Nmap Announce mailing list archives

Re: Draft Convention on Cybercrime


From: Bart van Leeuwen <bart () ixori demon nl>
Date: Sat, 03 Jun 2000 00:38:54 +0200

Heh... looks like a good subject for a long and potentially spammy
thread ;-)


Below is my impression of this draft.
I am not a lawyer and do not have any official legal training. I do have
quite a bit of experience with legal issues however. 

My conclusion would be that nmap itself would not be illegal according
to this draft. There will be cases however where using or mere
possession of nmap can be illegal.

An imho interesting question is if this draft would make running a scan
against a system that is not owned by you and that you do not have
explicit permission to scan illegal. 

Matt Marnell wrote:

> Fyodor, nmap enthusiasts-
> 
> I was just wondering how you guys feel about the Draft Convention on Cybercrime being circulated throughout roughly 
> 40 countries for approval (including the US)?  In it, certain "Illegal Devices" are banned entirely, the definition 
> of which encompasses utilities such as nmap (Article 6).

As far as I understand the convention does not ban such tools entirely.
It bans such tools if the primary or sole design purpose of the tool is
to perform an offense as defined by the draft. It also bans possessing
and using such tools if, and only if, they are used to perform such
offenses as described in the draft (regardless of the primary design
purpose of the device).
It goes as far as suggesting that local laws should be drafted carefully
to ensure it's only illegal when used for illegal purposes, or at least
require possession of multiple different devices.

I would argue that nmap's primary purpose is not to perform such offenses
but rather to assist in determining if a system runs services which
might be vulnerable. This is an assessment tool, not a tool to commit an
offense. (actually I see how nmap might help to collect information with
the purpose of performing such an offense, but I fail to see how nmap
could in any way be used directly to perform such an offense)

Nevertheless, this part of the draft is quite worrying.
It will ban any sample exploits and as such severely limit
administrators and security personnel in their ability to determine if
their systems are vulnerable to a specific attack.

2 other worrying things that I want to mention are:
- seizure does not seem to take into account that in almost all cases
seizure of computer data is done by seizing the computer system(s)
containing the data. Combine this with the fact that in quite a few
western countries computers are becoming an essential thing to have in
order to be able to do banking, and some kinds of shopping. I think that
far stronger limits are required, esp. limits on duration of a seizure,
and on limiting the scope of a seizure to information relevant to a
potential crime. The current draft looks like it broadens the seizure
laws in many countries to an unreasonable level. The way the draft puts
it right now when applied to more traditional information basically allows
seizure of any information carrier in your house regardless of it being
related to a possible crime. If this already is allowed depends on local
laws and esp. on the interpretation of such laws. In many cases such
laws already allow for seizure of containers that have both related and
unrelated information in them, unless this information can be separated
easily on the spot. This is clearly a matter for interpretation.

- The part about government and crime investigation agencies being able
to require a company or individual to retain certain information which
normally is stored only temporarily if at all is impractical,
unenforceable, and places unreasonable cost and effort on often unrelated
parties. First it is impractical: Often such storage is temporary
because it is not physically possible (with reasonable cost) to store
such information because of limits on storage space. Unenforceable: In
many countries laws say that a suspect cannot be required to actively
collect or provide information that will be used to convict the suspect.
Unreasonable cost and effort can be required from a carrier or service
provider or individual. I believe it is up to the government to pay the
cost for collecting information for criminal investigation. This is one
of the reasons why people pay taxes. Why would people be required to
provide the means for this at their expense? Also, why would a carrier
be required to do the work of law enforcement people and pay for it as
well? This simply seems to be a government/crime investigation issue,
and putting it on the shoulders of civilians and companies is like
making them pay for something they already paid for.


You can check out the first revision of the treaty here:
http://conventions.coe.int/treaty/en/projets/cybercrime.htm

And you can give them feedback as well, don't hesitate to tell them what
you think! 
-- 
Bart van Leeuwen
-----------------------------------------------------------
 mailto:bart () ixori demon nl  -  http://www.ixori.demon.nl/
-----------------------------------------------------------
