tools have two purposes. The first is for hackers to break into things. The second is for security professionals to test IT systems to make sure that they're secure. In fact, a term used in hacking is "Black Hat" and "White Hat". Black Hat being criminal hackers and White Hat being security experts who attempt to hack systems in order to find weaknesses so that they can then be fixed. But both groups use the same tools. And both groups would be criminalised by this law.

These kind of tools are also used by law enforcement and intelligence agencies to check computers and phones seized from criminals in order to look for evidence - because, surprisingly, most people with incriminating evidence on their computers tend not to be happy to give the police their passwords.

An example of how this works is a company like CCL Forensics - who I found through a quick google search. They're a private company that acts as a contractor for various police forces. If there's, for example, a murder enquiry where the police think that there might be texts from the murderer on the victim's phone, but the phone is locked with a password, then they'll send it off to a company like CCL who will use a program to break the password and get the evidence off the phone.

But this law would make all of that illegal. And an offence under this law would carry a minimum prison sentence of two years. So that means that hundreds of innocent people, using software for legitimate purposes, would be criminalised.

Now, I found about this law through my work. I am not able, or willing, to go into detail about the kind of work I do or who I work for but, suffice to say, if this law was passed and implemented, I'd be facing either two years in prison or losing my job.

A law similar to this was passed in Germany a few years back and the result of it was that a hell of a lot of IT and security specialists simply upped and left the country or gave up working completely. And IT security in Germany suffered as a result. Because hackers already face a prison sentence for what they do so they're hardly going to stop what they're doing because of a new law. But now, in Germany, they don't have to worry as much about security experts hampering their work. So all the law accomplished was to make the lives of hackers easier.

And now the EU wants to repeat this across the whole continent. Brilliant.

I'd like to hope that someone in the EU parliament will see this massive flaw with the law and get it changed. Unfortunately, however, someone already tried to amend this law to change it to only punish people who possessed tools for the purpose of committing a criminal offence - but the amendment was killed during committee.

Of course the real problem here is that, just like with plans by the UK government to snoop on people's internet use, these are laws about technical matters being made by politicians and civil servants with absolutely no technical backgrounds whatsoever.

Now, I'll probably try writing to an MEP about this and see if there might not be someone with a bit of sense but that's about all I can do. Other than that I'll just have to trust in the collective sense of the European Parliament and hope that I don't find myself on the way to prison. Bloody brilliant.

2 comments:

  1. George,

    As Chair of our Region's Campaign for the European Elections I am very interested in this and wuold like to discuss it further with you.

    I can't see your contact details- can you email me on antony @ antonyhook.com

    Best wishes.

    ReplyDelete
    Replies
    1. Hi Antony,

      Thanks - I've just sent you an email. Would you also like me to delete this comment so that spammers can't pick up your email?

      Delete

I'm indebted to Birkdale Focus for the following choice of words:

I am happy to address most contributions, even the drunken ones if they are coherent, but I am not going to engage with negative sniping from those who do not have the guts to add their names or a consistent on-line identity to their comments. Such postings will not be published.

Anonymous comments with a constructive contribution to make to the discussion, even if it is critical will continue to be posted. Libellous comments or remarks I think may be libellous will not be published.

I will also not tolerate personation so please do not add comments in the name of real people unless you are that person. If you do not like these rules then start your own blog.

Oh, and if you persist in repeating yourself despite the fact I have addressed your point I may get bored and reject your comment.

The views expressed in comments are those of the poster, not me.