
RE: [CVEPRI] Update and modification to CyberCrime Treaty Statement

I don't have any problem with the changes.

- Jim

> -----Original Message-----
> From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
> Sent: Monday, June 05, 2000 1:19 PM
> To: cve-editorial-board-list@lists.mitre.org
> Cc: gjg@MITRE.ORG; ramartin@MITRE.ORG; ptasker@MITRE.ORG
> Subject: [CVEPRI] Update and modification to CyberCrime Treaty Statement
>
> All:
>
> Working with Gene Spafford, we have identified a number of individuals
> who we would like to sign the statement on the CyberCrime treaty.  We
> have prepared an informational web site, which we will initially
> provide to those individuals.  This informational web site will be
> separated from the CVE web site to ensure that there is no implication
> that this is a CVE-related effort.  Once we have gathered the
> signatures (by some deadline), we will make the site more publicly
> known, and forward the signed statement to the Council of Europe and
> other government policy makers.  We still need to decide what to do,
> if anything, once the statement has been released and presented to the
> people we want to be aware of it.
>
> Our lawyer and our communications director have reviewed the statement
> and suggested some modifications which may improve its impact.  The
> modified statement is included below.  Please let me know if these
> modifications prevent you from signing the statement.
>
> There are 2 primary concerns with the current wording of the
> statement.
>
> 1) As written, the statement makes it look like we are being critical
> of the entire treaty, instead of one portion: "we wish to register our
> misgivings about the Council of Europe draft treaty."  It's really
> only one portion of the treaty we care about, so we might want to
> clarify this point so that it doesn't raise eyebrows unnecessarily.
> (The second sentence actually does say that the concern is only with a
> portion, so at the very least the first 2 sentences of the statement
> are in some conflict with each other!)
>
> 2) From our lawyer's perspective, the treaty itself won't necessarily
> cause the creation of bad laws.  However, countries may misinterpret
> the treaty and criminalize legitimate security practices.  The current
> wording focuses on Article 6.  Our lawyer believes that this article
> is fine, but that Articles 2-5 need to be more clear with respect to
> criminal intent.  Some of this was discussed when Board members were
> developing the statement last month.  It was also suggested that we
> shouldn't try to make explicit recommendations for modifications to
> the treaty, rather treat the letter as a mechanism for making the
> treaty drafters (and others) aware of the issues.
>
> So the modified statement contains the following changes: (a) the
> first sentence is modified to indicate that it's only a portion of the
> treaty we're concerned with, (b) the risk of misinterpretation is
> explicitly mentioned, and (c) the paragraph suggesting specific
> modifications to the treaty has been deleted.
>
> Please let me know if this affects whether or not you are willing to
> sign the statement.  While I believe that these changes are relatively
> minor, I wanted to make sure that the Board members who will publicly
> support this statement can still support it.
>
> - Steve
>
> ************** SUGGESTED NEW TEXT of CyberCrime Treaty Statement *************
>
> Changes from the original text are marked with a '***' tag.
>
> Greetings:
>
> As leading security practitioners, educators, vendors, and users of
> information security, we wish to register our misgivings about
> ***portions of*** the Council of Europe draft treaty on Crime in
> Cyberspace.
>
> We are concerned that *** some *** of the proposed treaty may result
> in criminalizing techniques and software commonly used to make
> computer systems resistant to attack.  Signatory states passing
> legislation to implement the treaty may endanger the security of their
> computer systems, because computer users in those countries will not
> be able to adequately protect their computer systems and the education
> of information protection specialists will be hindered.
>
> Critical to the protection of computer systems and infrastructure is
> the ability to
>
> * Test software for weaknesses
> * Verify the presence of defects in computer systems
> * Exchange vulnerability information
>
> System administrators, researchers, consultants, and companies all
> routinely develop, use, and share software designed to exercise known
> and suspected vulnerabilities.  Academic institutions use these tools
> to educate students and in research to develop improved defenses.  Our
> combined experience suggests that it is impossible to reliably
> distinguish software used in computer crime from that used for these
> legitimate purposes.  In fact, they are often identical.
>
> *** Currently, the draft treaty as written may be misinterpreted ***
> regarding the use, distribution, and possession of software that could
> be used to violate the security of computer systems.  We agree that
> damaging or breaking into computer systems is wrong and we
> unequivocally support laws against such inappropriate behavior.  We
> affirm that a goal of the treaty and resulting legislation should be
> to permit the development and application of good security measures.
> However, legislation that criminalizes security software development,
> distribution, and use is counter to that goal, as it would adversely
> impact security practitioners, researchers, and educators.
>
> *** [Paragraph suggesting specific modifications to the treaty
>     deleted.] ***
>
> Please do not hesitate to call on us for technical advice in your future
> deliberations.

Page Last Updated or Reviewed: May 22, 2007