Re: Second draft of CyberCrime Treaty Statement
Some comments embedded. Keep in mind that shorter is better.
At 10:58 AM -0400 5/10/00, Adam Shostack wrote:
>Dear <treaty drafters>
>We are a group of security experts who participate in the Common
... group of security professionals, leading academics, and industry
>Vulnerabilities and Exposures Initiative. This project is a
>collaboration between a range of responsible computer security experts
>and companies to develop a common industry-wide set of names for the
common, industry-wide nomenclature for the ...
>many different vulnerabilities known in computer systems. As such, we
>represent a cross-section of the technical community which works on
community that works on
>computer security vulnerabilities.
>As security experts, we have some technical concerns with respect to
>Article 6, which appears to be vague with respect to the use,
As experts, educators, and practitioners of information security, we
wish to register our concerns about the Council of Europe draft
treaty on Crime in Cyberspace. In brief, we believe that the
portions of the proposed treaty are vague or counter to accepted
practice. The wording may actually result in criminalizing behavior
and tools that are commonly used in education and protection of
computer systems. If member states implement the provisions of the
treaty and supporting legislation, the result is likely to be a
reduction in the overall security and protection of computer systems
in those locations.
In particular, we find Article 6 to be vague with respect to issues of use,
>distribution, or possession of software that could be used to violate
>the security of computer systems. We note that it is critically
>important to the advancement of science and engineering techniques for
>computer security professionals to be able to test software looking
....to be able to test software for new vulnerabilities....
>for new vulnerabilitities, determine the presence of known
>vulnerabilities in existing systems, and exchange information about
>such vulnerabilities with each other. Therefore, most professionals
>and companies in this field routinely develop, use, and share scripts
>and programs designed to exploit vulnerabilities. In addition, these
>exploits are often included in commercial tools used by systems
>administrators and security experts to test the security of their
>systems. It is technically very difficult or impossible to
....systems. Academic institutions also use these tools and
techniques in education of students and in research efforts to
develop new and better defenses. Our experience has shown that it
is impossible to reliably distinguish every instance of a tool used
in computer crime from tools used for the above purposes.
Furthermore, important tools....
>important tools and techniques are regularly revealed by previously
>unknown individuals or groups. To criminalize their research and
>educational activities would be to slow the important progress of
>computer security research. We do not intend to challenge the idea
...progress of information security research. We are very concerned
that the draft treaty, and legislation that might flow from it, not
be drafted so as to impede the development and application of good
security measures. We are strongly in favor of criminalizing
inappropriate behavior, but we urge the Council to avoid
criminalizing the development, use, and distribution of tools that
are important to professionals -- in commerce, academia, and
government -- working to prevent misuse.
>(Should we mention Stackguard here? It wouldn't be available without
>We are concerned that Article 6 may prevent, impede, or criminalize
>such responsible development and use of exploit tools. This would
>greatly limit the ability of systems and security administrators to
>test and validate the security of their systems, either through the
>use of freely available research tools, or with commercial tools, as
>are sold by several of the organizations involved with CVE.
...or with commercial tools. [Whether they use CVE or not....]
>We ask that the treaty drafters recognize the legitimate and important
>role that the creation of demonstration code plays in advancing the
>security field. We ask that the treaty be re-worked so as to not
>chill or limit ethical and important research.
Drop this paragraph. The request is implicit.
>If, instead, the treaty is used to ban any use of exploit tools, we
>fear that this will be very counter-productive. Since computer
>criminals are currently largely beyond the reach of effective law
>enforcement, they will not be much impacted by new laws banning their
Drop this paragraph. It is implicit.
>(I think that this language is counterproductive, and suggest:
>If the treaty causes to be banned the creation or use of exploit
>tools, without recognition of their valuable role, then communication
>and research will be stifled, and many young security enthusiasts who
>today behave unethically will be made into criminals, and lose their
>opportunity to mature and grow into valuable members of the
>community. We urge that appropriate laws criminalizing the misuse of
>such tools replace the ownership or creation clauses. )
>We urge that appropriate laws criminalizing the misuse of
>such tools replace the ownership or creation clauses, and further that
>the Council fund research into ways to encourage companies to produce
>more secure software, such as, but not limited to, recinding warranty
>law exemptions, requiring recalls of bad software, etc.
Another concern we have is the notion of "making available" as
expressed in footnote 13 to Article 9.1.a. Many of us have had
experiences where we have established hyperlinks on our WWW pages to
point to useful or amusing sites, only to have those sites later
replaced with other material without our knowledge. Furthermore,
the general state of security is such that a person or organization's
web site could be altered by malfeasors so as to point to sites
containing inappropriate material without the site owner's knowledge
or intent. This will particularly be a problem in countries where
the criminal code provides that offense is presumed and innocence
must be proven: persons with malicious intent could alter WWW sites
to point to sites with proscribed content and then "denounce" the
site owners. As with our previous comments, we urge the Council to
write the treaty so as to make illegal the end behavior (provision
and traffic in proscribed materials), but not the instrumentality
(e.g., hyperlinks) that might be used in some cases to violate those
We would be happy to provide additional feedback if you should request it.