Protect Coders' Rights!



The European Parliament is preparing to discuss the European Commission's proposal on a draft Directive on Attacks Against Information Systems. EDRi-member Electronic Frontier Foundation (EFF) has submitted its remarks urging the legislators not to create legal woes for researchers who expose security flaws.

EFF is concerned with the Commission's attempt to criminalize what it determines to be attacks on information systems. EFF believes the text is largely duplicative of the Convention on Cybercrime, which itself is riddled with problems. In its remarks, EFF opposed the wholesale criminalization of security tools and the restrictions on security researchers' free expression rights.

The main so-called "novelty" of the draft directive is the criminalization of the use, production, sale, or distribution of tools to commit attacks against information systems. EFF explains that while these tools can be used for malicious purposes, they are also crucial for research and testing, including for "defensive" security efforts to make systems stronger and to prevent and deter attacks. Thus the focus should be on the intent behind using the tool, rather than mere possession, use, production, or distribution of such tools.

EFF asked the EP to protect researchers who access a computer system without explicit permission when the perpetrator does not have criminal intent, as a safeguard to security researchers' rights to free expression and innovation. Examining computers without the explicit permission of the owner is necessary for a vast amount of useful research, which might never be done if obtaining prior permission were a legal requirement.

Another demand was to protect security researchers' right to free expression. Their ability to freely report security flaws is crucial and highly beneficial for the global online community. Public disclosure of security information enables informed consumer choice and encourages vendors to be truthful about flaws, repair vulnerabilities, and improve upon products.

For example, in early February 2012, two German security researchers reported a vulnerability in two encryption systems that could allow eavesdropping on hundreds of thousands of satellite phone calls. Public disclosure of this kind of research allows consumers to be better informed and aware that their communications are not actually protected, which in turn lets them make thoughtful choices about the technology they use.

EFF Submission to the European Parliament on the Draft Directive on Attacks against Computer Systems (8.02.2012)
https://www.eff.org/Directive-Attacks-against-Computer-Systems

Draft Directive on Attacks Against Information Systems
http://ec.europa.eu/home-affairs/policies/crime/1_EN_ACT_part1_v101.pd...

Satellite phone encryption cracked (3.02.2012)
http://www.telegraph.co.uk/technology/news/9058529/Satellite-phone-enc...

(Thanks to Katitza Rodriguez - EDRi member Electronic Frontier Foundation)