Nmap Announce mailing list archives

RE: Draft Convention on Cybercrime


From: Marjorie Simmons <lawyer () usit net>
Date: Sat, 3 Jun 2000 17:16:21 -0400


With my lawyer's hat on (I am a lawyer), I agree with Dale. 
It bears pointing out also that, as some of the posts in this 
thread are from US citizens, the US is not a member of the 
Council whose draft of a proposed legal-consortium this is, 
and this type of attempt at sweeping, all-inclusive legislative 
one-size-fits-all action is one reason. (Nor, for that matter, 
are Canada or Japan members, amongst others.)

The focus of criminal law, in most countries, is based on 
conceptions of what constitutes an intentional, wrongful 
act that surpasses mere negligence (a tort).  Inadvertent 
actions lack the requisite and primary factor of intent. Some 
acts may be adjudged criminal while lacking actual intent, 
as intent may be inferred given an individual set of facts & 
circumstances.  Therefore, in any discussion of the proposed 
criminalization of scanning tools, one must look to (1) the 
tool's designed purpose -- for which Fyodor must be consulted, 
(2) to the reasonability of its use for that purpose given the 
tool's stated design purpose, which may be inferred from the 
tool's contemporary employment by systems people the 
world 'round, and (3) the tool's actual use within the scope 
of a wrongful act.

In the US, Nmap as it stands now, is as any tool which has a 
useful, non-criminal purpose, which yet may be employed as 
a tool within the array of tools used by someone who commits 
a criminal act.  I could kill someone with a toaster as well as 
with a knife, but the character of neither item bears an outright 
ban on its use, possession, or transfer.  A gun, on the other hand, 
is designed for the primary purpose of killing, and as such, is 
subject to rather stringent governmental controls in most 
countries.  Nmap is a tool that is in between knives and guns: 
it has the capacity to be used in an active fashion that may 
injure, and the designed purpose for use in a passive fashion 
that simply identifies and logs activity at the doors of a given 
system in order to alert and provide data for strengthening a 
vulnerable system.

I expect when the dust settles, the Council's efforts will, after 
much revision and some partially successful implementation & 
litigation, effect controls on such tools that are more stringent 
in some European countries than in others, but that does not 
ultimately ban them outright in all cases.

As far as Nmap is concerned, what is needed is a PR campaign 
that substantiates its rightful place amongst the respected 
toolbox items in general use of any competent systems person 
or security organization. Taking a proactive stance in this way 
now will go a long way toward staving off governmental attempts 
to criminalize it conceptually by those who lack the technical 
ability to differentiate it from "guns". 

Just my .02.

Marjorie

Marjorie Simmons, Esq.
lawyer () usit net
~~~~~~~~~~


The Act

On Saturday, June 03, 2000 10:45 am, dhaag [SMTP:dhaag () net-defender net] wrote:
I have watched this thread and have to interject in order to make a few
points clear to everyone.

All of us that use nmap would NOT be in trouble...only the author, the
web/ftp site and possibly this mailing list.

Dead Wrong.  No more than a library is guilty of terrorism because it has
books on terrorism.  The Constitution and its Amendments supersede and apply
here. The author is not, and could not be found to be, guilty of anything,
as long as the program or software was not "specifically" designed to be
used in a criminal activity as defined in the act.

Quote:
a device, including a computer program, designed or adapted [specifically]
[primarily] [particularly] for the purpose of committing any of the offences
established in accordance with Article 2 - 5;

The above offense and the definition below would say that making nmap and
putting on a website for download would fit under the definition of "dolus
eventualis" -- also known in Homer Simpson terms as "Doh!".  There's no way
that an author or web/ftp site could say "well gee, we didn't think it would
be used for bad purposes".  It's only a little bit of a stretch to say that
a mailing list is a "piece of software" that educates users how to do bad
things (note -- I'm not talking about majordomo here...but the specific
mailing list).  Hacker websites would most certainly be targeted.

Wrong again.  NMap, to the best of my knowledge, is not [specifically]
[primarily][particularly] designed or intended to commit any of the offences
listed.  It is a security review tool for legal use by authorized
individuals in the maintenance and upkeep of their network and systems.  The
same as other products that assist in network tuning, such as NetXray,
Openview, ISS Security Scanner, and a plethora of others. List groups that
discuss the software or technology, as well as "hacker sites" that do not
promote the software for illegal purposes would not be affected. This is
covered under the 1st amendment.


(6) In the understanding of certain members of the Drafting Group, "intent"
may also cover "dolus eventualis". For common law countries, this notion
would be similar to "recklessness", i.e. that a person is aware of the high
risk that a certain result may occur and knowingly accepts it. The Drafting
Group agreed that the interpretation of "intent" should be left to national
laws, but it should not, where possible, exclude "dolus eventualis".

Whether or not this ever makes it into the act is totally irrelevant. The
courts would not allow it to be used in a prosecution due to "breadth of
scope" and vagueness.  "Dolus Eventualis" would never fly, if it did, one
could also apply Dolus Eventualis in across the board litigation. As an
example, you buy a new car - you drive the new car - you have an accident in
the new car and are injured severely - you cannot sue the manufacturer using
Dolus Eventualis as a basis, even though the manufacturer was aware of the
high risk that a certain result ( injurious accidents ) would occur, and
knowingly accepted the risk by continuing to manufacture automobiles. Just
imagine the class actions that could be pursued on something so broad and
vague as Dolus Eventualis.

As in any "Draft" there is much to be hashed out.  And, just because it may
or may not become Law, it still has to stand the test before the courts.
Which, in its present state, it would not do.


Just my two cents worth.


Dale Haag
CCSA/CCSE/CCSI/CNTE/CIE/CFE/CCI/CFT/VCS/CSI/ICSA/ISSA/HTCIA/HTCN/HTCC
President
Net-Defender
Seabrook, TX 77586
(281) 532-1488 voice
(877)733-5451 fax
http://www.net-defender.net




--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).



