RE: [CVEPRI] Update and modification to CyberCrime Treaty Statement
I don't have any problem with the changes.

- Jim

> -----Original Message-----
> From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
> Sent: Monday, June 05, 2000 1:19 PM
> To: cve-editorial-board-list@lists.mitre.org
> Cc: gjg@MITRE.ORG; ramartin@MITRE.ORG; ptasker@MITRE.ORG
> Subject: [CVEPRI] Update and modification to CyberCrime Treaty Statement
>
> All:
>
> Working with Gene Spafford, we have identified a number of individuals
> who we would like to sign the statement on the CyberCrime treaty. We
> have prepared an informational web site, which we will initially
> provide to those individuals. This informational web site will be
> separated from the CVE web site to ensure that there is no implication
> that this is a CVE-related effort. Once we have gathered the
> signatures (by some deadline), we will make the site more publicly
> known, and forward the signed statement to the Council of Europe and
> other government policy makers. We still need to decide what to do,
> if anything, once the statement has been released and presented to the
> people we want to be aware of it.
>
> Our lawyer and our communications director have reviewed the statement
> and suggested some modifications which may improve its impact. The
> modified statement is included below. Please let me know if these
> modifications prevent you from signing the statement.
>
> There are 2 primary concerns with the current wording of the
> statement.
>
> 1) As written, the statement makes it look like we are being critical
> of the entire treaty, instead of one portion: "we wish to register our
> misgivings about the Council of Europe draft treaty." It's really
> only one portion of the treaty we care about, so we might want to
> clarify this point so that it doesn't raise eyebrows unnecessarily.
> (The second sentence actually does say that the concern is only with a
> portion, so at the very least the first 2 sentences of the statement
> are in some conflict with each other!)
>
> 2) From our lawyer's perspective, the treaty itself won't necessarily
> cause the creation of bad laws. However, countries may misinterpret
> the treaty and criminalize legitimate security practices. The current
> wording focuses on Article 6. Our lawyer believes that this article
> is fine, but that Articles 2-5 need to be more clear with respect to
> criminal intent. Some of this was discussed when Board members were
> developing the statement last month. It was also suggested that we
> shouldn't try to make explicit recommendations for modifications to
> the treaty, rather treat the letter as a mechanism for making the
> treaty drafters (and others) aware of the issues.
>
> So the modified statement contains the following changes: (a) the
> first sentence is modified to indicate that it's only a portion of the
> treaty we're concerned with, (b) the risk of misinterpretation is
> explicitly mentioned, and (c) the paragraph suggesting specific
> modifications to the treaty has been deleted.
>
> Please let me know if this affects whether or not you are willing to
> sign the statement. While I believe that these changes are relatively
> minor, I wanted to make sure that the Board members who will publicly
> support this statement can still support it.
>
> - Steve
>
> ************** SUGGESTED NEW TEXT of CyberCrime Treaty Statement *************
>
> Changes from the original text are marked with a '***' tag.
>
> Greetings:
>
> As leading security practitioners, educators, vendors, and users of
> information security, we wish to register our misgivings about
> ***portions of*** the Council of Europe draft treaty on Crime in
> Cyberspace.
>
> We are concerned that *** some *** of the proposed treaty may result
> in criminalizing techniques and software commonly used to make
> computer systems resistant to attack. Signatory states passing
> legislation to implement the treaty may endanger the security of their
> computer systems, because computer users in those countries will not
> be able to adequately protect their computer systems and the education
> of information protection specialists will be hindered.
>
> Critical to the protection of computer systems and infrastructure is
> the ability to
> * Test software for weaknesses
> * Verify the presence of defects in computer systems
> * Exchange vulnerability information
>
> System administrators, researchers, consultants, and companies all
> routinely develop, use, and share software designed to exercise known
> and suspected vulnerabilities. Academic institutions use these tools
> to educate students and in research to develop improved defenses. Our
> combined experience suggests that it is impossible to reliably
> distinguish software used in computer crime from that used for these
> legitimate purposes. In fact, they are often identical.
>
> *** Currently, the draft treaty as written may be misinterpreted ***
> regarding the use, distribution, and possession of software that could
> be used to violate the security of computer systems. We agree that
> damaging or breaking into computer systems is wrong and we
> unequivocally support laws against such inappropriate behavior. We
> affirm that a goal of the treaty and resulting legislation should be
> to permit the development and application of good security measures.
> However, legislation that criminalizes security software development,
> distribution, and use is counter to that goal, as it would adversely
> impact security practitioners, researchers, and educators.
>
> *** [Paragraph suggesting specific modifications to the treaty
> deleted.] ***
>
> Please do not hesitate to call on us for technical advice in your
> future deliberations.