European countries want to ban hacking and penetration testing tools

Justice Ministers across Europe want to make the creation of "hacking tools" a criminal offence, but critics have hit back at the plans, saying that they are unworkable.

Ministers from all 27 countries of the European Union met on June 9 to discuss European Commission proposals for a directive on attacks against information systems. But in addition to approving the Commission's text, the ministers extended the draft to include "the production and making available of tools for committing offences".

This is problematic, as much legal and legitimate software could be put to criminal use by hackers. The draft mentions "malicious software designed to create botnets or unrightfully obtained computer passwords," but goes no further in attempting to clarify what "tools" might be subject to criminal sanctions.

For example, the distinction between a password cracker and a password recovery tool is not specified. Nor is there any mention of legitimate use for testing. Many tools that could be used for hacking in the wrong hands, are used by system administrators and security consultants to probe for vulnerabilities in corporate systems.

Illegal access, illegal system interference and illegal data interference as well as instigating, aiding, abetting and attempting to commit offences are already crimes under current EU law. However, ministers want to harmonise penalties for illegal interception of computer data, and see the imposition of a minimum two year sentence for the most serious crimes. They also want to oblige member states to collect basic statistical data on cybercrimes and to respond to urgent requests for information by other member states within eight hours.

The creation of hacking tools is already a criminal offence in the United Kingdom under the Computer Misuse Act, and in Germany under the 202C law, and is also cited in the Budapest Cybercrime Convention. But if included in an EU directive, all 27 member states would be required to ban production of these so-called "tools" in national law.

The introduction of the laws in Germany in 2007 and the UK in 2008 met with fierce criticism. In Germany many legitimate websites shut down or moved over fears that they might be prosecuted.

German PHP security professional Stefan Esser wrote on his blog at the time that the law was not clearly written and allows too much interpretation. "While our government says that they do not want to punish, for example, hired penetration testers, this is not written down in the law," Esser wrote.

The ministers' proposals will now be put to the European Parliament, which must approve the text before it can become law. It is likely that MEPs will question some of the ministers' assumptions and will seek to better define what is meant by "tools".