
RE: Cybercrime treaty

> -----Original Message-----
> From: Matt Bishop [mailto:bishop@nob.cs.ucdavis.edu]

> And by the way, if you think 6a1 is bad, check out 6a2. -- kiss
> crack, johntheripper, etc. goodbye. And merely POSSESSING these
> seems to be illegal, under 6b (they mislabeled it a; it's the
> second a).

That's ridiculous - they clearly don't understand that these things have
legitimate uses. It's been my job to write tools that do this for the last
4+ years. Ack - my source tree would be illegal...

> PS: One thing, David -- if I remember my political science class
> taken umptiddy-ump years ago, treaties in the US are at
> the same level as the Constitution, so I'm not sure that the
> US federal courts would accept an argument that restricting this
> technology (break-in programs) is unconstitutional -- the issue
> arose during the court cases about the seizure of Iranian
> assets in the 1980s, and the US Government's efforts to return
> (some of) the assets. The lienholders hollered bloody murder, but
> -- if I remember correctly -- the US Supreme Court said too bad.
> Any lawyers (or computer scientists who play lawyers on the web :-))
> know if I'm completely off base here?

This doesn't sound right - first of all, Congress can't pass anything that
supersedes the Constitution without approval of the states.  What I think
might be muddying the waters here is that we're dealing with an interaction
between governments here. Also, as soon as you're dealing with even non-US
citizens all bets are off - for example, if a foreign national commits a
crime in the US, many of the rights we take for granted do not apply.

Now, back to where we started - 

Howard Schmidt is sending a rep to a computer crime summit where this is
going to be discussed.  IF we can craft a reasoned response to why we think
this article is a Bad Thing, then I will push that and see if it helps.  Who
would like to take a swipe at editing the initial response? Steve?

I'll take an initial swipe at this thing - 

>Article 6 - Illegal Devices
>
>Each Party shall adopt such legislative and other measures as may be
>necessary to establish as criminal offences under its domestic law when
>committed intentionally and without right:
>
>the production, sale, procurement for use, import, distribution or
>otherwise making available of:
>
>a device, including a computer program, designed or adapted [specifically]
>[primarily] [particularly] for the purpose of committing any of the offences
>established in accordance with Article 2 - 5;

This section is vague.  Numerous examples exist of programs which are
primarily designed to intercept data, and these programs are considered part
of a normal system administrator's trouble-shooting toolkit. Illegal access
can be obtained to many systems merely by attempting to log on using normal
system tools (e.g., telnet, net use, etc.). These tools are also normally
present on most operating systems.

There is also the issue that a part of normal security administration
involves using tools which are designed to obtain unauthorized access to
determine which portions of your own network may be vulnerable.  Making
these programs illegal would severely hinder our ability to test our
defenses against the activities defined in articles 2-5.

This clause, unlike the following two clauses, does not require that the use
or possession of these devices be with criminal intent.

>a computer password, access code, or similar data by which the whole or any
>part of a computer system is capable of being accessed with intent that it
>be used for the purpose of committing the offences established in Articles 2
>- 5;
>
>the possession of an item referred to in paragraphs (a)(1) and (2) above,
>with intent that it be used for the purpose of committing the offenses
>established in Articles 2 - 5. A party may require by law that a number of
>such items be possessed before criminal liability attaches.

Page Last Updated or Reviewed: May 22, 2007