Nmap Announce mailing list archives
Re: Draft Convention on Cybercrime
From: Bart van Leeuwen <bart () ixori demon nl>
Date: Sat, 03 Jun 2000 00:38:54 +0200
Heh... looks like a good subject for a long and potentially spammy thread ;-)

Below is my impression of this draft. I am not a lawyer and do not have any official legal training. I do have quite a bit of experience with legal issues however.

My conclusion would be that nmap itself would not be illegal according to this draft. There will be cases however where using or mere possession of nmap can be illegal. An imho interesting question is if this draft would make running a scan against a system that is not owned by you and that you do not have explicit permission to scan illegal.

Matt Marnell wrote:
Fyodor, nmap enthusiasts- I was just wondering how you guys feel about the Draft Convention on Cybercrime being circulated throughout roughly 40 countries for approval (including the US)? In it, certain "Illegal Devices" are banned entirely, the definition of which encompasses utilities such as nmap (Article 6).
As far as I understand the convention does not ban such tools entirely. It bans such tools if the primary or sole design purpose of the tool is to perform an offense as defined by the draft. It also bans possessing and using such tools if, and only if they are used to perform such offenses as described in the draft (regardless of the primary design purpose of the device). It goes as far as suggesting that local laws should be drafted carefully to ensure it's only illegal when used for illegal purposes, or at least require possession of multiple different devices.

I would argue that nmap's primary purpose is not to perform such offenses but rather to assist in determining if a system runs services which might be vulnerable. This is an assessment tool, not a tool to commit an offense. (actually I see how nmap might help to collect information with the purpose of performing such an offense, but I fail to see how nmap could in any way be used directly to perform such an offense)

Nevertheless, this part of the draft is quite worrying. It will ban any sample exploits and as such severely limit administrators and security personnel in their ability to determine if their systems are vulnerable to a specific attack.

2 other worrying things that I want to mention are:

- seizure does not seem to take into account that in almost all cases seizure of computer data is done by seizing the computer system(s) containing the data. Combine this with the fact that in quite a few western countries computers are becoming an essential thing to have in order to be able to do banking, and some kinds of shopping. I think that far stronger limits are required, esp. limits on duration of a seizure, and on limiting the scope of a seizure to information relevant to a potential crime. The current draft looks like it broadens the seizure laws in many countries to an unreasonable level.

  The way the draft puts it right now when applied to more traditional information basically allows seizure of any information carrier in your house regardless of it being related to a possible crime. If this already is allowed depends on local laws and esp. on the interpretation of such laws. In many cases such laws already allow for seizure of containers that have both related and unrelated information in them, unless this information can be separated easily on the spot. This is clearly a matter for interpretation.

- The part about government and crime investigation agencies being able to require a company or individual to retain certain information which normally is stored only temporarily if at all is impractical, unenforceable, and places unreasonable cost and effort on often unrelated parties.

  First it is impractical: Often such storage is temporary because it is not physically possible (with reasonable cost) to store such information because of limits on storage space.

  Unenforceable: In many countries laws say that a suspect cannot be required to actively collect or provide information that will be used to convict the suspect.

  Unreasonable cost and effort can be required from a carrier or service provider or individual. I believe it is up to the government to pay the cost for collecting information for criminal investigation. This is one of the reasons why people pay taxes. Why would people be required to provide the means for this at their expense? Also, why would a carrier be required to do the work of law enforcement people and pay for it as well? This simply seems to be a government/crime investigation issue, and putting it on the shoulders of civilians and companies is like making them pay for something they already paid for.
you can check out the first revision of the treaty here: http://conventions.coe.int/treaty/en/projets/cybercrime.htm
And you can give them feedback as well, don't hesitate to tell them what you think!

--
Bart van Leeuwen
-----------------------------------------------------------
mailto:bart () ixori demon nl - http://www.ixori.demon.nl/
-----------------------------------------------------------