[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [CVEPRI] Please Vote on Text of CyberCrime Treaty Statement v 5.5



Accept

-----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Thursday, May 11, 2000 9:29 PM
To: cve-editorial-board-list@lists.mitre.org
Subject: [CVEPRI] Please Vote on Text of CyberCrime Treaty Statement
v5.5


All,

Please vote on the current text of the CyberCrime treaty statement,
included below, which I've labeled v5.5 (just in case it doesn't turn
out to be the "final").  This is *NOT* a vote on how we will present
signatures and organizational affiliations, as that issue is still
under discussion and can be separated from the actual text.

Since the list has been quiet about edits in the last day and a half,
this is the only concrete way to be certain that the Board is ready to
bless this statement and agree to a "final copy" to use to draw
support from outside the Board.

Please send one of the following votes to me and Dave Mann
(dmann@bindview.com), or to the Editorial Board list:

ACCEPT - accept text as recorded

MODIFY - make modifications.  Please send any MODIFY votes to the
         list.  However, at this time you are strongly urged not to
         suggest minor modifications that could be labeled "pedantic
         wordsmithing" :-)

NOOP - use this if you wish to abstain from voting.

REJECT - use this vote at your own risk ;-)


It is requested that you send your vote by Tuesday, May 16.  If a
"final decision" can be made at that time, I'll announce it.

I will gather and count the votes.  Of the 26 organizations
represented on the Board, 21 have established that they are aware of
this issue.

It seems reasonable to require a minimum of 16 ACCEPT votes, which
would be 75% of the "active" Board member organizations, and 60% of
all Board member organizations.

Note that I will be unavailable for all or most of Friday, so if
you're voting then, please make sure that Dave Mann knows how you
voted.

- Steve


************** TEXT of CyberCrime Treaty Statement v5.5 **************

Greetings:

As leading security practitioners, educators, vendors, and users of
information security, we wish to register our misgivings about the
Council of Europe draft treaty on Crime in Cyberspace.

We are concerned that portions of the proposed treaty may result in
criminalizing techniques and software commonly used to make computer
systems resistant to attack.  Signatory states passing legislation to
implement the treaty may endanger the security of their computer
systems because computer users in those countries will not be able to
adequately protect their computer systems and the education of
information protection specialists will be hindered.

Critical to the protection of computer systems and infrastructure is
the ability to
* Test software for weaknesses
* Verify the presence of defects in computer systems
* Exchange vulnerability information

System administrators, researchers, consultants and companies all
routinely develop, use, and share software designed to exercise known
and suspected vulnerabilities.  Academic institutions use these
tools to educate students and in research to develop improved
defenses.  Our combined experience suggests that it is impossible
to reliably distinguish software used in computer crime from that
used for these legitimate purposes.  In fact, they are often
identical.

Currently, article 6 of the draft treaty is vague regarding the use,
distribution, and possession of software that could be used to
violate the security of computer systems.  We agree that damaging or
breaking into computer systems is wrong and we unequivocally support
laws against such inappropriate behavior.  We affirm that a goal of the
treaty and resulting legislation should  be to permit the development
and application of good security measures.  However, legislation that
criminalizes security software development, distribution and use
is counter to that goal, as it would adversely impact security
practitioners, researchers, and educators.

Therefore, we respectfully request that the treaty drafters remove
section a.1 from article 6, and modify section b accordingly; the
articles on computer intrusion and damage (viz., articles 1-5) are
already sufficient to proscribe any improper use of security-related
software or information.

Please do not hesitate to call on us for technical advice in your
future deliberations.

Signed,


[** signatures, affiliations, and disclaimers deleted - still under
discussion **]

Page Last Updated or Reviewed: May 22, 2007