v 5.2 (from Stuart)
Andre's last is great. This is my best experience ever of collaborative
Here's another version with very minor wordsmithing to remove a couple
of grammatical infelicities. Only substantial changes are:
* add "and open-source" after "commercial" in re software.
Dear <treaty drafters>:
As experts, educators, and practitioners of information security, we
register our concerns about the Council of Europe draft treaty on Crime
Cyberspace. Portions of the proposed treaty may result in criminalizing
techniques and software commonly used to make computer systems resistant
attack. Signatory states passing legislation to implement the treaty
endanger the security of their computer systems. Professionals will not
able to adequately protect computer systems, and education of the next
generation of information protection specialists will be hindered.
Critical to the protection of computer systems and infrastructure is the
ability to test software for vulnerabilities, verify the presence of
vulnerabilities in existing systems, and exchange vulnerability
Professionals and companies routinely develop, use, and share software
designed to exploit vulnerabilities. Commercial and open-source tools
for system administrators and security experts include software that
exploits vulnerabilities. Academic institutions use this software to
educate students and in research to develop and improve defenses.
Our experience suggests that it is impossible to reliably distinguish
software used in computer crime from that used for legitimate purposes.
Article 6 of the treaty is vague regarding the use, distribution, or
possession of software that could be used to violate the security of
computer systems. Legislation that criminalizes exploit software use
would adversely impact security practitioners, researchers, and
educators. Article 6 would throttle important progress in computer
security research and engineering.
We agree that breaking into computer systems is wrong and are strongly
favor of criminalizing inappropriate behavior. Our goal is for the
and resulting legislation to permit the development and application of
security measures. We urge the Council to avoid criminalizing the
development, use, and distribution of software important to those of us
working to prevent misuse.
We request that the treaty drafters specifically recognize legitimate
computer security activities and permit the creation and public
dissemination of software and techniques used to study and verify
security vulnerabilities. Moreover, we urge that appropriate laws
criminalizing software misuse replace the ownership or creation clauses
"Organizational affiliations are listed for identification purposes
and do not necessarily reflect the official opinion of the affiliated
Stuart Staniford --- President --- Silicon Defense
(707) 445-4355 (707) 445-4222 (FAX)