RE: 5th Draft - CyberCrime Treaty Statement - 6
Resending as v6 at request of Dave Mann - edits in  now included.
Previous note left in so you can see what I changed.
> very minor changes in  - one striking out "next
> generation", since even older security professionals need
> education, and another adding the word 'authorized' in the
> next to last paragraph for emphasis.
Dear <treaty drafters>
We are a group of security experts who participate in the Common
Vulnerabilities and Exposures Initiative. This project is a
collaboration between a broad range of responsible computer security
experts and companies to develop a common industry-wide set of
names for the many different vulnerabilities known in computer
systems. As such, we represent a cross-section of the technical
community that works on computer security vulnerabilities.
As experts, educators, and practitioners of information security,
we wish to register our concerns about the Council of Europe draft
treaty on Crime in Cyberspace. Portions of the proposed treaty
may result in criminializing practices and tools commonly used in
making computer systems resistant to attack. If signatory states
pass legislation to implement the treaty, they will endanger the
security of their computer systems because professionals
will not be able to protect those systems adequately. They will
also hinder the education of information protection specialists.
Critical to the protection of computer systems and infrastructure
is the ability to test software for new vulnerabilitities, determine
the presence of known vulnerabilities in existing systems, and
exchange information about such vulnerabilities. Professionals
and companies routinely develop, use, and share tools designed to
exploit vulnerabilities. Commercial tools for system administrators
and security experts include these exploit tools. Academic
institutions use these tools and techniques to educate students and in
research to develop new and better defenses.
Our experience convinces us that impossible to reliably distinguish
between tools used in computer crime and instances of tools used
for the legitimate purposes described above.
Article 6 of the treat is vague with respect to issues of use,
distribution, or possession of software that could be used to
violate the security of computer systems. Enabling legislation
that criminalized tools or their uses would affect practitioners,
researchers, and teachers, and would slow the important progress
of computer security research.
We agree that breaking into computer systems is wrong. But, we do
not want the treaty, and the resulting legislation, to impede
the development and application of good security measures. We are
strongly in favor of criminalizing inappropriate behavior, but we
urge the Council to avoid criminalizing the development,
authorized use, and
distribution of tools that are important to professionals -- in
commerce, academia, and government -- who are working to prevent
We ask that the treaty drafters specifically recognize the
and important role that the creation and public dissemination of
demonstration code plays in advancing the information security
field. Moreover, we urge that appropriate laws criminalizing the
misuse of such tools replace the ownership or creation clauses of
"Organizational affiliations are listed for
identification purposes only, and do not necessarily reflect the
official opinion of the affiliated organization."