RE: [CVEPRI] Update and modification to CyberCrime Treaty Statement

I have no problems with it as modified.

-mike

-----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Monday, June 05, 2000 3:19 PM
To: email@example.com
Cc: gjg@MITRE.ORG; ramartin@MITRE.ORG; ptasker@MITRE.ORG
Subject: [CVEPRI] Update and modification to CyberCrime Treaty Statement

All:

Working with Gene Spafford, we have identified a number of individuals who we would like to sign the statement on the CyberCrime treaty. We have prepared an informational web site, which we will initially provide to those individuals. This informational web site will be separated from the CVE web site to ensure that there is no implication that this is a CVE-related effort. Once we have gathered the signatures (by some deadline), we will make the site more publicly known, and forward the signed statement to the Council of Europe and other government policy makers. We still need to decide what to do, if anything, once the statement has been released and presented to the people we want to be aware of it.

Our lawyer and our communications director have reviewed the statement and suggested some modifications which may improve its impact. The modified statement is included below. Please let me know if these modifications prevent you from signing the statement.

There are 2 primary concerns with the current wording of the statement.

1) As written, the statement makes it look like we are being critical of the entire treaty, instead of one portion: "we wish to register our misgivings about the Council of Europe draft treaty." It's really only one portion of the treaty we care about, so we might want to clarify this point so that it doesn't raise eyebrows unnecessarily. (The second sentence actually does say that the concern is only with a portion, so at the very least the first 2 sentences of the statement are in some conflict with each other!)

2) From our lawyer's perspective, the treaty itself won't necessarily cause the creation of bad laws. However, countries may misinterpret the treaty and criminalize legitimate security practices. The current wording focuses on Article 6. Our lawyer believes that this article is fine, but that Articles 2-5 need to be more clear with respect to criminal intent. Some of this was discussed when Board members were developing the statement last month.

It was also suggested that we shouldn't try to make explicit recommendations for modifications to the treaty, rather treat the letter as a mechanism for making the treaty drafters (and others) aware of the issues.

So the modified statement contains the following changes:

(a) the first sentence is modified to indicate that it's only a portion of the treaty we're concerned with,
(b) the risk of misinterpretation is explicitly mentioned, and
(c) the paragraph suggesting specific modifications to the treaty has been deleted.

Please let me know if this affects whether or not you are willing to sign the statement. While I believe that these changes are relatively minor, I wanted to make sure that the Board members who will publicly support this statement can still support it.

- Steve

************** SUGGESTED NEW TEXT of CyberCrime Treaty Statement *************

Changes from the original text are marked with a '***' tag.

Greetings:

As leading security practitioners, educators, vendors, and users of information security, we wish to register our misgivings about ***portions of*** the Council of Europe draft treaty on Crime in Cyberspace. We are concerned that *** some *** of the proposed treaty may result in criminalizing techniques and software commonly used to make computer systems resistant to attack. Signatory states passing legislation to implement the treaty may endanger the security of their computer systems, because computer users in those countries will not be able to adequately protect their computer systems and the education of information protection specialists will be hindered.

Critical to the protection of computer systems and infrastructure is the ability to

* Test software for weaknesses
* Verify the presence of defects in computer systems
* Exchange vulnerability information

System administrators, researchers, consultants, and companies all routinely develop, use, and share software designed to exercise known and suspected vulnerabilities. Academic institutions use these tools to educate students and in research to develop improved defenses. Our combined experience suggests that it is impossible to reliably distinguish software used in computer crime from that used for these legitimate purposes. In fact, they are often identical.

*** Currently, the draft treaty as written may be misinterpreted *** regarding the use, distribution, and possession of software that could be used to violate the security of computer systems. We agree that damaging or breaking into computer systems is wrong and we unequivocally support laws against such inappropriate behavior. We affirm that a goal of the treaty and resulting legislation should be to permit the development and application of good security measures. However, legislation that criminalizes security software development, distribution, and use is counter to that goal, as it would adversely impact security practitioners, researchers, and educators.

*** [Paragraph suggesting specific modifications to the treaty deleted.] ***

Please do not hesitate to call on us for technical advice in your future deliberations.