Slashdot Mirror


U.S. Considering Ratifying Cybercrime Treaty

waytoomuchcoffee writes "SecurityFocus has a new article on the Council of Europe's "Convention on Cybercrime". The U.S. has already signed the treaty, but it has not yet been ratified by the Senate (although President Bush has written a letter urging the treaty's passage). This treaty, among other items, would require the U.S. to "cooperate with foreign authorities" in conducting surveillance on American citizens who have committed no crime under U.S. law, but may have broken another country's law (selling historic Nazi posters on Ebay? Germany might have you wiretapped), prohibiting the "production, sale or distribution of hacking tools", whatever that means (would Nmap be illegal?) and require the U.S. to pass laws to "force users to provide their encryption keys" and the plain text of their encrypted files. Canada is a signatory as well."

27 of 535 comments

  1. hacking tools by quelrods · · Score: 4, Informative

    If one is arrested under any charge and found to have tone dialers, packet sniffers, port scanners, etc. one can be found to be in possession of "hacking devices." (This has happened in the past to Bernie S and others.) Essentially the government has no real evidence of any crime and uses it as a catch-all or as a way to increase sentence time. The annoying part of this is that sysadmins use sniffers and scanners quite often as part of their job. It would appear this "treaty" is just to strengthen previous laws and help to catch those evil hackers...er um hopefully not sysadmins?

    --
    :(){ :|:&};:
    1. Re:hacking tools by LostCluster · · Score: 2, Informative

      Here's the text of the treaty.

      Please cite the section that makes it criminal to possess a "hacking device".

  2. Link to the story by Wooky_linuxer · · Score: 3, Informative

    is here

    --
    Where is that guy who'd die defending what I had to say when I need him?
  3. Re:What's the problem here? by SirCrashALot · · Score: 2, Informative

    The encryption key issue is already covered by subpoena laws. Why should people pre-emptively surrender their keys? Why should the government have access to my files without any suspicion or complaint of wrongdoing on my part? It's the "I haven't done anything so there is nothing to hide" part that is frightening. People don't mind having their rights taken because they feel that they have nothing to hide. But as this becomes precedent we lose more and more rights.

  4. RTFA folks by Professor Cool Linux · · Score: 2, Informative

    Looks like our "Free speech" still stands...

    "Betty Shave, who heads the Justice Department's international computer crime division, admitted that the treaty mostly lacks so-called "dual criminality" provisions, but she countered that other language in the pact would prevent abuses. One clause in the treaty allows a country to refuse to cooperate in an investigation if its "essential interests" are threatened by the request: Shave says that would allow the U.S. to bow out of a probe targeting free speech or other actions protected by the U.S. Constitution. Moreover, political offenses are specifically excluded from some types of mutual assistance requests available under the treaty."

    Let's just hope our politicians & lawyers use that wisely... one can only hope...

  5. Won't stand up to a court challenge. by fmaxwell · · Score: 5, Informative

    Requiring that someone provide encryption keys would likely be construed as a violation of a U.S. citizen's Fifth Amendment rights: "nor shall be compelled in any criminal case to be a witness against himself." If the hard drive had incriminating evidence of ANY crime on it, then the person would be within their Constitutional rights to refuse to provide the encryption keys to access the data.

    From a practical standpoint, "I can't recall" is a very effective three-word sentence in such a case. It's not like any of us can honestly say that we've never forgotten a password or encryption key, so the prosecution would be hard-pressed to convince a judge and jury that such a claim is preposterous.

    1. Re:Won't stand up to a court challenge. by westlake · · Score: 3, Informative
      From a practical standpoint, "I can't recall" is a very effective three-word sentence in such a case.

      You will be expected to release the keys after a judge issues a warrant for a search of your computer. Saying "I can't recall" will earn you an interminate stay in the county jug until your memory improves dramatically.

      The privilege against self-incrimination can be invoked only during interrogation and at trial. It is the first line of defense against the use of torture or intimidation to achieve a conviction. But it does not protect you from being compelled to provide fingerprint and DNA samples, surrender your private correspondence, account books and ledgers, etc.

    2. Re:Won't stand up to a court challenge. by fmaxwell · · Score: 2, Informative

      Regarding fifth-amendment rights: one cannot be compelled to provide self-incriminating evidence, but one may be compelled to provide evidence against someone else, so the attack would go down something like this:

      That's a common misconception. The only way that they could compel you to provide self-incriminating evidence would be for them to give you immunity from prosecution. If someone witnessed a hit-and-run while soliciting a prostitute, they would have a Fifth Amendment right to refuse to testify as to why they were in the area.

      FBI believes person A committed crime (or otherwise wants information on person A). FBI accuses person B of being an accessory to said crime and subpoenas all of person A's evidence related to person B. Since person A has encrypted files which might reasonably contain details on the "crime" that B committed, the FBI can reasonably subpoena A's encryption keys.

      No, no, no! The FBI cannot make any person provide testimony which would be self-incriminating. If person A has been trading kiddie porn on Kazaa, they cannot make person B turn over the encryption key to the ZIP file that contains all of the kiddie porn he downloaded from person A.

    3. Re:Won't stand up to a court challenge. by theLOUDroom · · Score: 2, Informative

      The FBI cannot make any person provide testimony which would be self-incriminating. If person A has been trading kiddie porn on Kazaa, they cannot make person B turn over the encryption key to the ZIP file that contains all of the kiddie porn he downloaded from person A.

      Can you cite any relevant laws or cases?

      The cryptonomicon FAQ states that this issue is still undecided. (see 10.3.4) Although I believe that page is quite old.

      There seem to be a lot of issues here. My current understanding is that you should not expect to keep your encryption key secret.
      This is mainly because a judge might hold you in contempt of court indefinitely, until you gave them your key.

      There seems to be a discussion of this very subject in Risks digest as well.

      So far the only info I've ever heard on the subject is mere speculation.

      Here's another discussion of the topic on the Rubberhose website (an encryption scheme which offers deniable encryption).
      It's by far the best discussion of the subject I've seen, but even this (with its 159 footnotes) refuses to make a conclusive judgement on the topic. It states what the courts "should" do, but wouldn't do me much good in a jail cell. It seems like the privacy of your crypto key is quite debatable.

      IANAL, but I am quite interested in this topic, and AFAIK the issue is still up in the air.

      --
      Life is too short to proofread.
  6. Re:The threat posed by treaties by ducomputergeek · · Score: 2, Informative
    First of all, the House has always been out of the loop when it comes to treaties. How it has been since day 1. Number 2, the Senate was largely an appointed position up until the last 100 years or so. State Houses typically choose the senator, not the people.

    While the House was meant to be a representative body of the people, the Senate was supposed to be made up of elder statesmen and professional politicians. Good, bad, indifferent, that was the way things were set up.

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  7. Re:Isn't this redundant? by I Be Hatin' · · Score: 4, Informative
    In order to break the laws of another land, you have to be there at the time.

    At what time? At the time the crime was committed? I think Dmitry Sklyarov would beg to differ with you on that point.

    --
    I know god exists. I read it on the internet, so it must be true.
  8. Ok, first, READ it. by Valar · · Score: 4, Informative

    I've looked through this treaty, and it appears that the only explicit mention of encryption is that each participating country must ensure that if they have encryption keys needed to help another participating country, they should hand them over (i.e. Country A got Mr. Baddy's RSA key during an investigation and he is being tried in Country B for another offense. Country A should give the key to Country B to help them). Presumably, the key must be obtained by legal means in country A before it can be given to country B. They also mention that encryption should be used, if necessary, to ensure secure communications between the governments... I would hope this is the case anyway.

    This treaty doesn't expand the definition of computer crime really. All it is is a promise between countries that if someone commits a crime in another participating country, the other countries will turn over the criminal. To me, this makes perfect sense-- think about it. If someone from a European nation stole your credit card information, for example, you would want them to be accountable for their damages, even if you were an American, right?

  9. Civics lesson for AC by mariox19 · · Score: 2, Informative

    Right, the Senate passes treaties -- my whole point exactly.

    The Senate is designed to be somewhat insulated from the vagaries of popular opinion: they are up for election only once every six years. Moreover, as a body of only 100 members, they are supposed to be able to act more decisively.

    The House, by contrast, is made up of many more members, each of which is up for election every two years. By design, the House is supposed to be more representative.

    Together, the House is supposed to represent popular opinion, and the Senate is supposed to cool the passions of the masses; together, along with the President, laws are passed -- in theory, at least, balanced laws.

    Treaties, by contrast, are ratified by the Senate after being presented by the President. The House is left totally out of the loop. As treaties enjoy the full force of law, this creates a tendency for more elitist, less populist laws.

    Now, because you had to start with your "who modded this idiot up" nonsense, I have had to give you a lesson in U.S. government -- so much so that I myself would be tempted to mod this whole thread down as a "troll."

    Think before you shoot that idiot mouth of yours off, next time.

    --

    quiquid id est, timeo puellas et oscula dantes.

  10. Bricker Amendment by XanC · · Score: 2, Informative
    This is what the Bricker Amendment, first proposed in 1953, would solve.

    The main points are:
    1. A provision of a treaty, which conflicts with this Constitution, shall not be of any force or effect.
    2. A treaty shall become effective as internal law in the United States only through legislation, which would be valid in the absence of a treaty.

    Click for more details.

  11. Re:The threat posed by treaties by mariox19 · · Score: 2, Informative

    You're absolutely right, but I think the understanding of the proper scope of treaties was much more limited until at least we were well into the 20th century. That's what I have a problem with: the increase in scope.

    --

    quiquid id est, timeo puellas et oscula dantes.

  12. Re:New Slashdot Category: by Shakrai · · Score: 4, Informative

    Not true.
    All rights with a very few exceptions are guaranteed by the Constitution. The bill of rights was merely an add on addendum which a lot of people disagreed with the necessity for at the time. It is a sad eulogy to those who forced it through that they were right to do it.

    The constitution is mainly a granting of a few closely restricted powers granted to the government.

    That's right. Allow me to quote it from the source for those that will disagree with you:

    The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

    I think we can be thankful that the bill of rights was created though.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  13. Re:What's the problem here? by Simple-Simmian · · Score: 2, Informative

    You can't be forced to tell them where the money/body/records are buried or how to get them either.

    --
    If you don't like what I write don't be a CS and mod it down. Refute it.
    Yea I can't spell. So what is your point?
  14. Re:"Force users to provide their encryption keys" by Anonymous Coward · · Score: 1, Informative

    A few centuries on a cray won't let you break a one time pad. That's the whole point of one time pads.
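
The point made in the comment above, as an added example that is not part of the original thread: exhausting the whole pad space for a one-time-pad ciphertext produces every possible plaintext of that length exactly once, so brute force leaves nothing to pick the real message by. The function names and the two-byte message are constructed for illustration.

```python
import secrets
from collections import Counter


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt with a one-time pad (XOR is its own inverse)."""
    if len(pad) != len(data):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


def brute_force(ciphertext: bytes) -> Counter:
    """Try every possible pad and count each candidate plaintext produced."""
    n = len(ciphertext)
    seen = Counter()
    for k in range(256 ** n):
        seen[otp_xor(ciphertext, k.to_bytes(n, "big"))] += 1
    return seen


def pad_for(ciphertext: bytes, claimed: bytes) -> bytes:
    """Pad under which `ciphertext` decrypts to `claimed` (same length)."""
    return otp_xor(ciphertext, claimed)


def demo():
    message = b"no"                          # constructed sample message
    pad = secrets.token_bytes(len(message))  # truly random, used once
    ciphertext = otp_xor(message, pad)
    # 65,536 pads for two bytes: small enough to enumerate completely.
    return message, ciphertext, brute_force(ciphertext)


if __name__ == "__main__":
    message, ciphertext, candidates = demo()
    print("distinct candidate plaintexts:", len(candidates))
    print("times the real message appears:", candidates[message])
    print("pad that 'decrypts' to b'ok':", pad_for(ciphertext, b"ok").hex())
```

The guarantee holds only while the pad is random, as long as the message, and never reused.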

  15. Re:The threat posed by treaties by nomadic · · Score: 2, Informative

    However, a treaty cannot create a US law. It can create a promise to pass a law... but most of these treaties say nothing about what happens if we break the treaty and don't pass the law as promised.

    No, a treaty automatically becomes law when it is ratified. The only exceptions occur when the treaty language itself explicitly states otherwise.

  16. Re:bad standards by BCoates · · Score: 2, Informative

    Bush refused to sign the treaty for the International Criminal Court

    Clinton signed the ICC treaty. There is no chance in hell that it will pass the Senate, and he didn't even try. Bush wasn't interested in getting it passed either, and withdrew from the unratified treaty.

  17. Forums about the Treaty. by Dozix007 · · Score: 4, Informative

    I run Uberhacker.Com, a site primarily focused on PHP security. We also run a section in our Forums dedicated to Fighting the CyberCrime Treaty. Please visit the forums if you are interested in the topic, check out the forums and sign up.

  18. Re:Hiding the Encryption Keys by shiftless · · Score: 2, Informative

    There is a program called BestCrypt for Windows that I like. You create an encrypted "container" of any size. You can mount this container as a virtual drive and use it as such.

    One neat feature is the ability to create a "hidden compartment" so to speak. Once the container is open, you hit a special key combination and it asks for a password. The hidden compartment is hidden as noise in the container and the program has no idea it's even there until you enter the correct password, which it then puts through some sort of encryption algorithm and compares to the container file to find any hidden compartment.

    Neat stuff! Just store a bunch of useless crap in the main part of your container and hide the real goods in the hidden compartment. Unless somebody knows the password and knows how to access it (it's a special key combination, with no visible buttons, and just a brief mention in the help file), there's no way to even know the secret compartment exists.

  19. What thuh? by bezuwork's friend · · Score: 3, Informative
    This treaty, among other items, would require the U.S. to "cooperate with foreign authorities" in conducting surveillance on American citizens who have committed no crime under U.S. law, but may have broken another country's law (selling historic Nazi posters on Ebay? Germany might have you wiretapped)

    No time to read the article (I'm becoming a good /.er) or most of the comments - finals and such - so I apologize if another has said this. One of the cases I read today is the one Yahoo! filed in response to the French ruling [Yahoo!, Inc. v. La Ligue Contre le Racisme et l'Antisémitisme, et al. (CA, 2001)]. It was only a Cal. case, but the court said something very basic which the feds will have trouble with: even if a person in the US does something on the internet which violates laws in another country, so long as that action is protected in the US (such as under the first amendment), US courts cannot enforce any foreign judgement.

    Since treaties are subservient to the Constitution, I think selling Nazi posters is gonna remain a US right.

  20. Picking your house lock is trivial by cgenman · · Score: 4, Informative

    You should see the equipment to get into a locked house sometime. My personal favorite is a shockwave gun that knocks the pins up and into place. There is also the freezy-heaty gun that freezes the pins in an upward position, then heats the lower pins until they fall into position. Neither of these will allow anyone to know they have been hacked. Then there are traditional lock picking techniques, which take longer. In a pinch, you can always just pound down the door with a piece of concrete, or break a window.

    They don't want a copy of your house key because they don't need your house key to get in your house. That data is not secure. Even picks for those nice, safe-looking round locks can be had for about 400 dollars. But what they can't do is break strong encryption. If you put a good system on your computer with a well-chosen key, and make sure there isn't a keylogger installed on your keyboard, or a trojan, or a camera pointed at your fingers... Well, OK, there are ways around it. But after they catch you the only way to open that data is in your head. This violates their whole "hit it with something large until it opens" strategy, so they need that key from you.

    That's why they're going for your encryption keys, but not your house keys. It's not because encryption keys aren't sacred, but because your house protection is trivial.

  21. The Ninth too... by red floyd · · Score: 3, Informative

    The Ninth goes hand in hand with the Tenth:

    The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

    In other words:

    The Ninth: Even if we didn't mention them, you have your rights.
    The Tenth: If we didn't talk about it, the Feds can't do it.

    --
    The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
  22. Re:Er... by Eythian · · Score: 2, Informative

    Rubberhose is unfortunately very out of date. A newer equivalent, that should work with 2.4 and 2.6 kernels is PhoneBook.

  23. RTFA!!! by alizard · · Score: 2, Informative
    While the implications of this treaty are truly frightening, the amazing thing about it is that it originated in Europe.

    From the available information, the bad ideas in it came straight from the DOJ representatives who sat in on the conferences at which the treaty was drafted. Did a published article on this for 8wire back in 2001. Unfortunately, 8wire is out of business. From the SecurityFocus article, it appears that everything that was wrong with it back then still is.

    Judging by all the anti-American trolls here on Slashdot, you would think that such legislation was only possible in a land corrupted by people like Jack Valenti and John Ashcroft.

    By and large, the bad ideas that the EU government is rushing to adopt are MADE IN USA. The DMCA clones (see EU Copyright Directive) that the EU has mandated for adoption by EU nations are a good example. The only purpose is to protect the Hollywood content cartel.

    Doesn't it make you proud to be an American?