RE: Cybercrime treaty
If you had trouble with the link in Adam's message, as I did for some reason,
another link to the Draft is
From: Adam Shostack [mailto:adam@HOMEPORT.ORG]
Sent: Wednesday, May 03, 2000 9:59 AM
Subject: Cybercrime treaty
(This is a joint letter from myself, and Scott Blake)
We'd like to draw the attention of the board to a new proposed treaty
which might make it substantially more difficult for us to work. The
proposed Cybercrime treaty apparently includes the criminalisation of
exploit code. This is similar to the Digital Millennium Copyright Act,
where we had to fight to keep research into security legitimate.
Imagine how hard it will be to verify the existence of a vulnerability
in Windows without exploit code. Now, there are clearly problems with
script kiddies that need to be addressed in some way. But it's not
clear to me that criminalizing research is the right way. We'll draw a
parallel to the Bernstein and Junger decisions, in which 2 appeals
courts have found source code to be protected speech.
At Netect/Bindview, we created and distributed exploit code to show new
vulnerabilities. That code has never been widely distributed, but
would have violated the proposed treaty. Getting an international
treaty revised will be very difficult, and that will result in a chill
that will make it more difficult to do security research. Given the
poor state of the field today, we would strongly urge that we not chill
research into how to improve security.
So, we'd like first to draw your attention to this, since we think it's a
mistake. Then, (with Steve's permission), we'd like to get the view of
the other board members on this issue, and ask if we can produce a
joint statement deploring the unethical use of exploit code, but
drawing attention to its many legitimate uses for information sharing.
Adam & Scott
Adam Shostack, email@example.com
Scott Blake, firstname.lastname@example.org
Excerpts from http://wired.com/news/politics/0,1283,36047,00.html
>The proposal, which is expected to be finalized by December 2000
>and appears to be the first computer crime treaty, would:
>* Make it a crime to create, download, or post on a website any
>computer program that is "designed or adapted" primarily to gain
>access to a computer system without permission.
"It is seldom that liberty of any kind is lost all at once."