Cybercrime Treaty — Hidden Costs For All
linuxtelephony writes in with an article at CIO Insight about a cybercrime treaty drafted in Europe with help from the US. It has implications for just about everyone with a network. From the article: "Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located... Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind... The provisions for data retention and production apply to any operator of a computer network, not just telecoms... Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you."
And demand information about bloggers posting from even outside their country?
I'm much more funny, interesting and insightful than the moderators think
What crimes can this help fight that can't be helped in other ways? As it is, everything leaves a digital trail, if not a physical one.
Let's name some 'horrible' crimes. The only truly horrible crime I can think of on the internet is child pornography. It appears, in light of the large number of recent events, that they already know how to investigate this crime. In the event that they didn't have a reasonable track record, there are still methods to combat this. The children are somewhere, find them. They're missing from somewhere, start there. There is money being made, follow that. The pervs get into these groups, so could the cops. The laws are pretty clear about child pornography: Have anything to do with it, and you'll go to jail for a long time.
Let's talk about other crimes. DDOS? Will this law help stop Distributed Denial of Service attacks? Not likely. Most DDOS attacks are done remotely using a net of bots. This law would require terabytes worth of retained data created by these bots, while the people that created the bot-net will have done so in a manner that isn't traceable. This law won't help any.
How about selling contraband over the internet? This law isn't necessary. The contraband is being created somewhere. The item is being shipped somewhere. Money is being transferred. There are standard methods to track all of this. The contraband is a physical item. Find it, you lazy fucks.
In short, requiring network operators to retain a record of every digital transmission is a lot like banning guns. Ban guns, and then only the criminals will have them. Require that ISPs keep records, and then only the criminals will be able to move freely about the internet.
Hey Keystone Kops, want to catch more bad guys? Work together better with your cohorts in other countries. Share that legally acquired data more efficiently. You found this item here. They're looking for this item there. Put two and two together, assholes.
Why should network operators have to pick up the slack for inefficient and incompetent law enforcement?
Aero
"Any society that would give up a little liberty to gain a little security will deserve neither and lose both."
Please stop hurting America -- Jon Stewart
If we encrypt everything, it will simply become infeasible to perform long-term dragnet surveillance of innocent people.
Until they make encryption illegal. I think that's the next step when it doesn't work out for them.
But really, what's new? Never in the history of humanity has there not been one group of people who felt it their god given right to tell another group of people what to say and think.
Don't be lulled into thinking these folks are here to protect you.
Just like the increased powers of search and seizure, designed to protect us from the terrorists, are used mostly to bust people for possession of pot; so the draconian measures enacted to save us from the cyber criminals will mostly be used to bust you for downloading your favorite music.
I am an American, and I love my country. I am, however, getting really sick and tired of constantly watching my country crap all over everyone's rights (or in some cases, preempt people from HAVING rights) both here and abroad all for the sake of a few super-mega-corps; all the while, we're pretty powerless to immediately end any of it.
As I sit back and watch all the industry in this country die as we make the shift to a service-based economy, I watch us become less important in the global marketplace. Sure we have lots of cash (read: power) now, but what happens when we piss it all away? For Pete's sake, the Shanghai market shows instability and Wall Street shits the bed. We're on the verge of recession.
There were times in history in which the US helped prevent other countries from making stupid mistakes. Now we are the ones making lots of stupid mistakes, and we're doing it over and over again.
How does it benefit the EU or anyone else to go along with our silly shenanigans (especially these ridiculous 'e-piracy', think-of-the-children policies)? They didn't with Iraq (for the most part) and escaped unscathed (mostly). Why not tell the current US administration to stop being stupid by not agreeing to participate in its bullshit?
We're really not a bad country or a bad people. Unfortunately, the filth has risen to the top. Certainly we can do our part to help stop all this, but voting takes time. Please help us stop this train speeding off its track by not supporting/recognizing the US' inane global commercialization laws and regulations. In the end, it will be better for all of us.
We are, as a world, beginning to define what a global economy really is. This is our (the world's) chance to make life better for everyone, and even turn a buck doing it. Please help the US stop being stupid not for the sake of the Bush family or those that give us a bad name, but for the regular folks here who work to feed their families and really do want to spread freedom and wealth around the world.
Americans really aren't bad people. The leadership class just needs a little reminder every once in a while that they are PART of the world, not the fucking owners of it.
This is certainly no call for violence. Just a simple request that other countries not participate in nor support our stupidity.
Message contains 1 attachment: spam.gif
This is something I am trying to get people to do, to little avail.
In the old PGP documentation (and I'm mangling the wording), it stated that one should encrypt even trivial E-mail. It's just the same as putting something in an envelope rather than writing all your personal stuff on a postcard and sending it.
Signing and encrypting E-mail is easy these days. You use an S/MIME-compatible E-mail client (Thunderbird, Mail.app, Outlook, Pegasus Mail, Eudora, mutt, even elm and pine have ways of being able to understand S/MIME certs). You then either use a self-signed cert, grab one from StartCom or Comodo, or if you desire the Verisign check, plop your $19 down. Pretty much a four-step process... enroll, wait for the confirmation E-mail, browse to the URL, type in the confirmation code, then back up your certificate and private key to a secure place.
Now, you have signing and encryption. S/MIME has some small issues (always check the certificate, because an E-mail From address is trivial to fake), but it's a very easy way to keep what should be private E-mail that way.
Instant messaging is the same or similar. You can use PGP Professional as a wrapper or use certificates in a number of IM clients similar to how it's used in secured E-mail.
For web pages, I try to have the websites I run use SSL whenever possible, even when a user is just doing a search of content on the site.
The more encrypted traffic is generated, the better. Most people don't want everything they do on their computers to be an open book, but don't bother to take any steps to batten down hatches.
Of course, there is a lot of email that can NOT be encrypted. For example, my company has a strict policy that encrypting any communications can be cause for immediate termination. So while encrypting email is fine for personal communications sent through personal accounts via non-company networks and hardware, it still leaves a huge swath of communications open.
Frankly, I would love to see all email clients come with built-in encryption in such a manner that you NEED to create a key (it could be a very simple process) and that all email will be communicated via that key and encryption by default. Otherwise, all you have is a bunch of people (like me) who really wish we could communicate via encrypted methods all the time, but know that 95% of the people we communicate with will not, can not and do not have a way to receive and read them.
In the long run, it won't matter. Denying a request to search your home or car or person will be probable cause in and of itself. And encrypting any communications will become enough probable cause in and of itself to consider you suspect.
I would love to see personal privacy and civil liberties upheld without any exception, but I think we are only heading downhill in the long run. I expect to see all expectation of privacy eradicated within my lifetime. You need only look to things such as the prevalence of public cameras on city streets to "stop crime" and parents fingerprinting their children as if having their fingerprints will somehow imbue them with a magical protection against kidnapping or molestation to see where society is headed.
At work there are other considerations to use. But TLS is very simple. You can send the emails in plain text ... over an encrypted channel.
This is handy for me because it is far more likely that I'll have to grep through a month's worth of email looking for one message than it is that the government will have any LEGIT reason to search through the same mail.
But for just about everything you send from your personal account, spend some time and do it encrypted.
Hmm... If enough people started using encryption, Intel and AMD would probably start adding it as well. I doubt the extra hardware will take more than a few thousand transistors. With the current limit of several hundred million, that should be trivial.
This was a pretty quick find in terms of the status in Canada:
Complementary or further amendments could be made to other existing laws, such as the Competition Act, in order to modernize them in accord with the Convention, notably in the areas of real-time tracing of traffic data (see section on Specific Production Orders below) and interception of e-mail.
- we signed
- it isn't ratified by Parliament yet
- the bureaucrats are working on it
It is noted that a number of laws have to be changed in advance of ratification, so
There are a couple of beauties in here; the options being examined for the cost of building a required "interception capability" for ISPs include the ISPs paying for it, the ISPs paying for it when "significant upgrades" to their networks occur but not required to pay for changes to existing networks. This all adds up to the customer paying for the mechanisms that Johnny Law gets to use to bust those same customers. What a schmozzle in the making.
http://www.justice.gc.ca/en/cons/la_al/a.html
I don't have much of an alternative to contribute here, though. Crime on the Internet is apparently on the rise (I don't know if I believe stories of DOS-extortion, they always seem to be a rumour, not a news story, but maybe I'm naive). Internationally there needs to be a mechanism for a guy in France to charge a guy in Canada (yo MafiaBoy!) for DOS'ing his business, but this is Big Brother shit running wild.
Why aren't existing extradition treaties sufficient, and used in concert with whatever updates occur in the laws of respective countries? If you think someone's guilty, make your case in extradition court. Is the requirement of evidence so much higher for cyber-crime than other crimes?