RE: [CVEPRI] Please Vote on Text of CyberCrime Treaty Statement v5.5
| -----Original Message-----
| From: firstname.lastname@example.org
| [mailto:email@example.com]On Behalf Of
| Steven M. Christey
| Sent: Thursday, May 11, 2000 10:29 PM
| To: firstname.lastname@example.org
| Subject: [CVEPRI] Please Vote on Text of CyberCrime Treaty Statement
| Please vote on the current text of the CyberCrime treaty statement,
| included below, which I've labeled v5.5 (just in case it doesn't turn
| out to be the "final"). This is *NOT* a vote on how we will present
| signatures and organizational affiliations, as that issue is still
| under discussion and can be separated from the actual text.
| Since the list has been quiet about edits in the last day and a half,
| this is the only concrete way to be certain that the Board is ready to
| bless this statement and agree to a "final copy" to use to draw
| support from outside the Board.
| Please send one of the following votes to me and Dave Mann
| (email@example.com), or to the Editorial Board list:
| ACCEPT - accept text as recorded
| MODIFY - make modifications. Please send any MODIFY votes to the
| list. However, at this time you are strongly urged not to
| suggest minor modifications that could be labeled "pedantic
| wordsmithing" :-)
| NOOP - use this if you wish to abstain from voting.
| REJECT - use this vote at your own risk ;-)
| It is requested that you send your vote by Tuesday, May 16. If a
| "final decision" can be made at that time, I'll announce it.
| I will gather and count the votes. Of the 26 organizations
| represented on the Board, 21 have established that they are aware of
| this issue.
| It seems reasonable to require a minimum of 16 ACCEPT votes, which
| would be 75% of the "active" Board member organizations, and 60% of
| all Board member organizations.
| Note that I will be unavailable for all or most of Friday, so if
| you're voting then, please make sure that Dave Mann knows how you
| - Steve
| ************** TEXT of CyberCrime Treaty Statement v5.5 **************
| As leading security practitioners, educators, vendors, and users of
| information security, we wish to register our misgivings about the
| Council of Europe draft treaty on Crime in Cyberspace.
| We are concerned that portions of the proposed treaty may result in
| criminalizing techniques and software commonly used to make computer
| systems resistant to attack. Signatory states passing legislation to
| implement the treaty may endanger the security of their computer
| systems because computer users in those countries will not be able to
| adequately protect their computer systems and the education of
| information protection specialists will be hindered.
| Critical to the protection of computer systems and infrastructure is
| the ability to
| * Test software for weaknesses
| * Verify the presence of defects in computer systems
| * Exchange vulnerability information
| System administrators, researchers, consultants and companies all
| routinely develop, use, and share software designed to exercise known
| and suspected vulnerabilities. Academic institutions use these
| tools to educate students and in research to develop improved
| defenses. Our combined experience suggests that it is impossible
| to reliably distinguish software used in computer crime from that
| used for these legitimate purposes. In fact, they are often
| Currently, article 6 of the draft treaty is vague regarding the use,
| distribution, and possession of software that could be used to
| violate the security of computer systems. We agree that damaging or
| breaking into computer systems is wrong and we unequivocally support
| laws against such inappropriate behavior. We affirm that a
| goal of the
| treaty and resulting legislation should be to permit the development
| and application of good security measures. However, legislation that
| criminalizes security software development, distribution and use
| is counter to that goal, as it would adversely impact security
| practitioners, researchers, and educators.
| Therefore, we respectfully request that the treaty drafters remove
| section a.1 from article 6, and modify section b accordingly; the
| articles on computer intrusion and damage (viz., articles 1-5) are
| already sufficient to proscribe any improper use of security-related
| software or information.
| Please do not hesitate to call on us for technical advice in your
| future deliberations.
| [** signatures, affiliations, and disclaimers deleted - still under
| discussion **]