
RE: Cybercrime treaty



Could we perhaps get the actual text of the proposed treaty?  Even better
would be getting some sort of lawyer to look at it.  I have had bad
experiences in the past relying on reporters' interpretations of complex
technical and legal issues.  There could be some real problems here, or
Wired could be telling us the sky is falling.

I also don't think the Congress is too likely to confirm any treaties until
after the election.

> -----Original Message-----
> From: Adam Shostack [mailto:adam@HOMEPORT.ORG]
> Sent: Wednesday, May 03, 2000 7:59 AM
> To: cve-editorial-board-list@lists.mitre.org
> Subject: Cybercrime treaty
>
>
> (This is a joint letter from myself, and Scott Blake)
>
> We'd like to draw the attention of the board to a new proposed treaty
> which might make it substantially more difficult for us to work.  The
> proposed Cybercrime treaty apparently includes the criminalisation of
> exploit code.  This is similar to the Digital Millennium Copyright Act,
> where we had to fight to keep research into security legitimate.
>
> Imagine how hard it will be to verify the existence of a vulnerability
> in Windows without exploit code.  Now, there are clearly problems with
> script kiddies that need to be addressed in some way.  But it's not
> clear to me that criminalizing research is the right way.  We'll draw a
> parallel to the Bernstein and Junger decisions, in which 2 appeals
> courts have found source code to be protected speech.
>
> At Netect/Bindview, we create and distributed exploit code to show new
> vulnerabilities.  That code has never been widely distributed, but
> would have violated the proposed treaty.  Getting an international
> treaty revised will be very difficult, and that will result in a chill
> that will make it more difficult to do security research.  Given the
> poor state of the field today, we would strongly urge that we not chill
> research into how to improve security.
>
> So, we'd like first to draw your attention to this, since we think it's a
> mistake.  Then, (with Steve's permission), we'd like to get the view of
> the other board members on this issue, and ask if we can produce a
> joint statement deploring the unethical use of exploit code, but
> drawing attention to its many legitimate uses for information sharing.
>
> Adam & Scott
>
> Adam Shostack, adam@homeport.org
> Scott Blake, blake@bindview.com
>
>
> Excerpts from http://wired.com/news/politics/0,1283,36047,00.html
>
> >The proposal, which is expected to be finalized by December 2000
> >and appears to be the first computer crime treaty, would:
>
> >* Make it a crime to create, download, or post on a website any
> >computer program that is "designed or adapted" primarily to gain
> >access to a computer system without permission.
>
>
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> 					               -Hume
>

Page Last Updated or Reviewed: May 22, 2007