
EFF asks the European Parliament to protect the rights of programmers

The European Parliament is now preparing to adopt the Directive on Attacks Against Information Systems, and the Electronic Frontier Foundation has asked parliamentarians to include rules protecting computer security researchers who publish information on new vulnerabilities, exploits and so on. According to the EFF, the adoption of the DMCA and the CFAA (Computer Fraud and Abuse Act) in America left the legality of such specialists' work ambiguous, which at one point even led to the arrest of the Russian programmer Dmitry Sklyarov, whose trip to America ended badly.

The international Convention on Cybercrime creates similar legal difficulties for researchers' work.

According to the EFF, the European Commission should think carefully once more about whether a new directive needs to be adopted, since it largely duplicates the Convention on Cybercrime, which itself creates problems. But if Europe does not abandon its plans, the EFF asks that the new draft be improved in several respects.

Cancel the criminalization of tools. One of the “innovations” in the directive is the introduction of criminal liability for the use, production, sale or distribution of tools for attacking information systems. But many such programs are in fact dual-purpose: they can be used both to attack systems and to test them for vulnerabilities in order to improve security. The European Parliament should specify in the document the purpose for which a tool is used, and not just the fact of “possession, use or distribution” as such.

Protect the programmer's right to unauthorized intrusion into a system for security testing. This is needed for various types of research that would never have been possible if the researcher had to obtain permission from each company.

Currently, the wording of the European Parliament's draft directive largely repeats the American Computer Fraud and Abuse Act (CFAA), which likewise simply prohibits "unauthorized access" without any qualification; such wording has been repeatedly challenged in US courts. The key flaw is that in this case a person's actions are criminalized by means of a private contract, the user agreement (ToS), which establishes what access to a given system is allowed. By changing the wording of the ToS, a site owner can in one day turn millions of ordinary users into criminals on the basis of their everyday routine activities.

Protect the programmers' right to innovation and freedom of expression. The EFF asks the European Parliament to guarantee the right to free speech for computer security researchers. The ability to freely publish vulnerability reports is critical to the global Internet community. Public disclosure of information about holes helps keep users informed and encourages vendors to tell the truth about vulnerabilities in their products, close those vulnerabilities and improve their security.

As mentioned above, the European Commission has not yet demonstrated a real need to adopt a new directive, and the EFF does not believe that such a need exists. If the document does move forward, it will have to be watched carefully so that the legislators do not make a mess of things again.

Source: https://habr.com/ru/post/138922/

