EU pact criminalising security research? Pt II

Illegal software possession
Written by Bob Sullivan, Contributor

Hacking software poses special challenges because most of the tools have two equal uses, Granick said. For example, a popular hacking tool called nMap connects to a remote computer and tells the user if that computer has any open ports that can be used to establish a connection. Finding such a port is often the first step in a computer attack, making nMap popular among attackers. But the program is equally popular with network administrators who want to check their own systems for open ports.

The Council of Europe has promised to provide a list of exceptions to the treaty, and professional network administrators will likely end up exempt. But hackers at the Amsterdam conference were still worried about the plight of the thousands of hobbyists who currently research vulnerabilities in their spare time and in good faith. And software writers -- such as the author of nMap -- would likely be offered no legal protection.

The wide-ranging draft treaty also includes extradition agreements and other controversial elements, such as requirements for Internet service providers and network administrators to help police by maintaining detailed logs of all network activity.

European police agencies say they desperately need some kind of help to stem a tidal wave of this new, borderless cybercrime. Stuart Hyde, chief superintendent of police in West Yorkshire, England, and a British cybercrime expert, told the hackers that European nations need new laws to deal with complicated issues like jurisdiction and evidence transportation.

"In part because of the ingenuity of lawyers and the ingenuity of [computer criminals] to get around the laws we've got, the laws we've got aren't sufficient," Hyde said. "The draft convention... will make it much easier for people to investigate. It will have an immense impact."

Not every hacker found the law offensive. One system administrator compared the discussion to the gun control debate familiar to US residents.

"It's like arms control," said a German-based hacker, who requested anonymity. "Saying you can't walk around with a loaded gun produces safety. You can compare an exploit to a fully loaded weapon. Making exploits illegal could decrease the number of hacked boxes."

But others openly questioned the existence of a massive cybercrime outbreak requiring bold legislation.

"Cybercrime just doesn't pay," said one hacker who requested anonymity.

"Other forms of criminal activity are much more lucrative. And if you are a hacker, you are smart enough to know that any crime which would pay, you'd have to deal with people who could hurt you. All the hackers who could do this have good-paying jobs they wouldn't want to lose."

Instead, another hacker suggested, the "cybercrime outbreak" is nothing more than noisy teenagers committing high-profile, low-impact Web site hacks. But those crimes are being used as rationale by governments and law enforcement agencies to pass highly restrictive laws.

"There is a certain hysteria about cybercrime," the hacker said. "But I don't think anyone has stolen money from a bank using the Internet yet."

Granick fears the Council of Europe, in an effort to create consensus, has rushed forward and created a legal document "with far-reaching ramifications, but without far-reaching insight".
