RE: v 5.3 (dcl)
My few changes to David's copy, including adding a few words from Kevin Ziese.
My changes fit into the following categories:
1) further reduced some sentences (but added others; this is about 15
more words than David's draft)
2) more careful word choices. For example, I tried to remove the
word "exploit." That word is not used in the treaty, and can have
negative connotations to some people.
3) removed repeated use of the same word in adjoining sentences
(e.g., "vulnerability" was overused)
4) changed us from "experts" to "leaders" (instead of being
pointy-headed geeks we are now peers of a sort)
5) Changed sense in a few places so that it implies that *anyone* can
develop and use security software; previous wording implied that we
were only concerned about professionals being able to use it.
6) Added explicit statement about not criminalizing the technology.
7) Added back in statement about contacting us for future assistance.
I've written about a dozen of these for ACM over the last 2 years and
I can tell you that precision and brevity are important. So we
should all look at this to be certain that there are no statements
that could be misinterpreted.
As leading security practitioners, educators, vendors, and users of
information security, we wish to register our opinions about the
Council of Europe draft treaty on Crime in Cyberspace. We are
concerned that portions of the proposed treaty may result in
criminalizing techniques and software commonly used to make computer
systems resistant to attack. Signatory states passing legislation to
implement the treaty may thus endanger the security of their computer
systems, computer users in those countries may not be able to
adequately protect their computer systems, and education of
information protection specialists may be hindered.
Critical to the protection of computer systems and infrastructure is
the ability to test software for weaknesses, verify the presence of
defects in existing systems, and exchange vulnerability information.
System administrators, researchers, consultants and companies all
routinely develop, use, and share software designed to exercise known
and suspected vulnerabilities. Academic institutions use software
designed to probe vulnerabilities to educate students and in research
to develop improved defenses. Our experience with these tools
suggest that it is impossible to reliably distinguish software used
in computer crime from that used for these legitimate purposes -- and
that often it is identical.
Currently, article 6 of the draft treaty is vague regarding the use,
distribution, and possession of software that could be used to
violate the security of computer systems. We agree that damaging or
breaking into computer systems is wrong and we unequivocally support
laws against such inappropriate behavior. However, legislation that
criminalizes security software development and use would adversely
impact security practitioners, researchers, and educators working to
prevent computer misuse. The goal of the treaty and resulting
legislation should be to permit the development and application of
good security measures, and a prohibition against development or
circulation of security tools and information is counter to that
goal. Therefore, we respectfully request that the treaty drafters
remove section a.1 from article 6, and modify section b accordingly;
the articles on computer intrusion and damage (viz., articles 1-5)
are already sufficient to proscribe any improper use of
security-related software or information.
Please do not hesitate to call on us for technical advice in your
"Organizational affiliations are listed for identification purposes only,
and do not necessarily reflect the official opinion of the affiliated