Re: Cybercrime treaty
> IMO, we should do nothing but prepare for a demonstration case where one (or
> more of us) are the defendants.
Russ - this is a treaty. That means every country will come up with
their own legal implementation. When they prosecute you in Canada, for
example, the resulting precedent will do nothing for us in the U.S.
(It's actually a council of Europe treaty, but apparently the US DOJ has
taken a strong role in drafting it). And if the treaty starts out with
dumb provisions, it will be very hard not to end up with dumb provisions
in all the implementing legislations in individual countries.
Besides, an international treaty on cybercrime isn't a bad idea. Some
provisions (like making sure it's illegal to break into computers in
another signatory country) are a really good idea.
But it needs to lose the "make the tools illegal" part in Article 6.
That won't work and will do far more harm than good. And that's the
only part that has anything to do with CVE.
The treaty calls for laws that make it a crime to <<produce or
distribute a computer program designed for the purpose of infringing
security measures without right>> (Putting together several strands of
the draft treaty language). If that doesn't make it illegal to write or
distribute exploit scripts, I don't know what would.
> If we shot this down what will come afterwards? If we're listened to, what
> would prefer it to say?
How about making it a crime to distribute an exploit script without
first giving two weeks notice to affected vendors?
Think of this: if it was in an international treaty, you wouldn't have
to defend your policy on NTBugtraq :-)
Stuart Staniford --- President --- Silicon Defense
(707) 445-4355 (707) 445-4222 (FAX)