EU to vote on five-year minimum sentences for hackers

Hackers found guilty of attacking 'critical infrastructure' face five years or more in prison

The European Union is planning a new directive on computer crime, which will include harsh penalties for people convicted of hacking "with criminal intent" to cause "serious harm".

The draft was approved by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs last week and a vote in Parliament is scheduled for July.

Unusually - at least insofar as UK law is concerned - the draft directive calls for minimum sentences for those convicted of hacking.

That includes five years imprisonment for attacks against "critical infrastructure", while people that create and use "botnets" face a minimum of three years in prison. However, it will be up to courts to determine whether criminal intent was involved and whether the harm caused could be described as "serious".

It also covers activities such as the hiring of hackers to commit offences.

Other crimes that may see hackers given long minimum sentences include:

• Illegal, intentional access to an information system;
• Illegally interfering with data;
• Illegally intercepting of communications, including recording communications;
• Intentionally producing and selling tools that can be used to commit these offenses.

According to anti-virus software vendor Sophos, the emphasis on criminal intent ought to shield penetration testing - which could potentially be encompassed under many countries' hacking laws - as well as whistleblowers.

However, if passed, it remains to be seen when it will be implemented by EU member states and how exactly the directive will be translated into national laws and legal practice.