5th Draft - CyberCrime Treaty Statement
Below is the 5th version and the last that I can handle today.
This version was produced by Matt Bishop. Mostly just
wordsmithing to shorten and clarify several points.
IMO, I think it stand further shortening but I don't have
time left today to devote to it.
Could others also continue to place version numbers on
their edits so that we can track the changes?
Dave Mann || e-mail: firstname.lastname@example.org
Senior Security Analyst || phone: 508-485-7737 x254
BindView Corporation || fax: 508-485-0737
Dear <treaty drafters>
We are a group of security experts who participate in the Common
Vulnerabilities and Exposures Initiative. This project is a
collaboration between a broad range of responsible computer security
experts and companies to develop a common industry-wide set of
names for the many different vulnerabilities known in computer
systems. As such, we represent a cross-section of the technical
community that works on computer security vulnerabilities.
As experts, educators, and practitioners of information security,
we wish to register our concerns about the Council of Europe draft
treaty on Crime in Cyberspace. Portions of the proposed treaty
may result in criminializing practices and tools commonly used in
making computer systems resistant to attack. If signatory states
pass legislation to implement the treaty, they will endanger the
security of their computer systems because professionals
will not be able to protect those systems adequately. They will
also hinder the education of the next generation of information
Critical to the protection of computer systems and infrastructure
is the ability to test software for new vulnerabilitities, determine
the presence of known vulnerabilities in existing systems, and
exchange information about such vulnerabilities. Professionals
and companies routinely develop, use, and share tools designed to
exploit vulnerabilities. Commercial tools for system administrators
and security experts include these exploit tools. Academic institutions
use these tools and techniques to educate students and in research to
develop new and better defenses.
Our experience convinces us that impossible to reliably distinguish
between tools used in computer crime and instances of tools used
for the legitimate purposes described above.
Article 6 of the treat is vague with respect to issues of use,
distribution, or possession of software that could be used to
violate the security of computer systems. Enabling legislation
that criminalized tools or their uses would affect practitioners,
researchers, and teachers, and would slow the important progress
of computer security research.
We agree that breaking into computer systems is wrong. But, we do
not want the treaty, and the resulting legislation, to impede
the development and application of good security measures. We are
strongly in favor of criminalizing inappropriate behavior, but we
urge the Council to avoid criminalizing the development, use, and
distribution of tools that are important to professionals -- in
commerce, academia, and government -- who are working to prevent
We ask that the treaty drafters specifically recognize the legitimate
and important role that the creation and public dissemination of
demonstration code plays in advancing the information security
field. Moreover, we urge that appropriate laws criminalizing the
misuse of such tools replace the ownership or creation clauses of
"Organizational affiliations are listed for
identification purposes only, and do not necessarily reflect the
official opinion of the affiliated organization."