RE: 5th Draft - CyberCrime Treaty Statement



I'm offering my stab at modifications. First you'll find the draft with my
comments inserted together with what I suggest be removed <new ~ old>.

Below that you'll find the read of the entire draft with my wording alone (a
more coherent read).

Btw, if we're going to do this, we also need to re-write the sections we
believe should be changed with our proposed language. If we simply ask them
to change it, and don't tell them specifically how we think it should be
written, our opinion will be diminished (IMO).

Cheers,
Russ

------
Dear <treaty drafters>

We are a group of security <specialists ~ experts> who participate in the
Common Vulnerabilities and Exposures Initiative.  This project is a
collaboration between a broad range of responsible <members of the
information security industry ~ computer security experts and companies> to
develop a common industry-wide set of names for the many different
vulnerabilities known in computer systems. <deleted ~ As such, we represent
a cross-section of the technical community that works on computer security
vulnerabilities.>

As <such ~ experts, educators, and practitioners of information security>,
we wish to register our concerns about the Council of Europe draft treaty on
Crime in Cyberspace.  Portions of the proposed treaty may result in
criminalizing practices and tools commonly used in <facilitating defenses
for ~ making> computer systems <deleted ~ resistant to attack>.  If
signatory states pass legislation to implement the treaty <as is>, they will
endanger <their ability to defend ~ the security of> their computer systems
<by limiting what members of our industry see, discuss, and work with ~
because professionals will not be able> to protect those systems
adequately. They will also hinder the education of the next generation of
information <security ~ protection> specialists.

<deleted ~ Critical to the protection of computer systems and infrastructure
is the ability to test software for new vulnerabilities, determine the
presence of known vulnerabilities in existing systems, and exchange
information about such vulnerabilities.  <Specialists ~ Professionals> and
companies routinely develop, use, and share tools designed to exploit
vulnerabilities. Commercial tools for system administrators and
<information> security <specialists ~ experts> include these exploit tools.
Academic institutions use these tools and techniques to educate students and
in research to develop new and better defenses.>

Our experience convinces us that it is impossible to reliably distinguish between
tools used in computer crime and instances of tools used for the legitimate
purposes <, such as new or known vulnerability testing and the public dialog
associated with such testing ~ described above>.

Article 6 of the treaty is vague with respect to issues of use, distribution,
or possession of software that could be used to violate the security of
computer systems.  <Promoting ~ Enabling> legislation that criminalized
tools or their uses would affect <specialists ~ practitioners>, researchers,
and teachers, and would slow the important progress of computer security
research.

We agree that <the intent to break ~ breaking> into computer systems
<without rights> is wrong.  But, we do not want the treaty, and the
resulting legislation, to impede the development and application of <much
needed defensive ~ good> security measures.  We are strongly in favor of
criminalizing inappropriate behavior, but we urge the Council to avoid
criminalizing the development, use, and distribution of tools that are
important to <information security specialists ~ professionals> -- in
commerce, academia, and government --  who are <the only real defense
against ~ working to prevent> misuse.

We ask that the treaty drafters specifically recognize the legitimate and
important role that the creation and public dissemination of demonstration
code plays in advancing the information security field.  Moreover, we urge
that appropriate laws criminalizing the <intent to abuse ~ misuse of> such
tools replace the ownership or creation clauses of the treaty.

Signed,

<name> <affiliation>


"Organizational affiliations are listed for
identification purposes only, and do not necessarily reflect the
official opinion of the affiliated organization."

------
Dear <treaty drafters>

We are a group of security specialists who participate in the Common
Vulnerabilities and Exposures Initiative.  This project is a collaboration
between a broad range of responsible members of the information security
industry to develop a common industry-wide set of names for the many
different vulnerabilities known in computer systems.

As such, we wish to register our concerns about the Council of Europe draft
treaty on Crime in Cyberspace.  Portions of the proposed treaty may result
in criminalizing practices and tools commonly used in facilitating defenses
for computer systems.  If signatory states pass legislation to implement the
treaty <as is>, they will endanger their ability to defend their computer
systems by limiting what members of our industry see, discuss, and work with
to protect those systems adequately. They will also hinder the education of
the next generation of information security specialists.

Our experience convinces us that it is impossible to reliably distinguish between
tools used in computer crime and instances of tools used for the legitimate
purposes, such as new or known vulnerability testing and the public dialog
associated with such testing.

Article 6 of the treaty is vague with respect to issues of use, distribution,
or possession of software that could be used to violate the security of
computer systems.  Promoting legislation that criminalized tools or their
uses would affect specialists, researchers, and teachers, and would slow the
important progress of computer security research.

We agree that the intent to break into computer systems without rights is
wrong.  But, we do not want the treaty, and the resulting legislation, to
impede the development and application of much needed defensive security
measures.  We are strongly in favor of criminalizing inappropriate behavior,
but we urge the Council to avoid criminalizing the development, use, and
distribution of tools that are important to information security specialists
-- in commerce, academia, and government --  who are the only real defense
against misuse.

We ask that the treaty drafters specifically recognize the legitimate and
important role that the creation and public dissemination of demonstration
code plays in advancing the information security field.  Moreover, we urge
that appropriate laws criminalizing the intent to abuse such tools replace
the ownership or creation clauses of the treaty.

Signed,

<name> <affiliation>


"Organizational affiliations are listed for
identification purposes only, and do not necessarily reflect the
official opinion of the affiliated organization."

Page Last Updated or Reviewed: May 22, 2007