Global hacker agreement could affect bug hunters

The Council of Europe's Draft Convention on Cybercrime aims to foster a common international criminal policy that addresses offenses directed against computer systems, data or networks. The treaty is intended to encourage legislation around the world.

More than 40 countries, including the United States, are participating in the treaty, which is set to be signed by December and adopted by the council's Committee of Ministers in early autumn 2001.

The proposed treaty prohibits "the production, sale, procurement...or distribution" of a device, including a computer program, that is designed to commit offenses such as damaging, deleting or altering computer data without authorization. It would make it illegal for anyone to possess, write or implement tools--including software, a computer password, access code or similar data--that are used to attack a system.

The council hopes that those rules would prevent hacker attacks, which have been prevalent across continents, such as the recent attack on Microsoft's computer system as well as the infamous "I Love You" virus, also known as the Love bug, that is believed to have started in the Philippines.

"Cybercrime goes across different states and across different countries. As recent news events point out, you can have a hacker in the Philippines wreaking havoc in California," said Julius Finkelstein, the head of high-tech crimes prosecutions in San Jose, Calif. "So in general, there needs to be more cooperation in trying to investigate and prosecute persons who would use the Internet to commit crimes."

The backers of the treaty include the Justice Department's Computer Crimes and Intellectual Property division, which has played a pivotal role in consulting with the council and writing parts of the treaty.

Kevin DiGregory, deputy assistant attorney general in the DOJ's Criminal Division, told the European Parliament that officials "are increasingly dependent on cooperation with foreign law enforcement agencies in fighting computer crime."

"When one country's laws criminalize certain activities on computers and another country's laws do not, cooperation in solving a crime and prosecuting the perpetrator may not be possible," DiGregory said in a statement. "Take the recent investigation of the Love bug virus, for example. Although our investigators continue to work closely with investigators in the Philippines, international coordination would have proceeded more quickly and effectively had there existed common computer crime laws between our countries."

Not everyone is happy with the treaty, however.

This past summer, security experts and educators sent a letter to the council, saying they are concerned that portions of the treaty may inadvertently make illegal techniques and software commonly used to make computer systems resistant to attack.

"Security tools are a double-edged sword. They could be used for good or bad, and trying to determine the intent of the author of the tool is not something easily done in a lot of cases," said SecurityFocus.com chief technology officer Elias Levy, who signed the letter. "So what should be criminalized, and it is criminalized, is the actual actions of using such tools to break into the computer system."

One such tool is nMap, a port scanner that sends packets to a remote machine to try to determine what port numbers are open. The tool is not necessarily used to break into a machine, but it's normally used before someone attacks a computer to find a vulnerability. At the same time, it is used by system administrators to maintain an inventory of machines and their network and what services they're offering.

"The question becomes, Would the person who wrote the tool not have written it had this law been enacted then for the fear of being held liable because of the tool?" Levy said.

Levy added that security experts who spend their time searching vulnerabilities and who are less well-known might also be held liable under the proposed treaty.

"That's the fear: that unless you have some type of credentials where you can claim that you're not doing this maliciously, but that indeed you're a security expert, and you're doing it as part of research, then it may kill research by those people that are not as well-known or whose intentions may not be easily determined." Levy said.

Academics also have concerns about ambiguity in the treaty as to whether possessing tools to attack systems could be made a crime. They use such tools to educate students and in research to develop improved defenses.

Matt Bishop, associate professor in the department of computer science at the University of California at Davis, said that he uses tools in his classes to test defense techniques. He said that students would build something to see whether it will protect the system, and then they have to attack the system and gather the data to monitor the effects.

"The problem is if that's illegal, we're hosts," Bishop said. "What makes it even worse is many attack tools have perfectly legitimate uses."

Bishop said that the problem lies in not the possession of a tool but its use. He added that as a child, he moved boulders with a crowbar. Merely possessing a crowbar shouldn't be considered illegal, but if he used it to smash a window, he said that action would be illegal.

"It's the same thing here. The tools, if you like, are the crowbars; the use to which you put them is what is the problem," Bishop said.

He added that if one of his students had a copy of nMap, the student shouldn't be held liable unless the student used it to break into a system.

"None of us are sympathetic to people who want to break into systems. In fact, one of the reasons we exist is to stop that sort of thing. But on the other hand, you can't go overboard. You've got to retain some perspective," Bishop said.