The European Parliament is preparing to discuss the European Commission’s
proposal on a draft Directive on Attacks Against Information Systems.
EDRi-member Electronic Frontier Foundation (EFF) has submitted its remarks
urging the legislators not to create legal woes for researchers who expose
security flaws.

EFF is concerned with the Commission’s attempt to criminalize what it
determines to be attacks on information systems. EFF believes
the text is largely duplicative of the Convention on Cybercrime,
which itself is riddled with problems. In its remarks, EFF opposed
the wholesale criminalization of security tools and the restrictions
on security researchers’ free expression rights.

The main so-called “novelty” of the draft directive is the criminalization
of the use, production, sale, or distribution of tools to commit attacks
against information systems. EFF explains that while these tools can be used
for malicious purposes, they are also crucial for research and testing,
including for “defensive” security efforts to make systems stronger and to
prevent and deter attacks. Thus the focus should be on the intent behind
using the tool, rather than mere possession, use, production, or
distribution of such tools.

EFF asked the EP to protect researchers who access a computer system without
explicit permission when the perpetrator does not have criminal intent, as
a safeguard to security researchers’ rights to free expression and
innovation. Examining computers without the explicit permission of the owner
is necessary for a vast amount of useful research, which might never be done
if obtaining prior permission were a legal requirement.

Another demand was to protect security researchers’ right to free
expression. Their ability to freely report security flaws is crucial and
highly beneficial for the global online community. Public disclosure of
security information enables informed consumer choice and encourages vendors
to be truthful about flaws, repair vulnerabilities, and improve upon

For example, in early February 2012, two German security researchers
reported a vulnerability in two encryption systems that could allow
eavesdropping on hundreds of thousands of satellite phone calls. Public
disclosure of this kind of research allows consumers to be better informed
and aware that their communications are not actually protected, which in
turn lets them make thoughtful choices about the technology they use.

