RE: 5th Draft - CyberCrime Treaty Statement
Dang! I had just about finished revisions on v4, and now I'm reimplementing
them on v5. That's great, since Matt read my mind and improved what I had
Some of the major revisions in v5.1 summed up:
- Removal of the first paragraph to open this document to any security
professional, since we state who we are in subsequent paragraphs.
- Removal and contraction of certain transitive phrases and colloquial
expressions, as well as related phrases that could be run togther without
producing overly long sentences like this one. :-)
- Consistency in using "software" in place of program, tool, exploit, code;
same goes for "techniques" to refer to methods, procedures, and so on.
- Fixing misspellings. You can thank Mr. Bill's Processor for that one.
Anyway, the word count goes from 458 to 360, FWIW. :-)
Andre Frech | firstname.lastname@example.org | 678-443-6241
Internet Security Systems, Inc.
--- v5.1 follows ---
Dear <treaty drafters>:
As experts, educators, and practitioners of information security, we wish to
register our concerns about the Council of Europe draft treaty on Crime in
Cyberspace. Portions of the proposed treaty may result in criminalizing
techniques and software commonly used to make computer systems resistant to
attack. Signatory states passing legislation to implement the treaty
endanger the security of their computer systems. Professionals will not be
able to adequately protect computer systems, and education of the next
generation of information protection specialists will be hindered.
Critical to the protection of computer systems and infrastructure is the
ability to test software for vulnerabilities, verify the presence of
vulnerabilities in existing systems, and exchange vulnerability information.
Professionals and companies routinely develop, use, and share software
designed to exploit vulnerabilities. Commercial software for system
administrators and security experts include software that exploits
vulnerabilities. Academic institutions use this software to educate
students and in research to develop and improve defenses.
Our experience supports that it is impossible to reliably distinguish
between software used in computer crime and legitimate purposes.
Article 6 of the treaty is vague regarding the use, distribution, or
possession of software that could be used to violate the security of
computer systems. Legislation that criminalizes software use would
adversely impact security practitioners, researchers, and educators. Article
6 would throttle important progress in computer security research.
We agree that breaking into computer systems is wrong and are strongly in
favor of criminalizing inappropriate behavior. Our goal is for the treaty
and resulting legislation to permit the development and application of good
security measures. We urge the Council to avoid criminalizing the
development, use, and distribution of software important to commerce,
academia, and government professionals working to prevent misuse.
We request that the treaty drafters specifically recognize legitimate
computer security activities and permit the creation and public
dissemination of software and techniques used to study and verify computer
security vulnerabilities. Moreover, we urge that appropriate laws
criminalizing software misuse replace the ownership or creation clauses of
"Organizational affiliations are listed for identification purposes only,
and do not necessarily reflect the official opinion of the affiliated
> -----Original Message-----
> From: Dave Mann [mailto:dmann@BINDVIEW.COM]
> Sent: Wednesday, May 10, 2000 4:41 PM
> To: email@example.com
> Subject: 5th Draft - CyberCrime Treaty Statement
> Below is the 5th version and the last that I can handle today.
> This version was produced by Matt Bishop. Mostly just
> wordsmithing to shorten and clarify several points.
> IMO, I think it stand further shortening but I don't have
> time left today to devote to it.
> Could others also continue to place version numbers on
> their edits so that we can track the changes?
> Dave Mann || e-mail: firstname.lastname@example.org
> Senior Security Analyst || phone: 508-485-7737 x254
> BindView Corporation || fax: 508-485-0737
> Dear <treaty drafters>
> We are a group of security experts who participate in the Common
> Vulnerabilities and Exposures Initiative. This project is a
> collaboration between a broad range of responsible computer security
> experts and companies to develop a common industry-wide set of
> names for the many different vulnerabilities known in computer
> systems. As such, we represent a cross-section of the technical
> community that works on computer security vulnerabilities.
> As experts, educators, and practitioners of information security,
> we wish to register our concerns about the Council of Europe draft
> treaty on Crime in Cyberspace. Portions of the proposed treaty
> may result in criminializing practices and tools commonly used in
> making computer systems resistant to attack. If signatory states
> pass legislation to implement the treaty, they will endanger the
> security of their computer systems because professionals
> will not be able to protect those systems adequately. They will
> also hinder the education of the next generation of information
> protection specialists.
> Critical to the protection of computer systems and infrastructure
> is the ability to test software for new vulnerabilitities, determine
> the presence of known vulnerabilities in existing systems, and
> exchange information about such vulnerabilities. Professionals
> and companies routinely develop, use, and share tools designed to
> exploit vulnerabilities. Commercial tools for system administrators
> and security experts include these exploit tools. Academic
> use these tools and techniques to educate students and in research to
> develop new and better defenses.
> Our experience convinces us that impossible to reliably distinguish
> between tools used in computer crime and instances of tools used
> for the legitimate purposes described above.
> Article 6 of the treat is vague with respect to issues of use,
> distribution, or possession of software that could be used to
> violate the security of computer systems. Enabling legislation
> that criminalized tools or their uses would affect practitioners,
> researchers, and teachers, and would slow the important progress
> of computer security research.
> We agree that breaking into computer systems is wrong. But, we do
> not want the treaty, and the resulting legislation, to impede
> the development and application of good security measures. We are
> strongly in favor of criminalizing inappropriate behavior, but we
> urge the Council to avoid criminalizing the development, use, and
> distribution of tools that are important to professionals -- in
> commerce, academia, and government -- who are working to prevent
> We ask that the treaty drafters specifically recognize the legitimate
> and important role that the creation and public dissemination of
> demonstration code plays in advancing the information security
> field. Moreover, we urge that appropriate laws criminalizing the
> misuse of such tools replace the ownership or creation clauses of
> the treaty.
> <name> <affiliation>
> "Organizational affiliations are listed for
> identification purposes only, and do not necessarily reflect the
> official opinion of the affiliated organization."