Council of Europe Cybercrime Treaty Analysis (continued)

It is obvious that Article 6 is aimed at a certain list of freeware tools such as Nmap, SAINT/SATAN, Ethereal, Cracker Jack, and others. It also seems clear that these tools will still be available for "legitimate" use. What constitutes legitimate use? Almost all of these tools are created, updated, and made available under the assumption that they are for educational or other legitimate purposes. I cannot think of a time when I have ever seen, "Take this tool and hack other people's systems." The only plausible explanation is that the Council is attempting to make these tools only available to professionals. If only professionals are going to be allowed to use these tools, how is it going to be determined who is qualified to use them? Are security professionals going to need to be licensed?

Most companies are finally realizing the need for strong security and adequate testing procedures. Some companies even arrange legitimate hacking events called wargames to test their systems, and offer cash rewards for any security flaws found. In my opinion this is the ultimate test you can put your software through next to releasing your source. This could no longer be possible if the tools used in these wargames were made illegal to the everyday user.

This, to my knowledge, is the first time an organization that claims to be founded on civil rights has attempted to dictate who is allowed to have access to certain software. This could set a very scary standard.

With more and more home users using high speed connections and static IP addresses, such as some DSL connections offer, many users no longer want to put up with having to rely on free services that flood your web site or email with ads and banners and place restrictions on content and amount of storage. Article 6 would make it nearly impossible for someone to run a relatively secure web site or mail server from home.
Without the tools needed to do at least some basic security checks, people will either not host their own page or, worse, they will host their own page with little or no regard for security. These are exactly the types of machines malicious hackers like to search out and turn into "zombies" for use in denial of service attacks.

Then there are all of us "hackers", the true target of Article 6. I always cringe when having to use this word, because of the continued misuse of it in the media. Hacking is not illegal. I, like many others, have studied network security and system penetration as a hobby for a number of years. I have used many different "hacker" tools, and have never done anything illegal and I have no intention to. There are plenty of opportunities to hack without breaking the law. Many of these opportunities even tell you that if you can gain control of their server you can do anything you want with it for as long as you can maintain control and keep others out. This teaches defense as well as attack.

Hacking is like anything else that requires knowledge and a certain set of skills. There are always people that are going to abuse this knowledge. Attempting to obliterate an act completely by removing the tools and knowledge needed to perform the act does not solve the problem. If someone is hell-bent on defacing a website and is willing to take the risk of getting caught, they are not going to care that they are using "illegal devices" to do it.

How would such a law be enforced, anyway? Would it just be one more thing that could be used to tack on more jail time when convicting a malicious hacker? I doubt most governments, publicly, would try and come up with some way to scan through computers for these hacker tools. A popular online game tried this not long ago. They told their customers that to continue playing, they would have to submit to having their hard drives scanned for specific tools that could be used to cheat the game. That did not go over well.
There was such an uproar, and so many people threatened to cancel their subscriptions and file lawsuits, that the company had to withdraw the idea.

Those of us in the United States may be wondering how this affects us. The U.S. is not part of the Council of Europe, and is not one of the few countries that are considered a "special guest", although they do often participate in the treaties. Apparently, the U.S. has some special interest in this treaty because the Department of Justice and FBI have aided in authoring this treaty. According to Article 33 the U.S. and other countries can sign the treaty without being a member of the Council. If the U.S. signs this treaty then Congress would be compelled to pass laws in the U.S. to hold up their end of the treaty, allowing the U.S. to circumvent our democratic process and the strong opposition there undoubtedly would be to some of these articles. Even if the U.S. does not sign the treaty, enough countries will sign to set an international standard for the issues mentioned in the treaty.

There are other articles like Article 14, dealing with the search and seizure of equipment, and Article 18, which deals with intercepting electronic communications and real time collection of data. These articles have little or no mention of due process and/or the individual/suspect's rights to privacy or their civil rights. These two articles deal with topics that are currently being hotly debated in the U.S. around issues dealing with the FBI's new toy, Carnivore, and the idea of being able to tap voice over IP conversations. Some government agencies would like nothing more than to have an international standard that would back them up when it comes time to set standards in our own country dealing with these issues.

I do not think I would be so worried about this if this was only the first draft or outline of the treaty, but the draft I examined was the 22nd draft and still there are these vague areas.
I would think that after 22 tries they would be able to be a little more specific. The fact that they have not nailed down these issues yet says to me that they have no intention to, and that they are looking for some gray areas in which to work.

I am not opposed to the idea of a treaty dealing with cyber crime, but the current version of the treaty is too vague and leaves too much room for abuse. I feel that fraud, forgery, copyright infringement, and especially child pornography need to be dealt with swiftly and sternly, and that law enforcement needs to be able to gather information to ensure that this is done, but the standards to deal with these issues need to be very carefully planned, and a person's civil rights and privacy should be first in the minds of those setting the standards.

You can find a copy of the 22nd draft of the Cybercrime Treaty here: http://press.coe.int/Index.asp?Link=CPE and a list of companies and civil rights groups that are opposing the current version of the treaty, with links to some news articles on the subject, here: http://www.gilc.org/privacy/coe-letter-1000.html