5th Draft - CyberCrime Treaty Statement
Below is the 5th version and the last that I can handle today.

This version was produced by Matt Bishop. Mostly just wordsmithing to shorten and clarify several points. IMO, I think it could stand further shortening but I don't have time left today to devote to it.

Could others also continue to place version numbers on their edits so that we can track the changes?

Thanks!

Dave

--
==============================================================
Dave Mann                || e-mail: email@example.com
Senior Security Analyst  || phone:  508-485-7737 x254
BindView Corporation     || fax:    508-485-0737
==============================================================

Dear <treaty drafters>

We are a group of security experts who participate in the Common Vulnerabilities and Exposures Initiative. This project is a collaboration between a broad range of responsible computer security experts and companies to develop a common industry-wide set of names for the many different vulnerabilities known in computer systems. As such, we represent a cross-section of the technical community that works on computer security vulnerabilities.

As experts, educators, and practitioners of information security, we wish to register our concerns about the Council of Europe draft treaty on Crime in Cyberspace. Portions of the proposed treaty may result in criminalizing practices and tools commonly used in making computer systems resistant to attack. If signatory states pass legislation to implement the treaty, they will endanger the security of their computer systems because professionals will not be able to protect those systems adequately. They will also hinder the education of the next generation of information protection specialists.

Critical to the protection of computer systems and infrastructure is the ability to test software for new vulnerabilities, determine the presence of known vulnerabilities in existing systems, and exchange information about such vulnerabilities. Professionals and companies routinely develop, use, and share tools designed to exploit vulnerabilities. Commercial tools for system administrators and security experts include these exploit tools. Academic institutions use these tools and techniques to educate students and in research to develop new and better defenses.

Our experience convinces us that it is impossible to reliably distinguish between tools used in computer crime and instances of tools used for the legitimate purposes described above. Article 6 of the treaty is vague with respect to issues of use, distribution, or possession of software that could be used to violate the security of computer systems. Enabling legislation that criminalized tools or their uses would affect practitioners, researchers, and teachers, and would slow the important progress of computer security research.

We agree that breaking into computer systems is wrong. But, we do not want the treaty, and the resulting legislation, to impede the development and application of good security measures. We are strongly in favor of criminalizing inappropriate behavior, but we urge the Council to avoid criminalizing the development, use, and distribution of tools that are important to professionals -- in commerce, academia, and government -- who are working to prevent misuse.

We ask that the treaty drafters specifically recognize the legitimate and important role that the creation and public dissemination of demonstration code plays in advancing the information security field. Moreover, we urge that appropriate laws criminalizing the misuse of such tools replace the ownership or creation clauses of the treaty.

Signed,

<name> <affiliation>

"Organizational affiliations are listed for identification purposes only, and do not necessarily reflect the official opinion of the affiliated organization."