Watch Out, White Hats! European Union Moves to Criminalize ‘Hacking Tools’

Photo: mysouthborough/Flickr

The European Union is continuing a push to criminalize the production or sale of “hacking” tools, a move that civil liberties advocates argue could make criminals out of legitimate security researchers.

The proposal is intended to create stiffer penalties across Europe for hacking and denial of service attacks, imposing a maximum sentence of up to five years for hacking into a site or using a botnet to flood a site with fake traffic.

The proposed law, which was passed by the European Commission’s Civil Liberties Committee last week, still has a ways to go before going into effect — but the EFF’s international rights director Katitza Rodriguez says now is the time to raise awareness about the proposal.

“There are times when security researchers need to access systems without permission with no criminal intent,” Rodriguez said, citing an example of researchers in India who discovered flaws in e-voting machines. “The language in these proposals could undermine legitimate research.”

Rodriguez argues the law must take into account intent before criminalizing software possession or creation.

The text of the newest version of the proposal has not yet been made public, but the summary published by the committee indicates that prohibition on ‘hacking tools’ remains.

The proposal also targets tools used to commit offenses: the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offenses.

While the law seems aimed at blackmarket tools that can be used to create malware infested sites, it’s also likely to criminalize tools used by researchers, developers and black hats alike – including tools like fuzzers, the Metasploit penetration testing tool and the wi-fi sniffing tool Wireshark. (Perhaps even the command line would be outlawed.)

U.S. law remains murky or outright dangerous for security researchers, hacktivists and curious citizens. Provisions in the Digital Millennium Copyright Act make it a crime to get around encryption built into products, with only a few exceptions. And federal prosecutors have tried to prosecute citizens under federal anti-hacking laws for violating the terms of service on a social network.

The E.U. ban could, if enacted, have consequences across the pond. Recently, the U.K. approved extradition of one of its citizens to the U.S. to face copyright infringement charges for a site that linked to online television shows.

Such favors often need to be re-paid.