EU pact criminalising security research?

At Def Con in Amsterdam, computer security experts say the draft of Europe's Cybercrime Treaty could spark a 21st century witch hunt
Written by Bob Sullivan, Contributor

Meet the world's newest class of persecuted artists: computer hackers. European Union nations, and perhaps even the United States, are about to make nearly any form of hacking -- even security research -- illegal by treaty.

The possibility scares European computer security experts gathered this week for Def Con Europe -- so much so that one hacker called it "the witch hunt of the 21st century".

Use the term "computer hacker" and you've already touched off a battle of semantics that leaves many scratching their heads.

That's part of the problem with the Council of Europe's draft Cybercrime Treaty, authored by the 41-nation body in consultation with the US Department of Justice. The pact could be signed as early as December.

To computer scientists, "hacking" merely means research by disassembly. The end result of hacking is understanding how something works and occasionally suggesting an improvement. Using such knowledge to break into computers to steal information is, well, stealing -- not hacking -- according to purists. Computer hackers say the distinction was lost upon the Council of Europe earlier this year when it agreed in principle to the draft of the Cybercrime Treaty. The treaty makes it illegal to write or possess hacking software. Currently, both are legal in the United States.

The treaty also includes aiding and abetting rules that appear to make the publishing of software vulnerabilities or "exploits" illegal, according to US cyberlaw expert Jennifer Granick. That could make vulnerability mailing lists, such as BugTraq and NTBugTraq -- both with well over 30,000 subscribers -- illegal, she said.

"They are just afraid of things they don't understand, things that they cannot control," said Stefen Buerger, a Germany-based security professional. "Yes, we might end up chasing witches."

At Def Con in Amsterdam, where experts are discussing technical computer security issues, Granick's discussion of the treaty drew a swift, emotional response.

"This would have a terrible, chilling effect on security research," said Scott Blake, a Boston-based security professional.

Blake belongs to a research group that sent letters of protest to the Council of Europe when the draft treaty was first released in April. A revised version of the treaty, which was to have included updates based on an open public comment period, was released last month with no changes on the hacking software issue.

"They basically just ignored us," Blake said.

It's hard to find an appropriate comparison to determine whether mere possession of software should be illegal. In the United States, possession of drug paraphernalia, even for novelty, is illegal in most states. Ownership of some kinds of lock-picking devices is illegal, whereas possession of bomb-making recipes is not.
