[ISN] Cybercrime Solution Has Bugs

From: William Knowles <wk_at_C4I.ORG>
Date: Wed 03 May 2000 - 17:48:51 CDT
http://www.wired.com/news/politics/0,1283,36047,00.html

by Declan McCullagh

3:00 a.m. May. 3, 2000 PDT

WASHINGTON -- U.S. and European police agencies will receive new
powers to investigate and prosecute computer crimes, according to a
preliminary draft of a treaty being circulated among over 40 nations.

The Council of Europe's 65KB proposal is designed to aid police in
investigations of online miscreants in cases where attacks or
intrusions cross national borders.

But the details of the "Draft Convention on Cybercrime" worry U.S.
civil libertarians. They warn that the plan would violate longstanding
privacy rights and grant the government far too much power.

The proposal, which is expected to be finalized by December 2000 and
appears to be the first computer crime treaty, would:

  Make it a crime to create, download, or post on a website any
  computer program that is "designed or adapted" primarily to gain
  access to a computer system without permission. Also banned is
  software designed to interfere with the "functioning of a computer
  system" by deleting or altering data.

  Allow authorities to order someone to reveal his or her
  passphrase for an encryption key. According to a recent
  survey, only Singapore and Malaysia have enacted such a
  requirement into law, and experts say that in the United States
  it could run afoul of constitutional protections against
  self-incrimination.

  Internationalize a U.S. law that makes it a crime to possess
  even digital images that "appear" to represent children's genitals
  or children engaged in sexual conduct. Linking to such a site also
  would be a crime.

  Require websites and Internet providers to collect information
  about their users, a rule that would potentially limit
  anonymous remailers.

U.S. law enforcement officials helped to write the document, which was
released for public comment last Thursday, and the Justice Department
is expected to urge the Senate to approve it next year. Other
non-European countries actively involved in negotiations include
Canada, Japan, and South Africa.

During recent testimony before Congress, Attorney General Janet Reno
warned of international computer crime, a claim that gained more
credibility last month with the arrest of alleged denial-of-service
culprit Mafiaboy in Canada.

"The damage that can be done by somebody sitting halfway around the
world is immense. We have got to be able to trace them, and we have
made real progress with our discussions with our colleagues in the G-8
and in the Council of Europe," Reno told a Senate appropriations
subcommittee in February, the week after the denial-of-service attacks
took place.

"Some countries have weak laws, or no laws, against computer crimes,
creating a major obstacle to solving and to prosecuting computer
crimes. I am quite concerned that one or more nations will become
'safe havens' for cyber-criminals," Reno said.

Civil libertarians say the Justice Department will try to pressure the
Senate to approve the treaty even if it violates Americans' privacy
rights.

"The Council of Europe in this case has just been taken over by the
U.S. Justice Department and is only considering law enforcement
demands," says Dave Banisar, co-author of The Electronic Privacy
Papers. "They're using one more international organization to launder
U.S. policy."

Banisar says Article 6 of the measure, titled "Illegal Devices," could
ban commonplace network security tools like crack and nmap, which is
included with Linux as a standard utility. "Companies would be able to
criminalize people who reveal security holes about their products,"
Banisar said.

"I think it's dangerous for the Internet," says Barry Steinhardt,
associate director of the American Civil Liberties Union and a founder
of the Global Internet Liberty Campaign. "I think it will interfere
with the ability to speak anonymously."

"It will interfere with the ability of hackers -- using that term in a
favorable light -- to test their own security and the security of
others," Steinhardt said.

Solveig Singleton, director of information studies at the libertarian
Cato Institute, says it's likely -- although because of the vague
language not certain -- that anonymous remailers will be imperiled.

The draft document says countries must pass laws to "ensure the
expeditious preservation of that traffic data, regardless whether one
or more service providers were involved in the transmission of that
communication." A service provider is defined as any entity that sends
or receives electronic communications.

Representing the U.S. in the drafting process is the Justice
Department's Computer Crime and Intellectual Property section, which
chairs the G-8 subgroup on high-tech crime and also is involved with a
cybercrime project at the Organization of American States. In December
1997 Reno convened the first meeting on computer crime of the G-8
nations.

A recent White House working group, which includes representatives
from the Justice Department, FBI, and Secret Service, has called for
restrictions on anonymity online, saying it can provide criminals with
an impenetrable shield. So has a report from a committee of the
European Parliament.

Other portions of the treaty include fairly detailed descriptions of
extradition procedures and requirements for countries to establish
around-the-clock computer-crime centers that police groups in other
countries may contact for immediate help.

The Council of Europe is not affiliated with the European Union, and
includes over 40 member nations, including Russia, which joined in
1996.

After the Council of Europe's expert group finalizes the proposed
treaty, the full committee of ministers must adopt the text. Then it
will be sent to countries for their signatures. Comments can be sent
to daj@coe.int.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

Received on Wed May 3 22:07 CDT 2000