EU law lets in hackers

A proposed European regulation could leave a loophole which would give some hackers a free rein to access personal and corporate systems, a leading technology lawyer has warned.

The Proposal for a Council Framework Decision on attacks against information systems first appeared in April 2002 but is now coming towards the end of the EC legislative process. Member states must comply with the Framework Decision by 31 December 2003. According to recent meeting notes, the aim is to "improve co-operation between judicial and other competent authorities, including the police and other specialised law enforcement services of the member states".

The proposal is intended to harmonise European-wide laws protecting web servers and other systems from organised crime and terrorist attacks, but George Gardiner, partner at law firm Stephenson Harwood, said the proposal may not be a major improvement on the UK's existing Computer Misuse Act.

He said it introduces "a significant omission" in that anybody accessing an unsecured computer system without intending to cause damage or generate an economic benefit, would not be committing an illegal act under the proposal. This is despite the fact that they could gain access to systems such as unsecured wireless LANs, potentially creating disruption for administrators.

"The proposal covers most situations but you still need a deterrent for the legion of teenage hackers," Gardiner said.

Although the Computer Misuse Act could cover this type of behaviour, the terms of the proposal could eventually replace that law. Gardiner added that the EC is missing an opportunity to cover all possible scenarios with one overarching piece of legislation.

Have your say: reply to IT Week