This article is also available in:
Deutsch: Computerkriminalität: EDRi referiert im Innenausschuss des EP
On 4 October 2011, European Digital Rights, as well as EDRi Member Chaos Computer Club (Germany), made presentations to the Civil Liberties Committee (LIBE) of the European Parliament on the new draft Directive on Attacks Against Computer Systems. The hearing was organised by German parliamentarians Monika Hohlmeier (EPP), who is in charge of the Directive in the Civil Liberties Committee and Christian Ehler (EPP), who is responsible for the Opinion of the Industry, Research and Energy Committee.
The draft Directive is essentially a pasting together of elements of the 2001 Council of Europe Cybercrime Convention and the 2005 EU Council Framework Decision on attacks against computer systems. There is a limited number of additions, such as criminal penalties and the introduction of "aggravating circumstances".
The speech from CCC's Florian "Scusi" Walther was concentrated on the limited positive impact that one can expect from the new Directive - arguing that the main problem is faulty software and bad security practices and this is where efforts at improving security should be focussed.
EDRi's presentation welcomed the diligence with which the Parliament, Commission and Council are working on the dossier, pointing out the main points of the current draft that would need to be eliminated in order to avoid a negative impact from the Directive. The bulk of our presentation was dedicated to the fact that there is a major contradiction in the approach of the European Commission to attacks against computer systems. On the one hand, it is calling for the criminalisation of the "rendering inaccessible without right" of computer data. On the other, it has done absolutely nothing to protest against the increasing activity of the United States to undertake extra-territorial - and even privatised - attacks against computer data in Europe, through the revocation of domain names.
The two best-known examples of attacks against European computer data were against a travel agency based in Spain and, more recently, the revocation of the domain name of Roja Directa, also a Spanish enterprise. As the US has nolegal authority over Spanish citizens (and the respective companies didn't breake the Spanish law), the disabling of access to the websites would be a criminal act under the definitions in the draft Directive. The European Commission, instead of protesting against these attacks, has supported the United States. It has even started discussions in an EU/US project on revoking not just domain names, but also IP addresses. The EU General Affairs Council adopted a political position last year that the EU should give itself the power to revoke IP addresses "in third countries". The only way that this policy could be implemented is by using the Netherlands-based regional Internet registry (RIPE) to remove IP addresses from ISPs and companies in the countries like Russia or Georgia - rendering them inaccessible... without right.
Does the EU support cyber-attacks or does it oppose them?
Draft Directive
http://ec.europa.eu/home-affairs/policies/crime/1_EN_ACT_part1_v101.pd...
Council of Europe Cybercrime Convention
http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm
2005 Framework Decision
http://register.consilium.eu.int/pdf/en/04/st15/st15010.en04.pdf
Hearing programme (4.10.2011)
http://register.consilium.eu.int/pdf/en/04/st15/st15010.en04.pdf
Travel agency domain name revocation (4.03.2008)
http://www.nytimes.com/2008/03/04/us/04bar.html
EDRi-gram: Spanish sports streaming domain seized by US authorities without
warning (9.02.2011)
http://www.edri.org/edrigram/number9.3/rojadirecta-domain-name-seized-...
Council Conclusions on revoking domain names and IP addresses (26.04.2010)
http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/1...
EDRi's presentation (4.10.2011)
http://www.edri.org/files/Libe_041011_final.pdf
(Contribution by Joe McNamee - EDRi)