Yes, maybe we should keep hackers in the clink for YEARS, mulls EU

The EU is pushing through a directive calling for harsher criminal penalties against convicted hackers. The proposed rules (PDF) set a baseline sentence of two years' imprisonment in cases where hacks are carried out with the intent to cause serious harm, involve circumventing security measures and where no attempt is made to …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    I agree.

    As an extension of that logic, let's lock up the people who contributed to the two major financial meltdowns over the last decade. The politicians who enabled the fiasco, the bankers who mismanaged our money while pulling down billion dollar bonuses, and the oversight committees who should have caught it all in time but didn't and still haven't done faff all to fix the system.

    Seems to me the NSA monitors everyone, except the people actually doing damage to the state of the world.

    1. Combustable Lemon
      Joke

      Re: I agree.

      "Seems to me the NSA monitors everyone, except the people actually doing damage to the state of the world."

      Fair point, I don't think they monitor themselves.

    2. AbelSoul

      Re: I agree.

      "Seems to me the NSA monitors everyone, except the people actually doing damage to the state of the world."

      I imagine they do indeed monitor them too.

      Alas, I fear their activities are not viewed by the NSA as damaging the state of the world.

    3. scrubber
      Holmes

      Re: I agree.

      Unfortunately the majority of those who were very wealthy before the crisis are (relatively at least) better off than they were before. It is the slightly wealthy and the middle class who are paying.

      Blair's got millions, Brown's doing the lecture circuit rather than acting as MP (his job!) and Balls is Shadow Chancellor. Those tasked with regulating the banks have mostly got jobs with banks now, some of those in the banks are now working as regulators...

      The game is rigged, yet we play it anyway while turning a blind eye to those who are rigging it since those we ask to do something about it are eyeing up their own payoff in the near future.

  2. xerocred

    The EU are ignorant, witless, profligate tossers.

    Who are unemployable oxygen wasters in the real world. As a user of Wireshark it's very worrying that the inmates have overrun the EU asylum.

    1. Anonymous Coward
      Anonymous Coward

      Re: The EU are ignorant, witless, profligate tossers.

      As a worker actually in the EU kreml, using Wireshark, Aircrack on Android etc. at work for defense purposes, I encourage you to continue to use standard Linux tools for self-training in infrastructural protection! I have heard that there are some £70K salaries going at present for ppl with your skills, allegedly.

  3. Vimes

    What about illegal corporate activities? Like BT/Phorm, 3UK/Bluecoat, Vodafone/Bluecoat, TalkTalk/Huawei?

    3UK and Vodafone customers ought to really pay attention in particular, since Bluecoat is a US company. Their repeat visits - ostensibly made to check the content as part of the filtering - originate from a server within the US.

    Now Virgin Media appears to be US owned too. The interesting bit there though is that the EU commission OKed this back in April. I wonder when they were told about PRISM? Mind you, they already ought to have some idea of what could happen considering previous problems with SWIFT.

    In any case I doubt that the commission will ever help stop corporate exploitation of EU nationals. They're a bit like the ICO in that respect - they only seem to be willing to go after individuals or organisations that don't have deep pockets to pay the lawyers. Everybody else gets to unfairly influence data protection legislation (which in itself ought to cause people to stop and think since a large part of this pressure originates from within the US).

    1. John Brown (no body) Silver badge

      "Now Virgin Media appears to be US owned too"

      VM, a trading name of NTL:Telewest has been a US owned and traded company almost since its inception, certainly many years before they spent £10m buying a 10 year licence to use the name "Virgin Media". NTL was certainly a US company before the merger with Telewest. And just to cap it off and make certain of access, VM's email is outsourced to Google's Gmail.

  4. Anonymous Coward
    Anonymous Coward

    Ya think?

    Will Blighty ever get in touch with proper punishment for digital crimes? So far they have just given hackers and pirates free rein. It's time the world apply a uniform mandatory minimum punishment as Japan has with 2 years in prison for pirates and 10 years for hackers along with high fines.

    1. Steven Roper
      Flame

      Re: Ya think?

      How about 20 years for sanctimonious Dudley Do-rights who sit on their moral high horses pronouncing judgements from on high against anyone who dares to engage in independent thought, or express any kind of dissent against the established order?

    2. Scorchio!!
      Thumb Up

      Re: Ya think?

      "Will Blighty ever get in touch with proper punishment for digital crimes? So far they have just given hackers and pirates free rein. It's time the world apply a uniform mandatory minimum punishment as Japan has with 2 years in prison for pirates and 10 years for hackers along with high fines."

      As you will have seen there are people here who deploy non sequitur arguments to draw attention away from the crimes under discussion, and appear to think that they are not crimes. It's partly a hangover from the old days when we really did police ourselves, when a UDP (Usenet death penalty) really did mean what it said, when the spam blackhole really was a black hole, and small furry creatures from alpha centauri really were small furry creatures from alpha centauri (I must play the MP3s again tonight).

      There are still people who believe that digital stays digital ("starts online, stays online"), that crimes committed using a digital->terrestrial interface are in fact just jolly pranks for which no sentence should be applied. They probably have acne, BO, dream of losing their virginity, and have no conception of the massive heist that is being performed daily on artists' incomes by people who download MP3s, believing it to be their right. Certainly, St Jules believes that he should be interviewed online by the Swedish police, and there are other erroneous views on RL that he holds about, say, Afghan informants and the disclosure of their locations (via his publications) to the Taliban. I bet he'd shit himself if they were after him, but Assange's brain evidently does not do quid pro quo, witness his imbroglio with a publisher whose money he felt free to keep, revealing a lot about him and his view of the basis of rule following in human relationships.

      That the online world has expanded beyond Usenet, Compuserve/AOL fora (spit), bulletin boards and the like has evidently either escaped the attention of some, or they perhaps don't understand what meat space means. These evidently do not philosophise in the world in which they draw their pay, and still think this is an electronic village that is entirely separate from RL. That said, I remember shuddering with displeasure when someone in a Usenet news group said that the Web was going to be turned into a business park. I didn't want the invasion... ...but now, well I bought my house through the web, have done a lot of research through the web, buy music, clothes, Blu-ray discs [...] almost everything I reckon. The net is now a place of transactions, commercial, military and social, just as with anywhere.

      Thus the net is now unfortunately and irrevocably a part of RL; laws from the land of meat space apply, no matter how many spotty, juvenile delinquents argue otherwise and, yes, there will be punishments, there will be tears, no matter how many people have temper tantrums, pound their keyboards in petty rage, and it will continue until the selfish generation of net users that don't like rules and point to the bankers saying 'look at them I want to get away with it too', have been replaced by those who grew up from day 1 with the net, and manage to learn, internalise and apply the rules governing social behaviour supplied to them by teachers and responsible parents (from which St Jules apparently did not benefit during his formative years)... ...meanwhile that sub population that does not learn the rules governing other regarding conduct, those who like their off line contemporaries in offending do not (to quote Cleckley) 'profit from experience' due perhaps to frontal lobe deficits, they will develop criminal careers/offending profiles over which they will snigger with their contemporaries, expressing resentment at 'the man', whilst others look on failing to see anything funny at all, and nothing meriting resentment; this was not society's fault, but the fault of the offender.

      It is a matter of sadness that career criminals do not seem to learn, that they lose so much of their freedom inside, that they make jokes out of it and play this silly game, while the immature look to them as 'role models'. To them, welcome to RL, where prison is not a matter of losing your interwebs access.

  5. Anonymous Coward 15

    "no attempt is made to notify website owners or other vulnerable parties"

    Does that include sticking a big "hacked by Anonymous" message on the homepage?

  6. Chairo

    I wonder

    sentences would be increased to a starting point of five years' imprisonment for cases involving attacks against critical infrastructure systems, such as power plants and transport networks.

    Does this apply for heads of states of supposedly allied nations? You know, the ones that order to prepare such strikes anyway. Just in case - you never know what these strange Europeans might be up to...

  7. Anonymous Coward
    Anonymous Coward

    Why not?

    If you're going after the hackers you should also be enforcing the same rules on the people who write the shoddy insecure software / systems. They need to tighten up their act rather than using legislation against people who highlight the insecurities.

    1. Anonymous Coward
      WTF?

      Re: Why not?

      "enforcing the same rules on the people who write the shoddy insecure software"

      So if someone breaks into my house you'll throw me in jail for two years for not putting a better lock on the door? Nice attitude.

      1. Voland's right hand Silver badge
        Devil

        Re: Why not?

        Quote: "So if someone breaks into my house you'll throw me in jail for two years for not putting a better lock on the door? Nice attitude."

        Err... Wrong attitude.

        Let's say you are the house owner and a trader supplies you a supposedly standards compliant safe door (not just burglary perspective - fire safety, etc). That door can be opened by simply pulling the handle the wrong way and its safety, security and standards compliance is a load of bovine excrement.

        So if your house gets burgled as a result of you installing said door, you are just going to tell the vendor who designed it, built it and sold it "hi nice chap, let's go have a beer, no harm done". Right? And your insurance company will reimburse you 100% instead of suing the door vendor out of the face of the earth. Right? Wrong - do not think so.

        For some reason the software industry considers it absolutely normal to be exempt to all normal consumer liability clauses. That may have been OK once upon a time when the industry was young. Today software is a commodity so this has to end at some point.

        1. This Handle Isn't Taken
          Trollface

          Re: Why not?

          Actually, the locksmith never sold you the lock in the first place. He retained ownership of the lock the whole time and only licenced the use of the lock to you, in exchange for a tick in the checkbox removing all legal liability from the lock malfunctioning or not being fit for use.

  8. Evil Auditor Silver badge

    No pity for criminal hackers. But shouldn't they, at least, also think about punishing those fucktards who leave critical infrastructure open to attack? In other words, connect them to the internet (or other open networks) in the first place?

    1. Aldous
      Stop

      Yeah it is just like possession of drugs for personal use or supply. That line never gets blurred either. One network engineer's Wireshark is another "leet haxor tool". Next time they want to bag an Assange just say they had a hacker's toolkit on their system (ping etc).

  9. MrXavia

    I partly agree with them, especially if they honour the "intent to cause serious harm" part, since someone hacking to find evidence of Aliens but causes some harm accidentally, is different to someone who breaks into a system and steals money/designs/photos etc...

    BUT would that be the case or would many people end up being thrown in the clink for minor hacks that hurt no one?

  10. Anonymous Coward
    Anonymous Coward

    half measures (troll warning)

    shoot them. And then nuke the whole continent. Guaranteed 100% success rate.

  11. James Micallef Silver badge
    Thumb Up

    Theory vs Practice

    The general outline of proposals actually makes sense. But then it all depends on how the final wording is written and how it is interpreted. For example:

    "where hacks are carried out with the intent to cause serious harm, involve circumventing security measures and where no attempt is made to notify website owners or other vulnerable parties about a security breach."

    If the administrator password is left blank and an unauthorised person logs in, is that "circumventing security measures"? If bits of websites are left open to anyone who can guess a URL and type it in, is that "circumventing security measures"? If someone accidentally stumbles upon a page that should be closed and notifies the website owner, is that considered a defense given that more likely than not, the website owner will ignore the security hole? Or even worse, will the website owner attack and accuse the submitter of being a hacker even though they're just trying to help? (as has happened in quite a few reported cases)

    Also, as many other commenters have mentioned, it's up to the website owners and their technology vendors/partners to make sure that sites that are supposed to be secure really are secure. If I jump over or cut through a huge f***-off fence to get into someone's private property, it's a bit more difficult to plead innocent to trespass than if I just wandered into an open lot.

    1. Anonymous Coward
      Anonymous Coward

      Re: Theory vs Practice

      Once I came back with a colleague from a 4 pint liquid lunch and we logged into the wrong server farm by accident, at the password prompt we typed password and got in and laughed. It turned out to be the back end of a load of schools web sites, yes, we were drunk, and we vandalised it, using SQL and straight edits. How we laughed. But was this wrong? They had left a car in the street with the keys in the ignition. All we did was joy ride it round the corner.

      1. breakfast Silver badge
        Pint

        Re: Theory vs Practice

        It was metaphorically wrong as you shouldn't be driving the metaphorical car while drunk.

        More seriously, though- a skiddie who defaces someone's website should be treated the same as someone who daubs graffiti on a shop window. There's no real difference there.

        Thefts of personal data are a little different, but at the low end of the scale some of these proposed sentences are way high.

        1. Yet Another Anonymous coward Silver badge

          Re: Theory vs Practice

          Perhaps a new offence of Coding Under the Influence.

  12. Anonymous Coward
    Anonymous Coward

    They should monitor the tor version of /b/

    That's where they organise the attacks and advertise them now...

  13. JaitcH
    FAIL

    Menu-driven sentencing is NOT justice: ever heard of three strikes?

    Judges are more than equipped to deal with sentencing. Even the cretin from Maidenhead, in disallowing the deportation of a hacker to the USA acknowledged that cases have nuances.

    A fine example of menu-driven sentencing is the US 3-strikes and you are screwed.

    How many are doing life, no parole/time off for stealing food, minor drug deals, etc?

    I always thought Europe meted out punishment in human terms.

    If a web site has weaknesses, or a utility is exposed, it should be incumbent for them to PROVE they had security in place and not just the manufacturer's password.

    1. Richard 26

      Re: Menu-driven sentencing is NOT justice: ever heard of three strikes?

      I agree that restricting judges' discretion to adjust sentences to fit the circumstances of the case is a bad thing. However, that isn't what is being proposed here; the legislation only affects maximum penalties.

      For most countries in the EU, it won't make a difference. It just means that there won't be any odd corners of the EU where you can commit these crimes with impunity.

      1. Yet Another Anonymous coward Silver badge

        Re: Menu-driven sentencing is NOT justice: ever heard of three strikes?

        Except for the odd corners where the police don't give a fsck or don't have the resources.

        So instead of being able to hack a German bank from a computer in Cyprus because they don't have laws against it, you will be able to hack a German bank from a computer in Cyprus because their police have got bigger problems to deal with.

    2. Anonymous Coward
      Anonymous Coward

      Re: Menu-driven sentencing is NOT justice: ever heard of three strikes?

      "A fine example of menu-driven sentencing is the US 3-strikes and you are screwed."

      FWIW, that's only (AFAIK) in California, and is most likely on the way out soon.

  14. trickie
    Alert

    And this is the EU's business how?

    So not content with telling us what laws to enact, the EU now tells us what the sentence should be as well. Remind me, just what does the national parliament do in all this?

    1. Lars Silver badge
      Pint

      Re: And this is the EU's business how?

      "what does the national parliament do in all this?". Well, they accept it or they do not or they tweak it a bit. The reporting part I find a bit worrying. Report to who and how and how do you prove you did it? There is a slight feeling that "anything hacking" should resemble touching some bolt on your car engine and you lose your warranty.

      Still this, according to the text, was not about who to convict but about "calling for harsher criminal penalties against convicted hackers." (depending on ..???.) Perhaps I should have read the PDF.

  15. westlake
    Pint

    About time.

    When you break into someone's home, you won't get far arguing that your motives were well-intentioned --- no matter how crack-brained --- and that any damage you caused was accidental or that the owner was at fault because he should have invested in better locks.

  16. Radbruch1929
    WTF?

    Good for what?

    This is an interesting piece of proposed legislation but what is it supposed to do?

    * Attacking infrastructure with the intention to cause harm or damage seems to be already an offence in at least some of the larger member states, mostly in the form of criminal liability even for the attempt;

    * The same goes for circumventing secured security measures themselves, which already seems to be criminalized in some member states (and the wording leaves open some questions).

    I am confused as I am also missing some regulations regarding cross border regulations if that was the idea behind it all: Sections 12 and 13a of the preamble make this cooperation a prerequisite but Article 14 only requires a single point of contact. No further regulation is provided on what is going to be exchanged with this contact and what is going to be the follow up.

  17. mIRCat
    Pirate

    If everything is illegal...

    We're all criminals.

  18. dephormation.org.uk
    Big Brother

    I'll believe they're serious

    .. when BT/Phorm Directors (and others who do the same) are in jail.

  19. strum

    Legislative sentencing

    I'm not at all keen on minimum sentences - for anything. All crimes are not equal. Just because the mechanism is hi-tech (and the legislators don't really understand it), doesn't mean it's necessarily any worse than a physical theft or vandalism. On the other hand, it might be - but only if the intent/outcome is worse.

    I don't know how true the story is, but there's a possibility that the hacker who uncovered a rape could get a higher sentence than the rapist [Steubenville]. If so, that's a nonsense.

    1. gazthejourno (Written by Reg staff)

      Re: Legislative sentencing

      see here: http://www.theregister.co.uk/2013/06/10/steubenville_rape_hackerfaces_decade_in_prison/

  20. teebie

    Criminalise everyone

    "intentionally producing and selling tools used to commit"

    So that's anyone who has sold a PC.
