European Digital Rights discusses cybercrime in LIBE Committee

By EDRi · October 5, 2011


On 4 October 2011, European Digital Rights, as well as EDRi Member Chaos
Computer Club (Germany), made presentations to the Civil Liberties Committee
(LIBE) of the European Parliament on the new draft Directive on Attacks
Against Computer Systems. The hearing was organised by German
parliamentarians Monika Hohlmeier (EPP), who is in charge of the Directive
in the Civil Liberties Committee, and Christian Ehler (EPP), who is
responsible for the Opinion of the Industry, Research and Energy Committee.

The draft Directive is essentially a pasting together of elements of the
2001 Council of Europe Cybercrime Convention and the 2005 EU Council
Framework Decision on attacks against computer systems. There is a limited
number of additions, such as criminal penalties and the introduction of
“aggravating circumstances”.

The speech from CCC’s Florian “Scusi” Walther concentrated on the
limited positive impact that one can expect from the new Directive – arguing
that the main problem is faulty software and bad security practices and that
this is where efforts at improving security should be focussed.

EDRi’s presentation welcomed the diligence with which the Parliament,
Commission and Council are working on the dossier, pointing out the main
points of the current draft that would need to be eliminated in order to
avoid a negative impact from the Directive. The bulk of our presentation was
dedicated to the fact that there is a major contradiction in the approach of
the European Commission to attacks against computer systems. On the one
hand, it is calling for the criminalisation of the “rendering inaccessible
without right” of computer data. On the other, it has done absolutely
nothing to protest against the increasing activity of the United States to
undertake extra-territorial – and even privatised – attacks against computer
data in Europe, through the revocation of domain names.

The two best-known examples of attacks against European computer data were
against a travel agency based in Spain and, more recently, the revocation of
the domain name of Roja Directa, also a Spanish enterprise. As the US has
no legal authority over Spanish citizens (and the respective companies didn’t
break Spanish law), the disabling of access to the websites would be a
criminal act under the definitions in the draft Directive. The European
Commission, instead of protesting against these attacks, has supported the
United States. It has even started discussions in an EU/US project on
revoking not just domain names, but also IP addresses. The EU General
Affairs Council adopted a political position last year that the EU should
give itself the power to revoke IP addresses “in third countries”. The only
way that this policy could be implemented is by using the Netherlands-based
regional Internet registry (RIPE) to remove IP addresses from ISPs and
companies in countries like Russia or Georgia – rendering them
inaccessible… without right.

Does the EU support cyber-attacks or does it oppose them?

Draft Directive

Council of Europe Cybercrime Convention

2005 Framework Decision

Hearing programme (4.10.2011)

Travel agency domain name revocation (4.03.2008)

EDRi-gram: Spanish sports streaming domain seized by US authorities without
warning (9.02.2011)

Council Conclusions on revoking domain names and IP addresses (26.04.2010)

EDRi’s presentation (4.10.2011)

(Contribution by Joe McNamee – EDRi)