Coders have never been more important to the security of the Internet. By identifying and disclosing vulnerabilities, coders improve security for every user who depends on information systems for their daily life and work. Yet this week, the European Parliament will debate a new draft of vague and sweeping computer crime legislation that threatens to create legal woes for researchers who expose security flaws.
On Thursday, the European Parliament will discuss the latest agreement between the Parliament and the Council on a draft Directive on Attacks Against Information Systems. In our submission to the European Parliament earlier this year, EFF opposed the wholesale criminalization of tools that can be used to commit attacks against information systems. While such tools can be used for malicious purposes, they are also crucial for research and testing, including "defensive" security efforts that make systems stronger and prevent and deter attacks. EFF also told the European Parliament that its initial draft jeopardized coders' rights to conduct essential security research. The current version, while better, still doesn't address this problem.
As currently written, the latest version of the Draft Directive threatens coders' ability to access information systems for security testing without explicit permission. If the European Parliament enacts this provision as written, researchers who study others' systems in good faith for legitimate research may become criminals.
Article 3 of the Draft Directive criminalizes intentional access to information systems without prior authorization where the actor infringes a security measure. At the heart of the problem is the directive’s reliance on the concept of accessing information systems “without right,” which is defined as “access, interference, interception, or any other conduct referred to in this Directive, not authorized by the owner, other right holder of the system or part of it, or not permitted under national legislation.”
The vague notion of “unauthorized access” has proved to be troublesome within the United States Computer Fraud and Abuse Act. For example, creative prosecutors and litigants have argued in past cases that merely accessing a computer in violation of terms of use makes access “unauthorized,” and therefore a crime. That broad interpretation of the law would criminalize a great deal of innocuous activity. As the Ninth Circuit Court of Appeals recently pointed out, “By giving that much power to prosecutors, we're inviting discriminatory and arbitrary enforcement.”
The Directive's caveat that it punishes only activities that infringe a "security measure" is an improvement over previous draft language, and should help ensure that merely violating terms of use can't amount to unauthorized access. But the vagueness of the term "security measure" creates new problems. Does a user infringe a "security measure" when she stumbles across files in a hidden but unprotected directory on a website? Or when she changes her IP address to get around an IP block, even for valid, legitimate reasons?
Another major problem with the draft directive is Article 7, which criminalizes the production, sale, procurement, import, or distribution of tools used to access systems in order to commit the other offenses. This new article rightly tries to tie punishment to the malicious intent behind using the tool, rather than criminalizing the use, production, sale, or distribution of such tools per se. By doing so, it tries to avoid criminalizing dual-use tools that can be used for bad purposes but also for desirable security efforts to prevent and deter attacks. However, Article 7 remains problematic because it relies upon the murky definition of access "without right" and refers back to Article 3 to define the criminal intent, which, as we explained above, is vague.
Another improvement is that the directive seeks to limit criminal punishment to cases that are "not minor." However, the directive does not explain what "minor" means in the text itself, leaving member states free to define the term as they see fit. Under the directive's present wording, member states must set maximum penalties for the offenses (including distributing tool software) of at least 2 years of imprisonment, at least 3 years when a botnet is used, and at least 5 years when the offense is committed in the context of organized crime, causes serious damage, or is committed against critical infrastructure.
Security researchers are a crucial part of any effective security strategy. Unfortunately, this directive creates a very real possibility that they will face serious criminal punishment for their work, which creates a strong disincentive for them to do it. While the directive's legally non-binding recitals suggest a number of safeguards, including respect for human rights and room for security testing, it is troubling that those protections are not included in the articles themselves.
The European Union should implement a target-hardening strategy to provide strong incentives and support for security researchers to identify and disclose vulnerabilities and motivate providers to quickly issue patches and updates. Please tune in this Thursday at 11:00 am Brussels time for a live stream of the directive debate in the European Parliament.