[BOARD] Status of CyberCrime treaty statement
Spaf asked about the status of the CyberCrime treaty statement. Below
is an update from Gary Gagnon, followed by a description of what we
will do next:
>We have completed the web site ready for public release. We have been
>discussing this with attorneys to validate our understanding of the
>treaty and concerns. In addition, we have also discussed our concerns
>with key government personnel. This past Friday, MITRE's corporate
>attorney and I spoke to Martha Stansell-Gamm, the US Department of
>Justice Section Chief responsible for the US delegations drafting the
>treaty. DoJ has convinced me and our attorney that treaty drafters
>have adequately addressed this issue. In particular, Article 6 has
>two sections "a", both of which must hold true to be a criminal
>offense (emphasis added):
> "Each Party shall adopt such legislative and other measures as may be
> necessary to establish as criminal offences under its domestic law
> when committed intentionally and without right:
> a.THE PRODUCTION, SALE, PROCUREMENT FOR USE, IMPORT, DISTRIBUTION OR
> OTHERWISE MAKING AVAILABLE OF:
> 1.a device, including a computer program, designed or adapted
> [specifically] [primarily] [particularly] for the purpose of
> committing any of the offences established in accordance with
> Article 2 – 5;
> 2.a computer password, access code, or similar data by which the
> whole or any part of a computer system is capable of being accessed
> with intent that it be used for the purpose of committing the
> offences established in Articles 2 - 5;
> a.the possession of an item referred to in paragraphs (a)(1) and (2)
> above, WITH INTENT THAT IT BE USED FOR THE PURPOSE OF COMMITTING THE
> OFFENSES ESTABLISHED IN ARTICLES 2 -5. A party may require by law
> that a number of such items be possessed before criminal liability
> attaches. "
>The way this was explained to me is that the possession (production,
>sale, distribution, etc) with the intent to commit the offenses is
>what the treaty is recommending become a crime consistent across the
>member nations. DoJ recognized the difficulty proving the intent
>portion of this treaty language. In addition, I have re-read the
>summary of concerns by the CVE Editorial Board, and feel that based on
>the above the treaty language appropriately addressed them.
>Therefore, based on this legal review of the treaty language as well
>as personnel discussions with DoJ, we no longer feel this issue is of
>grave concern to the security professional community. We would recommend
>to NOT go forward with the letter and signature collection.

However, we recognize that some Editorial Board members may still wish
to move ahead with the statement, independently of DoJ's assurances
that such a treaty would not result in the criminalization of "white
hat" security activities.

To this end, we are doing the following:

1) We have scheduled a more detailed conversation with Gene Spafford
on Tuesday afternoon.

2) We will be packaging the web site up for transition to Gene
Spafford, who will take over the effort in the event that Board
members want to move forward with the statement.

More details will be available after our conversation with Spaf.