FC: US-Europe cybercrime treaty happening in secret --M.Wessling

[Declan McCullagh <declan () well com>]

************

[The following note says a draft treaty would outlaw distributing (think: 
posting on your web site) hacking and eavesdropping tools, including 
presumably ones that are currently readily available like crack and 
tcpdump. I wonder if there will be a grandfather clause for the version of 
crack I compiled in 1992? If not, does this mean I'll be a criminal if I 
lend a CDROM with my hard drive archive to a friend? Hmmm. --Declan]

***********

To: declan () well com
Subject: Bogus cybercrime treaty happening in secret
Date: Thu, 13 Jan 2000 06:37:49 -0800
From: John Gilmore <gnu () toad com>


Date: Thu, 13 Jan 2000 15:23:17 +0100 (CET)
From: Maurice Wessling <maurice () xs4all nl>
Subject: cybercrime treaty

I've just submitted this to slashdot. Many people on this list will have
to worry about it. It will make your job a lot more difficult.
maurice

The Council of Europe is preparing a so-called "Cybercrime"
treaty. European countries, the USA, Canada, Japan and
South Africa are involved in the talks. There is no draft
made public but a letter of the Dutch minister of Justice to
the Dutch parliament is mentioning some of the details of
what is discussed during the negotiations about the treaty.
The draft is prepared by an ad-hoc group of experts
(PC-CY) who will have to finish their work by the end of
2000. There is only a Dutch language version of the letter
(if you can read Dutch, I've put it on
http://www.bof.nl/cybercrime_treaty.pdf
One part of the treaty is of particular interest to Slashdot
readers. The treaty will outlaw hacking tools. A summary
(not a word-by-word translation):
<treaty>
Protection against so-called CIA-crimes (confidentiality,
integrity and availability) of public and closed networks
and systems: computer hacking, unauthorized eavesdropping,
unauthorized changing or destroying of data (either stored
or in transport). In discussion are also denial of service
attacks to public and private networks and systems. This
will probably not cover spam.
The treaty will outlaw the production, making available or
distribution of hardware and software tools to do the
above-mentioned (hacking, denial of service, eavesdropping,
etc.). The letter does not mention the possession of these
tools.
The treaty will also outlaw sites with lists of passwords or
codes that give unauthorized access to computer systems
(this is not about copyright related serials and cracks).
The letter explicitly points out that as a result of this
treaty countries that wish to implement digital wiretapping
or the use of hacking tools by law enforcement need to
implement that in their national legislation.
</treaty>
This definitely sounds like a bad idea. The public will get
a false sense of safety, security experts can not do their
work and software producers and system administrators will
loose an important stimulation to improve the quality of
their work.
Other points in the treaty:
<treaty>
illegal content
There is only agreement upon child pornography.
The countries involved could not agree upon racist speech
and pornography in general. European countries wanted to
include racist speech but the USA blocked this. On the other
hand, European countries did not want to include pornography
in general as some others wanted to (the letter doesn't
mention who).
Child pornography is defined here as "the realistic
depiction of a child involved in sexual behavior". It does
not matter if children were actually involved in the
fabrication of the material. It explicitly includes material
with adult actors impersonating as children or computer
animations. Cartoons with a non-realistic character are not
included in the definition.
The letter states a broad international consensus about this
definition.

email
The treaty defines the procedures of investigating the
content of email. The treaty tries to follow regimes for
search warrants when email is stored and warrants for
tapping of telecommunication when email is in transport.
Under circumstances (not further explained in the letter)
the person subject of a search warrant which involves stored
email can be ordered to keep the search secret to prevent
damage to the further investigation.

border crossing aspects of computer and network search
warrants
Law enforcement can not cross borders during the search of a
computer network. The draft outlines a procedure in which an
official request is necessary to the other country to
complete the search. All members of treaty will establish a
national contact point where such request can be handled
fast. In most cases this will be the Interpol contact point.
Discussions are ongoing about accessing a computer in
another country to which the person that gets the warrant
already has authorized access. Is that a border crossing of
law enforcement competence? Do the authorities in the other
country need to be informed?
There is no agreement yet about the status of information
that was accidentally gathered from systems in other
countries during a network search. One possibility is that
that country gets a veto right on the use of that
information.

preservation order to admins of public or private networks
The treaty will define a preservation order that can be
given to the admin of the public or private network. Such an
order is intended to log traffic data (not content) that
would normally be lost immediately or as soon as that data
is not important anymore for the maintenance of the network
(according to privacy rules).

tapping
The treaty will force countries to implement digital
wiretapping into their national laws. Both of public and
private networks.
As the Netherlands already have digital wiretapping laws
this section is not discussed extensively in the letter.
</treaty>


--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo () vorlon mit edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------