Re: [BOARD] Dissenting opinion on CyberCrime treaty statement

[Gene Spafford <spaf@cerias.purdue.edu>]

I have concerns about the posting of vulnerability information and
circulation of some code that could be damaging.   I am not a fan of
full disclosure as it is currently practiced. So I am therefore
sympathetic to Marcus's position.

With that said, I also support the concept of free speech and press.
There are slippery slope arguments here that suggest that there is no
clear demarcation line where we can say that everything before is
okay and after is criminal.   This is especially true in today's
world of IT.

Thus,  I don't support laws criminalizing such behavior without clear
evidence of malicious intent and a clear burden of proof that there
is no legitimate reason for same.  The current wording of the treaty
does not make such distinctions clear, and national legislatures are
unlikely to do a better job of it.

So, we raise our voices to indicate that the current wording of the
treaty could endanger current practice in teaching and protection.
We indicate that they should consider what they do.   The letter does
not advocate immunity, nor does it claim that there should never be
restrictions.

Actually, I think there should be civil recourse and not criminal
penalty.   People who post exploits and full details of
vulnerabilities without adequate advance warning of vendors to
provide fixes should be liable for lawsuits, but not necessarily
arrest.   That is coming, and what we state in the letter doesn't
hinder or prevent this.

As such, I don't see a contradiction with Marcus's view.

--spaf