Cybercrime Treaty

Council of Europe Cybercrime Treaty Analysis

If adopted, will its vague nature trample on your civil rights or protect you from villains on the net?


November 2, 2000

by Jason Wallace

I recently learned about the Cybercrime Treaty that is attempting to be signed by the Council of Europe. I also learned that a large number of companies involved with Internet privacy and security, alongside many civil rights groups, have taken up arms against it. I decided to dig into the issue a bit further. What I found was alarming and quite disturbing.

The Council of Europe is made up of most of the European countries, a few countries bordering Europe, and some "special guests", 41 countries in all. Its purpose is to establish a common ground for its members to work within when dealing with each other in certain international matters. It claims on its website to be "A statue built on human rights."

The Cybercrime Treaty is made up of 43 articles. These articles attempt to set standards for dealing with a number of issues, ranging from the illegal access of computer systems, interception and interference of data, computer-related fraud, and child pornography to the real-time collection of evidence and extradition of suspects.

Many of the articles, such as Article 7 dealing with forgery, 8 dealing with fraud, and 9, which deals with child pornography, are straightforward and have little effect on the everyday user who is not already doing something illegal. However, some of the articles are vague and could be used to infringe on the privacy of many Internet users.

Article 6 is one of these vague articles. Article 6 attempts to force the signers of the treaty to pass laws making it illegal to have, produce, sell, or make available what they call "illegal devices." The treaty defines "illegal devices" as anything, including programs, passwords, and "access codes", that can be used to gain illegal access to computer systems, intercept and interfere with data, or interfere with a computer system. Although not specifically mentioned, some have also said this could affect forms of media used to publicly publish security flaws.

Article 6 is vague in two very important areas. The wording of this article is at first unclear about who, if anyone, is allowed to use such technology, and whether it is aimed at just freeware or at commercial software also. The use of the word "sell" in the article seemed to indicate that this could have ramifications for commercial security software as well as freeware tools, but all of the companies who have taken a stand against this treaty offer some version of their software for free. I have not heard of a completely commercial company openly opposing this treaty, and that seemed a bit odd.

The overall wording of the article seemed at first to lead me to believe that these "devices" would be illegal for everyone. This did not seem to be a smart move either. Many security professionals use commercial software and freeware tools to test their systems. This only makes sense, because these are the tools that they are going to have to defend against. Few malicious hackers are willing to pay a high price for commercial software when they can use something that is freely available, open source, and in many cases works just as well as commercial software. It is very advantageous for a security professional to see how these freeware tools affect their defenses before an attack occurs.

I went back to the treaty and read through Article 6 again. This time I noticed the footnotes at the bottom of the article. This footnote was added because of concerns from some security professionals. The footnote states, "...that the so-called "cracking-devices", to which Article 6 applies, may also be used legitimately to test system security," and goes on to say, "...when undertaken with such legitimate purposes, would be considered to be "with right"." You can see the quotes in full context by reading the treaty at the link I have provided.
