
[CVEPRI] Update and modification to CyberCrime Treaty Statement



All:

Working with Gene Spafford, we have identified a number of individuals
whom we would like to sign the statement on the CyberCrime treaty.  We
have prepared an informational web site, which we will initially
provide to those individuals.  This informational web site will be
separated from the CVE web site to ensure that there is no implication
that this is a CVE-related effort.  Once we have gathered the
signatures (by some deadline), we will make the site more publicly
known, and forward the signed statement to the Council of Europe and
other government policy makers.  We still need to decide what to do,
if anything, once the statement has been released and presented to the
people we want to be aware of it.

Our lawyer and our communications director have reviewed the statement
and suggested some modifications which may improve its impact.  The
modified statement is included below.  Please let me know if these
modifications prevent you from signing the statement.

There are 2 primary concerns with the current wording of the
statement.

1) As written, the statement makes it look like we are being critical
of the entire treaty, instead of one portion: "we wish to register our
misgivings about the Council of Europe draft treaty."  It's really
only one portion of the treaty we care about, so we might want to
clarify this point so that it doesn't raise eyebrows unnecessarily.
(The second sentence actually does say that the concern is only with a
portion, so at the very least the first 2 sentences of the statement
are in some conflict with each other!)

2) From our lawyer's perspective, the treaty itself won't necessarily
cause the creation of bad laws.  However, countries may misinterpret
the treaty and criminalize legitimate security practices.  The current
wording focuses on Article 6.  Our lawyer believes that this article
is fine, but that Articles 2-5 need to be more clear with respect to
criminal intent.  Some of this was discussed when Board members were
developing the statement last month.  It was also suggested that we
shouldn't try to make explicit recommendations for modifications to
the treaty, but rather treat the letter as a mechanism for making the
treaty drafters (and others) aware of the issues.


So the modified statement contains the following changes: (a) the
first sentence is modified to indicate that it's only a portion of the
treaty we're concerned with, (b) the risk of misinterpretation is
explicitly mentioned, and (c) the paragraph suggesting specific
modifications to the treaty has been deleted.


Please let me know if this affects whether or not you are willing to
sign the statement.  While I believe that these changes are relatively
minor, I wanted to make sure that the Board members who will publicly
support this statement can still support it.

- Steve




************** SUGGESTED NEW TEXT of CyberCrime Treaty Statement *************


Changes from the original text are marked with a '***' tag.



Greetings:

As leading security practitioners, educators, vendors, and users of
information security, we wish to register our misgivings about
***portions of*** the Council of Europe draft treaty on Crime in
Cyberspace.

We are concerned that *** some *** of the proposed treaty may result
in criminalizing techniques and software commonly used to make
computer systems resistant to attack.  Signatory states passing
legislation to implement the treaty may endanger the security of their
computer systems, because computer users in those countries will not
be able to adequately protect their computer systems and the education
of information protection specialists will be hindered.

Critical to the protection of computer systems and infrastructure is
the ability to
* Test software for weaknesses
* Verify the presence of defects in computer systems
* Exchange vulnerability information

System administrators, researchers, consultants, and companies all
routinely develop, use, and share software designed to exercise known
and suspected vulnerabilities.  Academic institutions use these tools
to educate students and in research to develop improved defenses.  Our
combined experience suggests that it is impossible to reliably
distinguish software used in computer crime from that used for these
legitimate purposes.  In fact, they are often identical.

*** Currently, the draft treaty as written may be misinterpreted ***
regarding the use, distribution, and possession of software that could
be used to violate the security of computer systems.  We agree that
damaging or breaking into computer systems is wrong and we
unequivocally support laws against such inappropriate behavior.  We
affirm that a goal of the treaty and resulting legislation should be
to permit the development and application of good security measures.
However, legislation that criminalizes security software development,
distribution, and use is counter to that goal, as it would adversely
impact security practitioners, researchers, and educators.

*** [Paragraph suggesting specific modifications to the treaty
    deleted.] ***

Please do not hesitate to call on us for technical advice in your future
deliberations.

Page Last Updated or Reviewed: May 22, 2007