RE: [CVEPRI] Update and modification to CyberCrime Treaty Statement
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have no problems with the new wording.

Ken

| -----Original Message-----
| From: owner-cve-editorial-board-list@lists.mitre.org
| [mailto:owner-cve-editorial-board-list@lists.mitre.org]On Behalf Of
| Steven M. Christey
| Sent: Monday, June 05, 2000 4:19 PM
| To: cve-editorial-board-list@lists.mitre.org
| Cc: gjg@MITRE.ORG; ramartin@MITRE.ORG; ptasker@MITRE.ORG
| Subject: [CVEPRI] Update and modification to CyberCrime
| Treaty Statement
|
|
| All:
|
| Working with Gene Spafford, we have identified a number of individuals
| who we would like to sign the statement on the CyberCrime treaty. We
| have prepared an informational web site, which we will initially
| provide to those individuals. This informational web site will be
| separated from the CVE web site to ensure that there is no implication
| that this is a CVE-related effort. Once we have gathered the
| signatures (by some deadline), we will make the site more publicly
| known, and forward the signed statement to the Council of Europe and
| other government policy makers. We still need to decide what to do,
| if anything, once the statement has been released and presented to the
| people we want to be aware of it.
|
| Our lawyer and our communications director have reviewed the statement
| and suggested some modifications which may improve its impact. The
| modified statement is included below. Please let me know if these
| modifications prevent you from signing the statement.
|
| There are 2 primary concerns with the current wording of the
| statement.
|
| 1) As written, the statement makes it look like we are being critical
| of the entire treaty, instead of one portion: "we wish to register our
| misgivings about the Council of Europe draft treaty." It's really
| only one portion of the treaty we care about, so we might want to
| clarify this point so that it doesn't raise eyebrows unnecessarily.
| (The second sentence actually does say that the concern is only with a
| portion, so at the very least the first 2 sentences of the statement
| are in some conflict with each other!)
|
| 2) From our lawyer's perspective, the treaty itself won't necessarily
| cause the creation of bad laws. However, countries may misinterpret
| the treaty and criminalize legitimate security practices. The current
| wording focuses on Article 6. Our lawyer believes that this article
| is fine, but that Articles 2-5 need to be more clear with respect to
| criminal intent. Some of this was discussed when Board members were
| developing the statement last month. It was also suggested that we
| shouldn't try to make explicit recommendations for modifications to
| the treaty, rather treat the letter as a mechanism for making the
| treaty drafters (and others) aware of the issues.
|
|
| So the modified statement contains the following changes: (a) the
| first sentence is modified to indicate that it's only a portion of the
| treaty we're concerned with, (b) the risk of misinterpretation is
| explicitly mentioned, and (c) the paragraph suggesting specific
| modifications to the treaty has been deleted.
|
|
| Please let me know if this affects whether or not you are willing to
| sign the statement. While I believe that these changes are relatively
| minor, I wanted to make sure that the Board members who will publicly
| support this statement can still support it.
|
| - Steve
|
|
|
|
| ************** SUGGESTED NEW TEXT of CyberCrime Treaty
| Statement *************
|
|
| Changes from the original text are marked with a '***' tag.
|
|
|
| Greetings:
|
| As leading security practitioners, educators, vendors, and users of
| information security, we wish to register our misgivings about
| ***portions of*** the Council of Europe draft treaty on Crime in
| Cyberspace.
|
| We are concerned that *** some *** of the proposed treaty may result
| in criminalizing techniques and software commonly used to make
| computer systems resistant to attack. Signatory states passing
| legislation to implement the treaty may endanger the security of their
| computer systems, because computer users in those countries will not
| be able to adequately protect their computer systems and the education
| of information protection specialists will be hindered.
|
| Critical to the protection of computer systems and infrastructure is
| the ability to
| * Test software for weaknesses
| * Verify the presence of defects in computer systems
| * Exchange vulnerability information
|
| System administrators, researchers, consultants, and companies all
| routinely develop, use, and share software designed to exercise known
| and suspected vulnerabilities. Academic institutions use these tools
| to educate students and in research to develop improved defenses. Our
| combined experience suggests that it is impossible to reliably
| distinguish software used in computer crime from that used for these
| legitimate purposes. In fact, they are often identical.
|
| *** Currently, the draft treaty as written may be misinterpreted ***
| regarding the use, distribution, and possession of software that could
| be used to violate the security of computer systems. We agree that
| damaging or breaking into computer systems is wrong and we
| unequivocally support laws against such inappropriate behavior. We
| affirm that a goal of the treaty and resulting legislation should be
| to permit the development and application of good security measures.
| However, legislation that criminalizes security software development,
| distribution, and use is counter to that goal, as it would adversely
| impact security practitioners, researchers, and educators.
|
| *** [Paragraph suggesting specific modifications to the treaty
| deleted.] ***
|
| Please do not hesitate to call on us for technical advice in
| your future deliberations.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOTznl3fba3jWxdCmEQIbhQCeJpPKaGilO4DI3CLfyjZGbjxWw/YAnApP
nbci2DPmemzlpOfLMK+baEbB
=7FZe
-----END PGP SIGNATURE-----