
Panel on Cybercrime treaty

I just appeared on the panel about the Cybercrime treaty at the Esorics
conference (European Computer Security Conference) that Mark Dacier had
organized.  I wanted to report back.

The panel was a rather confusing and disorienting experience (through no
fault of Mark's).  He had trouble finding anyone from the Council of Europe
to discuss the treaty because the drafters are anonymous.  In the end he
got participation telephonically from Betty Shave at the US Department of
Justice.  The US is only an observer at the Council of Europe, but has
apparently been heavily involved in the drafting, though it is unclear
whether the US will eventually sign the treaty.

A new draft of the treaty came out very recently.  It was dated Oct 2nd,
but we were not able to get a copy until the 4th - I ended up having about
2 hours to read the thing and prepare my comments which was far less than
ideal.  The other members of the panel were little better off.  Besides
myself, Mark, and Betty, the other members of the panel were Peter Sommer
(telephonically), a cyber legal expert from the UK (who mainly does defense
work and is quite well known in IDS circles), and John McHugh of CERT/CC in
the US.

First, Mark briefly described the introduction of the treaty and some of
the concerns that had been raised.  He introduced the panel.

Betty spoke next and briefly introduced the benefits of the treaty and
international co-operation between law enforcement in cyberspace.  She also
addressed a couple of issues that people had had with the treaty.  In
particular, she said it was not the intent of the drafters to prevent
legitimate use of exploit scripts by security companies, researchers, and

I spoke next.  I briefly described the process that led to the letter, but
said that I was not speaking for the CVE board.  I then emphasized the
general significance of vulnerabilities (how, as we make more and more
aspects of our societies dependent on the Internet, a new vulnerability
could be used to cause massive damage, and therefore society has a critical
interest in the process by which vulnerabilities are reported and
resolved).  Although it's clear that the revised treaty is better than
before, I expressed my doubts that trying to ban exploit scripts was the
best we could do at making that aspect of society work better.  I stated my
fear that even the revised wording of the treaty could prevent full
disclosure of vulnerabilities, and that might not make society more
secure.  Was that the intent of the treaty drafters?

Betty Shave responded to this.  The present wording of the draft treaty
makes it clear that it's only intended to be illegal to create, possess,
sell, distribute, etc. exploit scripts *if* you are doing it with intent to
cause others to commit crimes.  So it was not intended to hinder
distribution of vulnerability information.  She thought full disclosure
sites were fine.  Peter Sommer expressed his view that the intent language
might mean that whether posting an exploit, fragrouter program, sniffer,
etc. is illegal would come down to the language on the web site from which
it was distributed (did it look like a hacker site advocating breaking in,
or did it look like a site distributing security information for the
purpose of improving the security of systems.)

Peter next spoke in general about his concerns that the treaty was too
tailored to the law enforcement viewpoint.  He said that he wasn't a
conspiracy theorist, that he believed law enforcement generally was useful
and beneficial and had reasonable concerns.  But law enforcement is
generally trying to make their own job easier and quicker, and in pursuing
that, they don't necessarily have either enough concern for the rights of
others, or a broad enough understanding of the overall problem to draft
good legislation.  In experience with past laws and treaties, he had
observed a tendency for prosecutors working as law drafters, instead of
saying "Ok we'll change the wording", to say "Oh, we'd never use it to do
that" and then leave the dubious wording in.  Peter felt we needed to care
about what the actual wording said and means, and not be satisfied with
assurances that the treaty would or would not be used for particular
purposes.  "Watch the final wording like hawks, and lobby furiously both at
the international level and the national level".

Next John McHugh spoke and expressed his concern that some of the
information disclosure stuff could affect the likes of CERT.  Around that
time, I had to leave for my plane.

My own feeling at present is one of uncertainty.  I want to have our
lawyers review the current wording, rather than take DOJ's word for it.  I
have some instances of the potentially contraband items on my laptop as I
write this, as I'm sure many of us do.  I'm not yet reassured that my
ability to do that will continue.


Stuart Staniford  ---  President  ---  Silicon Defense
(707) 445-4355                     (707) 445-4222 (FAX)

Page Last Updated or Reviewed: May 22, 2007