4th Draft of CyberCrime Treaty Statement
All,

Here is the 4th cut at the draft.

1) This version attempts to merge in Spaf's comments with my earlier, shorter version.

2) I did NOT put the language concerning liability back in, per Matt Bishop's comments, (a) to maintain brevity and (b) to help prevent alienation of those for whom it remains a controversial subject.

3) I would urge others to simply post their own modifications to what is below as opposed to making comments. While making comments is easier, it requires others to merge the edits.

4) My personal feeling is that the current draft is dangerously long and should be shortened. If others can tinker with it to trim it down, I feel it would strengthen it.

Dave

********************************************************************

Dear <treaty drafters>

We are a group of security experts who participate in the Common Vulnerabilities and Exposures Initiative. This project is a collaboration between a broad range of responsible computer security experts and companies to develop a common, industry-wide set of names for the many different vulnerabilities known in computer systems. As such, we represent a cross-section of the technical community which works on computer security vulnerabilities.

As experts, educators, and practitioners of information security, we wish to register our concerns about the Council of Europe draft treaty on Crime in Cyberspace. In brief, we believe that portions of the proposed treaty are vague or counter to accepted practice. The wording may actually result in criminalizing behavior and tools that are commonly used in education, research, and the protection of computer systems. If member states implement the provisions of the treaty and supporting legislation, the result is likely to be a reduction in the overall security and protection of computer systems in those locations.
In particular, we find Article 6 to be vague with respect to issues of use, distribution, or possession of software that could be used to violate the security of computer systems. We note that it is critically important to the advancement of science and engineering techniques for computer security professionals to be able to test software for new vulnerabilities, determine the presence of known vulnerabilities in existing systems, and exchange information about such vulnerabilities with each other. Therefore, most professionals and companies in this field routinely develop, use, and share scripts and programs designed to exploit vulnerabilities. These exploits are often included in commercial tools used by systems administrators and security experts to test the security of their systems. Academic institutions also use these tools and techniques in the education of students and in research efforts to develop new and better defenses.

Our experience has shown that it is impossible to reliably distinguish instances of tools used in computer crime from instances of tools used for the legitimate purposes described above. Furthermore, important tools and techniques are regularly published by previously unknown individuals or groups. To criminalize their research and educational activities would be to slow the important progress of computer security research.

We do not intend to challenge the idea that breaking into computer systems is wrong. But we are very concerned that the draft treaty, and legislation that might flow from it, not be drafted so as to impede the development and application of good security measures. We are strongly in favor of criminalizing inappropriate behavior, but we urge the Council to avoid criminalizing the development, use, and distribution of tools that are important to professionals -- in commerce, academia, and government -- who are working to prevent misuse.
We ask that the treaty drafters specifically recognize the legitimate and important role that the creation and public dissemination of demonstration code plays in advancing the information security field. Moreover, we urge that appropriate laws criminalizing the misuse of such tools replace the ownership or creation clauses of the treaty.

Signed,

<name>
<affiliation>

"Organizational affiliations are listed for identification purposes only, and do not necessarily reflect the official opinion of the affiliated organization."