[BOARD] Dissenting opinion on CyberCrime treaty statement

Marcus Ranum, as the NFR representative on the Editorial Board, has
expressed a dissenting opinion with the CyberCrime Treaty statement.
I am posting Marcus' concerns here as a matter of record. This does
not impact the current activities with respect to garnering support
for the statement, as we have already decided that it is not an
"official" Editorial Board activity.

Since some of his concern touches on the controversial issue of full
disclosure, I encourage any potential responders to this email to take
care to avoid being "sidetracked" by that issue. There may be better
forums than the Editorial Board mailing list for those sorts of

The concern is with the following text of the statement:

# System administrators, researchers, consultants and companies all
# routinely develop, use, and share software designed to exercise known
# and suspected vulnerabilities. Academic institutions use these
# tools to educate students and in research to develop improved
# defenses. Our combined experience suggests that it is impossible
# to reliably distinguish software used in computer crime from that
# used for these legitimate purposes. In fact, they are often

And following is Marcus' response, extracted from various email
discussions and approved by him:

>The statement, as it is drafted, goes contrary to what I believe is
>the inevitable and right progression of legislative events concerning
>hacking/penetration test tools.

>While it is difficult to reliably distinguish between attack tools and
>security tools, I believe there are standards of reasonableness that
>can, and _must_ be applied. Too many attack tools are being developed
>and deployed, under the guise of "helping" and "education" - I believe
>that in the long run it is not helpful and is in fact detrimental.

>For example, nmap, by its very design, is intended to defeat certain
>forms of security. Therefore it is not a purely legitimate tool. Some
>may argue that it may still be useful to white hats. That may be true
>- but there are plenty of cases where legitimate tools that may be
>abused are restricted and regulated. I don't have a problem with that
>in this case.

Others have expressed concerns that if it appears that the Board as a
whole supports this treaty statement, it may conflict with the
organizational opinions of some parent organizations of Board members.
Marcus effectively agrees with this:

>I am opposed to participating (and, by extension, NFR
>participating...) in any action that indicates support for further
>dissemination, usage, teaching about, or otherwise condoning the use
>of hacking tools and techniques.