Go to previous post:
Jim Henley

Go to Electrolite's front page.

Go to next post:
It’s hard to know what to say, really.

Our Admirable Sponsors

March 4, 2003

Whoa. I’d be interested in European comment on this:
If anyone in the European Union tried to protest online the way thousands of anti-war protesters did in the United States last week, they could be branded criminals under a pact recently reached by justice ministers in Brussels. […]

The decision forces all 15 Union countries to adopt a new criminal offense—illegal access to, and illegal interference with an information system—and calls on national courts to impose jail terms of at least two years in serious cases.

As Nathan Newman correctly observes, “Americans are often surprised at the kinds of speech that are pretty regularly regulated or banned in Europe.”

Several sharp and well-informed Europeans (from both sides of the English channel) post now and then in Electrolite’s comment section. I’d be very interested in their perspective on this.

UPDATE: Indeed, don’t leave this post without reading the comments. Very informative—thank you all! [08:53 AM]

Welcome to Electrolite's comments section.
Hard-Hitting Moderator: Teresa Nielsen Hayden.

Comments on Whoa.:

Sam Dodsworth ::: (view all by) ::: March 04, 2003, 10:03 AM:

My take (although it's unlikely to be popular) is that it's just another case of badly-thought-out lawmaking rather than an assault on freedom of speech. It's not about banning certain types of speech - it's just a law with a nasty loophole that could be used to do that.

We see a lot of this sort of reporting from the anti-EU press in Britain: take a stupid piece of legislation, put the worst possible spin on it, and hold it up as evidence of malice on the part of the nasty EU Bureaucrats who want to Steal! Our! Sovernity! In this case, I think it's just another attempt to reinforce the "Technocratic European Superstate" meme.

Can anyone with a better knowledge of EU law comment on what would happen if a free-speech based challenge to this made it to the European Court of Human Rights? They've dealt pretty well with local instances of this kind of thing in the past.

Jeff Crook ::: (view all by) ::: March 04, 2003, 10:10 AM:

Then again, their news isn't written in the boardroom, either. If we had a press free from corporate censorship, we wouldn't have had to have a virtual march.

Alison Scott ::: (view all by) ::: March 04, 2003, 10:51 AM:

Warning: I am not an expert on EU law. But in my experience, these European-wide policy statements get pretty thoroughly revised as law is drafted. The sequence goes something like this:

1) EU Ministers of x agree that there will be local legislation on a subject. They issue a relatively high-level statement.

2) Everyone screams about the obvious things that are inadvertently covered by the high-level statement.

3) Local legislation gets drafted, and goes through the ordinary local procedures for ensuring that the legislation that's enacted ends up sensible, which vary from country to country.

4) The EU Ministers for X meet up again, and discuss whether the legislation enacted at (3) is sufficient.

This story is at point (2) at the moment. There's a bit of a mountain-out-of-a-molehill issue, too, because it seems to me impossible to demonstrate that any particular e-mail about a relevant subject was 'designed to hinder the computer system of the recipient'.

James D. Macdonald ::: (view all by) ::: March 04, 2003, 10:54 AM:

It will be interesting to see if they start throwing spammers in jail for two years at a stretch.

Iain J Coleman ::: (view all by) ::: March 04, 2003, 11:30 AM:

If you follow Nathan's link to the Herald Tribune article, it supports Alison's reading of the situation. I don't think this is all that worrying at the EU level. My concern is with the implementation into UK legislation (Alison's stage 3). I strongly suspect the Home Office will use the EU directive as an excuse to push through the most deeply repressive legislation they possibly can. That's when the fun will really start.

Chuck Nolan ::: (view all by) ::: March 04, 2003, 12:25 PM:

I'm worried that it will give Ashcroft ideas.

Xopher ::: (view all by) ::: March 04, 2003, 12:50 PM:

Chuck: Nahh. Ashcroft has his own ideas. And the Bush administration listening to Europe? They haven't so far.

Richard Brandt ::: (view all by) ::: March 04, 2003, 12:55 PM:

I thought one of the givens of civil disobedience is that your actions might well run afoul of laws currently on the books and hence land you in jail. That aside, part of me has a certain sneaking fondness for the idea of laws that would jail folks who intentionally overload an e-mail server, not to mention spammers of all stripes, although I concede the thorny free-speech issues that immediately arise.

Charlie Stross ::: (view all by) ::: March 04, 2003, 01:52 PM:

I think this is broadly comparable to the existing Computer Misuse Act (1990) in British law. Illegal access to/interference with an information system has been a criminal offense carrying a 2 year prison sentence in the UK for over a decade. It's the statute that's used for prosecuting virus writers and crackers, and this appears to be nothing more than an attempt to standardize the existing law across the EU.

The deployment of the CMA against spammers is viable because spammers execute a DOS attack against servers. And this EU initiative isn't directed at the legitimate exercise of free speech. According to the Herald Tribune piece, ... "Council of Europe charter on cybercrime, which defines as criminal activity the sending of unsolicited e-mails designed to hinder the computer system of the recipient of the messages." Let me emphasize the point: that's not a legitimate email protest; that's a denial of service attack directed against a mail server. Emailing your representatives is fine, but attempting to bring down their servers is potentially an offense.

So, in short, there's nothing to see here folks, just a journalist generating alarmist column-inches via a speculative interpretation of an early draft of a boring but necessary piece of legislation that's still being bolted together.

Anna Feruglio Dal Dan ::: (view all by) ::: March 04, 2003, 02:55 PM:

The news's been reported by the specialized online press (Punto Informatico, etc) in Italy as a standardization at EU levels of the laws against hackers and crackers. Smells like standard EU-bashing to me.

Reimer Behrends ::: (view all by) ::: March 04, 2003, 04:22 PM:

It might be helpful to read the text of the framework decision here, and not just the abbreviated summary in the article. In particular: First, the framework decision states explicitly that it respects Chapter II of the Charter of Fundamental Rights of the EU, which includes freedom of expression. (The amendments proposed by the European Parliament make that even more explicit, but it is not clear whether they are part of the final framework decision). Second, any potential criminal activity must be performed with intent (gross neglicence does not suffice). So, unless a "virtual demonstration" plans to cause harm (and we don't condone "normal" demonstrations that plan to tear down physical infrastructure, either), it should not qualify. Third, the scope of the law only covers activities done "without right", which is supposed to exclude normal lawful activities according to the text of the decision.

I may be overlooking something, and there may be changes in the final version that we don't know yet, but so far it looks like a tempest in a teapot to me.

Alan Bostick ::: (view all by) ::: March 04, 2003, 05:04 PM:

My partner took part -- or, perhaps, attempted to take part -- in the protest, by telephoning the Washington office (I think) or our senator at a particular time. She says she couldn't get through, and got the "circuits busy" busy signal over her phone.

When she told me about it, I immediately thought in terms of denial-of-service attacks. It's not a big mental leap.

Without having given it too much thought, I suspect that it would be very difficult indeed to craft a law or regulation that banned DOS attacks (say) on telephone switching systems that had any teeth at all without being on very dicy grounds with respect to civil liberties and freedom of expression.

I am not saying that such protests are wrong or should be banned, any more than I'm saying that any script kiddie with a Linux box and an net connection should be given free reign to bring down Amazon.com. But I rather think that people who organize such things should at least consider it in terms of civil disobedience of anti-cracking laws rather than as mere lawful protest.

Leslie Turek ::: (view all by) ::: March 05, 2003, 08:00 AM:

It seems to me there's a qualitative difference between thousands of people who care about an issue picking up the telephone and placing a call (thus perhaps resulting in denial of service), and someone programming a computer to repetitively place the same call. I don't know if this is reflected in the law, but it should be.

Alan Bostick ::: (view all by) ::: March 05, 2003, 11:44 AM:

Leslie, how big is the difference between using the one computer's autodialer to place a whole bunch of calls for a DOS attack on a telephone exchange, and organizing and motivating thousands of people who care about an issue to pick up their telephones and making one call each?

The issue is genuinely double-edged. If regulation is constructed to protect political expression, malicious attackers can motivate concerned citizens to make that one phone call or send that one piece of email each that brings down the switchboard or server of the political target. If on the other hand regulation takes a hard line against DOS and DDOS attacks, then organizers and participants of obviously legitimate email and telephone campaigns can be targeted as criminal hackers and phreaks.

(If you rely on the judgment and discretion of prosecutors to determine what is protected speech and what is malicious, take note of who is our attorney general. If the courts decide, take note of the Supremes, and of who currently gets to make judicial appointments.)

At risk of sounding like the moderator of one of those Sunday talking-heads shows, it seems to me that there aren't any easy answers here.

Anders Jacobsen ::: (view all by) ::: March 05, 2003, 12:56 PM:

I agree with Sam (first commenter) that it's probably just a negative spin on a poorly designed rule. Anyway, I think this is interesting reading for you Americans ;-)


Adam Rice ::: (view all by) ::: March 05, 2003, 02:30 PM:

Alan--You make a good point, but the intent (if it matters) is very different. If you are organizing a malicious DDOS attack with the intention of bringing down the system, that's one thing. If, however, you are one of many people who *want their message to get through*, and are unintentionally contributing to an overload, that's quite another. If you are the organizer who is encouraging people to try to get a message through, that's still different from someone trying to bring the system down.

There was the notorious Victoria's Secret webcast a few years ago that wound up gobbling up a significant portion of the Internet's then-capacity. This could be construed as a DDOS, using an overly loose definition. VS might have been able to estimate that this would happen, but still, getting people to over-use the system is not the same as getting them to abuse it. There have been analagous incidents, I believe, with the phone network.