U.S. Considering Ratifying Cybercrime Treaty
waytoomuchcoffee writes "SecurityFocus has a new article on the Council of Europe's "Convention on Cybercrime". The U.S. has already signed the treaty, but it has not yet been ratified by the Senate (although President Bush has written a letter urging the treaty's passage). This treaty, among other items, would require the U.S. to "cooperate with foreign authorities" in conducting surveillance on American citizens who have committed no crime under U.S. law, but may have broken another country's law (selling historic Nazi posters on eBay? Germany might have you wiretapped), prohibiting the "production, sale or distribution of hacking tools", whatever that means (would Nmap be illegal?) and require the U.S. to pass laws to "force users to provide their encryption keys" and the plain text of their encrypted files. Canada is a signatory as well."
If one is arrested under any charge and found to have tone dialers, packet sniffers, port scanners, etc., one can be found to be in possession of "hacking devices." (This has happened in the past to Bernie S and others.) Essentially the government has no real evidence of any crime and uses it as a catch-all or as a way to increase sentence time. The annoying part of this is that sysadmins use sniffers and scanners quite often as part of their job. It would appear this "treaty" is just to strengthen previous laws and help to catch those evil hackers...er um hopefully not sysadmins?
Requiring that someone provide encryption keys would likely be construed as a violation of a U.S. citizen's Fifth Amendment rights: "nor shall be compelled in any criminal case to be a witness against himself." If the hard drive had incriminating evidence of ANY crime on it, then the person would be within their Constitutional rights to refuse to provide the encryption keys to access the data.
From a practical standpoint, "I can't recall" is a very effective three-word sentence in such a case. It's not like any of us can honestly say that we've never forgotten a password or encryption key, so the prosecution would be hard-pressed to convince a judge and jury that such a claim is preposterous.
At what time? At the time the crime was committed? I think Dmitry Sklyarov would beg to differ with you on that point.
I know god exists. I read it on the internet, so it must be true.
I've looked through this treaty, and it appears that the only explicit mention of encryption is that each participating country must ensure that if they have encryption keys needed to help another participating country, they should hand them over (i.e. Country A got Mr. Baddy's RSA key during an investigation and he is being tried in Country B for another offense. Country A should give the key to Country B to help them). Presumably, the key must be obtained by legal means in Country A before it can be given to Country B. They also mention that encryption should be used, if necessary, to ensure secure communications between the governments... I would hope this is the case anyway.
This treaty doesn't expand the definition of computer crime really. All it is is a promise between countries that if someone commits a crime in another participating country, the other countries will turn over the criminal. To me, this makes perfect sense-- think about it. If someone from a European nation stole your credit card information, for example, you would want them to be accountable for their damages, even if you were an American, right?
====
Crudely Drawn Games
Not true.
All rights with a very few exceptions are guaranteed by the Constitution. The Bill of Rights was merely an add on addendum which a lot of people disagreed with the necessity for at the time. It is a sad eulogy to those who forced it through that they were right to do it.
The Constitution is mainly a granting of a few closely restricted powers granted to the government.
That's right. Allow me to quote it from the source for those that will disagree with you:
I think we can be thankful that the Bill of Rights was created though.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
I run Uberhacker.Com, a site primarily focused on PHP security. We also run a section in our Forums dedicated to Fighting the CyberCrime Treaty. Please visit the forums if you are interested in the topic, check out the forums and sign up.
You should see the equipment to get into a locked house sometime. My personal favorite is a shockwave gun that knocks the pins up and into place. There is also the freezy-heaty gun that freezes the pins in an upward position, then heats the lower pins until they fall into position. Neither of these will allow anyone to know they have been hacked. Then there are traditional lock picking techniques, which take longer. In a pinch, you can always just pound down the door with a piece of concrete, or break a window.
They don't want a copy of your house key because they don't need your house key to get in your house. That data is not secure. Even picks for those nice, safe-looking round locks can be had for about 400 dollars. But what they can't do is break strong encryption. If you put a good system on your computer with a well-chosen key, and make sure there isn't a keylogger installed on your keyboard, or a trojan, or a camera pointed at your fingers... Well, OK, there are ways around it. But after they catch you the only way to open that data is in your head. This violates their whole "hit it with something large until it opens" strategy, so they need that key from you.
That's why they're going for your encryption keys, but not your house keys. It's not because encryption keys aren't sacred, but because your house protection is trivial.
The ______ Agenda