IDG News Service - Moves by several European countries to tighten laws against computer hacking worry security professionals, who often use the same tools as hackers but for legitimate purposes.
The U.K. and Germany are among the countries that are considering revisions to their computer crime laws in line with the European 2001 Convention on Cybercrime and a similar European Union measure passed in early 2005 (see "Senate approves cybercrime treaty").
But security professionals are scrutinizing those revisions out of concern for how prosecutors and judges could apply the laws. Security professionals are especially concerned about cases where the revisions apply to programs that could be used for bad or good. Companies often use hacking programs to test the mettle of their own systems.
"One useful utility in the wrong hands is a potentially malicious hacking tool," said Graham Cluley, senior technology consultant at Sophos PLC in Abingdon, England.
In the U.K., legislators are debating amendments to the Computer Misuse Act (CMA) of 1990. The proposed revisions would make it illegal to create or supply a tool to someone who intends to use it for unauthorized computer access or modification.
Likewise, the proposed changes to German law would also criminalize making and distributing hacking tools. The German government said the changes will bring it into compliance with the 2001 Convention on Cybercrime.
Several German security companies are planning to lobby against the law, as they fear it could hamper those who test security systems, said Alexander Kornbrust, founder and chief executive officer of Red-Database-Security GmbH in Neunkirchen, Germany. For example, tools to check the strength of passwords, often freely distributed, could also be used by malicious hackers, he said.
"The security community is very unhappy with this approach," Kornbrust said. "The concern is that the usage and possession of so-called hacker tools will become illegal."
The U.K. and Germany are trying to align their laws with Article 6 of the continentwide convention, which bans the creation of computer programs for the purpose of committing cybercrime.
So far, 43 countries have signed the treaty, which indicates their willingness to revise their laws to comply. Fifteen have ratified the Convention on Cybercrime. After a country changes its laws, it can ratify the convention and put it into force.
The convention does not mandate a deadline for when countries must comply, and the process of changing laws can be lengthy depending on the country, said Margaret Killerby, head of the European Committee on Crime Problems, which tracks implementation of the convention.
But the goal is for Europe -- and other governments, such as the U.S., which also said it will implement the convention soon -- to mount a consistent defense against computer criminals given the transnational nature of computer crime, Killerby said.
A key point of the Convention on Cybercrime requires countries to have a law enforcement contact available at all times to assist foreign authorities in obtaining electronic evidence, which can disappear quickly without quick moves by law enforcement.
"What we want to have is an institution to allow states to cooperate with each other as rapidly as possible," Killerby said.
Those requirements are devoid of controversy. Individual countries can draft their own customized legislation to comply with the convention, which can be used as a checklist, Killerby said. The council has provided assistance to countries in Central and Eastern Europe in creating computer crime laws where none were on the books, Killerby said.
Countries with existing laws will have find a medium that satisfies their own legal requirements and the treaty. In the U.K., the House of Lords is scheduled next month to debate changes in the part of the CMA concerning creation and distribution of hacking tools.
The proposed revision to the CMA says a person is guilty of an offense if he makes or supplies something intending it to be used to commit an offense or "believing that it is likely to be so used."
But officials said they are confident that the wording can be smoothed. The controversy could be dampened merely by changing "likely" to "primarily," which could "make sure we don't catch the legitimate penetration testers," said Merlin Erroll, a member of the House of Lords who sits on the All Party Parliamentary Internet Group, during a recent presentation in London.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
