Nmap Announce mailing list archives

Re: Draft Convention on Cybercrime


From: Jeff Simmons <jsimmons () goblin punk net>
Date: Sat, 3 Jun 2000 13:46:23 -0700 (PDT)

I've seen a lot of discussion about the specific language of such laws and
proposals, both here and elsewhere.  While interesting, I don't think it
is of much value.

Allow me to present the following highly cynical piece of flamebait
describing how the process actually works.

1)  A specific problem is identified, in this case the generic one of 
"cybercrime".  Persons and organizations affected by this problem wish
to remove the responsibility for solving it from themselves and place it
on the taxpayers.

2) The affected parties go to Washington (substitute here the power center
of your choice) to purchase a law.  During negotiations, the law will balloon
into a massive 'wish list' of things the purchasers would like the taxpayers
to do for them.  Many of these things will appear to violate previously
purchased laws, or previous decisions on constitutional rights. For examples,
see the DMCA and UCITA.

3)  In an attempt to maximize revenues, legislators will allow other 
interested parties to either purchase related/contravening laws, or purchase
alterations to the proposed law.  The final package will be totally 
incomprehensible to anyone, even the highly paid lawyers who wrote it.

4)  A few of these laws actually get enacted.  Most will die somewhere along
the way.  Once enacted, nobody will have a clue as to what the actual
consequences of the new law will be.  Despite the new law, business continues
as usual.

5)  In order to find out how this shiny new law actually works, a test case
will be selected.  This case will be carefully scrutinized by all parties
concerned in order to figure out how their brand new piece of legislation
will be interpreted by the only folks who matter, the courts.  Note that
this is the FIRST step in the process where decisions are made by people
who have no vested economic interest in the effects of the new law.  During
this period, parties with lots of money to throw around will be able to
use the threat of an expensive lawsuit/test case to stomp all over parties
who cannot afford to participate in the process.

6)  In the end, when the last question about the meaning of the new law has
been settled by a 5 to 4 decision of the Supreme Court, the final result
will be surprisingly intelligent.  Various compromises will have been made,
changes implemented, costs examined, funding allocated, etc.  While the tax
burden will increase, the economic effects will tend to benefit everyone.
This of course will be small consolation to the people whose lives,
businesses, and reputations were destroyed while the system slowly worked
its way to an acceptable conclusion (see Kevin Mitnick).

Bottom line?  Arguing about the meaning of some particular language in a 
proposed law ain't gonna do us any good.  Getting some input into the
process may.  I make a pretty good living building, maintaining, and securing
computer networks, and I'm perfectly willing to send some bucks to an
organization like the EFF to help fight the DeCSS thing.  And I've been
lucky enough that on occasion I've been able to speak to various groups
of people and try to explain what this computer security thing is all
about, and why open disclosure works far better than security by obscurity.

Those of us who are in any way involved with network security professionally
need someplace where we can put our money/mouths/efforts to try and get 
our side of things presented during this process.  Anybody got any
suggestions?

-- 
Jeff Simmons                                              jeff () punk net 
     Simmons Consulting - Network Engineering and Administration
Punknet - what happens when a bunch of computer geeks with way too much
        free time and free hardware get pissed off at their ISP.
"You guys, I don't hear any noise.  Are you sure you're doing it right?" 
               -- My Life With The Thrill Kill Kult

