4th Draft of CyberCrime Treaty Statement

[Dave Mann <dmann@bindview.com>]

All,

Here is the 4th cut at the draft.

1) This version attempts to merge in Spaf's comments with
my earlier, shorter version.

2) I did NOT put the language concerning liability back in
per Matt Bishop's comments 1) to maintain brevity and 2) to
help prevent alienation of those for whom it remains a
controversial subject.

3) I would urge others to simply post their own modifications
to what is below as opposed making comments.  While making
comments is easier, it requires others to merge the edits.

4) My personal feeling is that the current draft is dangerously
long and should be shortened.  If others can tinker with it
to trim it down, I feel it would strengthen it.

Dave

********************************************************************

Dear <treaty drafters>

We are a group of security experts who participate in the Common
Vulnerabilities and Exposures Initiative.  This project is a
collaboration between a broad range of responsible computer security
experts and companies to develop a common industry-wide set of names for
the many different vulnerabilities known in computer systems.  As such,
we represent a cross-section of the technical community which works on
computer security vulnerabilities.

As experts, educators, and practitioners of information security, we
wish to register our concerns about the Council of Europe draft
treaty on Crime in Cyberspace.  In brief, we believe that the
portions of the proposed treaty are vague or counter to accepted
practice.  The wording may actually result in criminalizing behavior
and tools that are commonly used in education, research and the
protection
of computer systems.  If member states implement the provisions of the
treaty and supporting legislation, the result is likely to be a
reduction in the overall security and protection of computer systems
in those locations.

In particular, we find Article 6 to be vague with respect to issues of
use, distribution, or possession of software that could be used to
violate
the security of computer systems.

We note that it is critically important to the advancement of science
and
engineering techniques for computer security professionals to be able to
test software for new vulnerabilitities, determine the presence of known
vulnerabilities in existing systems, and exchange information about such
vulnerabilities with each other.  Therefore, most professionals and
companies
in this field routinely develop, use, and share scripts and programs
designed
to exploit vulnerabilities.  These exploits are often included in
commercial
tools used by systems administrators and security experts to test the
security of their systems.  Academic institutions also use these tools
and techniques in education of students and in research efforts to
develop
new and better defenses.

Our experience has shown that it is impossible to reliably distinguish
between instances of tools used in computer crime from instances of
tools
used for the legitimate purposes described above. Furthermore,
important tools and techniques are regularly published by previously
unknown individuals or groups.  To criminalize their research and
educational activities would be to slow the important progress of
computer security research.

We do not intend to challenge the idea that breaking into computer
systems
is wrong.  But, we are very concerned that the draft treaty, and
legislation
that might flow from it, not be drafted so as to impede the development
and
application of good security measures.   We are strongly in favor of
criminalizing inappropriate behavior, but we urge the Council to avoid
criminalizing the development, use, and distribution of tools that
are important to professionals -- in commerce, academia, and
government --  who are working to prevent misuse.

We ask that the treaty drafters specifically recognize the legitimate
and important role that the creation and public dissemination of
demonstration code plays in advancing the information security field.
Moreover, we urge that appropriate laws criminalizing the misuse of
such tools replace the ownership or creation clauses of the treaty.

Signed,

<name> <affiliation>


"Organizational affiliations are listed for
identification purposes only, and do not necessarily reflect the
official opinion of the affiliated organization."