RE: v 5.3 (dcl)
My few changes to David's copy, including adding a few words from Kevin Ziese. My changes fit into the following categories:

1) further reduced some sentences (but added others; this is about 15 more words than David's draft)
2) more careful word choices. For example, I tried to remove the word "exploit." That word is not used in the treaty, and can have negative connotations to some people.
3) removed repeated use of the same word in adjoining sentences (e.g., "vulnerability" was overused)
4) changed us from "experts" to "leaders" (instead of being pointy-headed geeks we are now peers of a sort)
5) Changed sense in a few places so that it implies that *anyone* can develop and use security software; previous wording implied that we were only concerned about professionals being able to use it.
6) Added explicit statement about not criminalizing the technology.
7) Added back in statement about contacting us for future assistance.

I've written about a dozen of these for ACM over the last 2 years and I can tell you that precision and brevity are important. So we should all look at this to be certain that there are no statements that could be misinterpreted.

Cheers,
--spaf

=============

Greetings:

As leading security practitioners, educators, vendors, and users of information security, we wish to register our opinions about the Council of Europe draft treaty on Crime in Cyberspace. We are concerned that portions of the proposed treaty may result in criminalizing techniques and software commonly used to make computer systems resistant to attack. Signatory states passing legislation to implement the treaty may thus endanger the security of their computer systems, computer users in those countries may not be able to adequately protect their computer systems, and education of information protection specialists may be hindered.
Critical to the protection of computer systems and infrastructure is the ability to test software for weaknesses, verify the presence of defects in existing systems, and exchange vulnerability information. System administrators, researchers, consultants and companies all routinely develop, use, and share software designed to exercise known and suspected vulnerabilities. Academic institutions use software designed to probe vulnerabilities to educate students and in research to develop improved defenses. Our experience with these tools suggests that it is impossible to reliably distinguish software used in computer crime from that used for these legitimate purposes -- and that often it is identical.

Currently, article 6 of the draft treaty is vague regarding the use, distribution, and possession of software that could be used to violate the security of computer systems. We agree that damaging or breaking into computer systems is wrong and we unequivocally support laws against such inappropriate behavior. However, legislation that criminalizes security software development and use would adversely impact security practitioners, researchers, and educators working to prevent computer misuse. The goal of the treaty and resulting legislation should be to permit the development and application of good security measures, and a prohibition against development or circulation of security tools and information is counter to that goal.

Therefore, we respectfully request that the treaty drafters remove section a.1 from article 6, and modify section b accordingly; the articles on computer intrusion and damage (viz., articles 1-5) are already sufficient to proscribe any improper use of security-related software or information.

Please do not hesitate to call on us for technical advice in your future deliberations.
Signed,

<name>
<title>
<affiliation>

"Organizational affiliations are listed for identification purposes only, and do not necessarily reflect the official opinion of the affiliated organization."