New EU directive proposal on cybercrime

In 2010 the EU Commission presented a directive proposal “on attacks against information systems”, to be examined by the European Parliament. The proposal is currently awaiting its first reading by the EP, but was the subject of a hearing by the Civil liberties, justice and internal affairs committee (LIBE) on October 4th. Video streaming of the hearing is available on the European Parliament site.

The main objectives of the Proposal are to improve criminal justice cooperation between member states in combating cybercrime and to harmonize legislation. It is the EC’s opinion that updating the Budapest Convention would be a slow process involving substantial renegotiation, when at the moment not even all of the EU member states have ratified it.

Apart from a strange fixation on one particular kind of criminal activity (botnets), the subject matter of this proposal is to

Art. 1

[define] criminal offences in the area of attack against information
systems and [to] establish minimum rules concerning penalties 
[...] to introduce common provisions to prevent such attacks [...]
improve European criminal justice cooperation in this field [...]

The first articles define a series of criminal offences (nothing new here), but Art. 7 is very “creative” and vaguely worrying:

Art. 7

[Member states should ensure that] production, sale, procurement for use,
import, possession, distribution or otherwise making available of the 
following is punishable as a criminal offence when committed 
intentionally and without right for the purpose of committing [an offence]:

a - a device, including a computer program [...] designed or adapted
primarily for the purpose of committing [a criminal offence];

b - a computer password, access code or similar data by which
the whole or any part of an information system is capable of
being accessed.

While it is true that the text includes some provisions (when committed intentionally…) and specifies that the software possessed or used must be designed primarily for criminal use, such a text could be interpreted by courts in a restrictive sense, where mere possession (or use) of specific software is considered a criminal offence. We all know that every person working in the field of information security or digital forensics has at her disposal a panoply of software that theoretically can be a tool for committing crime. One can hope for a reformulation of this article in the definitive directive and, later, for a rational interpretation when it is adopted by member states.

Here is the complete text of the proposal (2010/0273).
