Cybercrime Convention Workshop at HAL 2001 and possible next actions

At HAL 2001 [1], Gus Hosein [2] and I [3] held a workshop on the cybercrime convention. After a brief presentation on the history and current status of the cybercrime convention [4], I tried to focus more on the direct consequences of the cybercrime convention for the hacker scene, internet security and signal intelligence, as well as possible strategies to avoid the implementation of the cybercrime convention if we fail to prevent the signing of the cybercrime treaty by the COE on September 15th.

Because we had only 1 hour, we continued the discussion on possible strategies to keep the cybercrime convention from becoming national law together with about 20 people from the audience at the ccc-space at HAL.

With this document I want to give a short overview of what we discussed and through this give you - wherever located - some ideas for local actions. I didn't coordinate this paper with the other participants of this workshop; forgive me that it is not complete and objective in all its points. Work with it.

* Some threats of the convention/treaty (this list is rough & incomplete):

-> Outlawing security / test tools through Article 6
-> Possible widening of "content-related offences" beyond the easy-to-gain-acceptance child-pornography argument to all kinds of national or economic sensitivities through Article 9 (by the way, what does child pornography have to do with cybercrime?
We're talking about the abuse of human beings here, not of computers)
-> Mixture of "Cybercrime" with "Intellectual Property" issues and possible DMCA-like criminalization of information / tools that ignore or take away so-called "copy protection mechanisms" through Article 10
-> Ignoring the key principle of data protection laws, to save as little data as possible, when asking for traffic data access through Articles 16 / 17, 20, 21
-> Possible Governmental Access to Keys (GAK), or at least criminalizing not giving encryption keys in an investigation, through Article 19 (4)
-> Possible knock-out of things that are allowed in one jurisdiction because they're forbidden elsewhere on the planet, through Article 22 and Part III

* Some strategic issues & problems:

-> Even if one country implements only some parts of the cybercrime treaty, at the next distributed denial of service attack, caused by whomever, a country which has full implementation might say that the attack cannot be stopped / investigated because the other country has not fully implemented the cybercrime treaty.
-> Politicians, especially those for the interior, mostly do not understand the technical issues of internet security AND feel in a "have-to-do-something" mode when an internet attack (virus etc.) gets enough public attention. So-called public security is mostly not the objectively measurable security, but the citizens' feeling of security. People who are responsible in this field "need to do something"; even if it does not make sense, it gives people the feeling "something is done".
-> The situation described above, a mixture of "obscurity" (caused by not understanding) and fear (caused by media attention), is an ideal situation for all kinds of clandestine operations, creating attacks / viruses and letting people believe it's these "hackers", even if the operations obviously hack budgets and not computer systems (like the January 2000 distributed denial of service and the NIPC budget).
-> The situation is hard to change for the better as long as this Orwellian marketing can work on the basis of stupidity and a missing vision for an open communication society. Currently we only have the "what makes us fear and should be forbidden" discussion to kill anonymity on the net (child pornography brings acceptance), sanction forms of communication in the style of the DMCA (Hollywood will die and the artists will have nothing to eat), explain that e-commerce (whatever that is) doesn't work because of missing security on the internet, and this endless list of other bullshit...
-> Digital signatures defined by the government have to be watched as a possible key issue in the paradigm, because communication combined with "real" personal data makes not only identification, but also sanctioning of communication behaviour much easier.
-> We'll need to educate the public & politicians about how things work, what the problems are and how to fix them. And: we have to make clear that here are key issues in the field of security politics in the information age that affect freedom of speech, privacy and possible misuse / control of public media and communication structures.

* Arguments against the Cybercrime-Treaty:

-> is not helpful for security
-> lack of information & tools creates a crisis in the development of information technology (can already be observed through the DMCA)
-> ill-conceived legislation by politicians who don't understand technical measures
-> countries who sign will lose their sovereignty in the information sphere
-> questions civil rights and human rights
-> was not created by elected representatives
-> process was non-transparent, creation in secret
-> missing public interest in the addressed matters
-> new degree of secret service
-> creates SIGINT/COMINT rights for secret services instead of computer security
-> can easily be misused politically for economic espionage, which is always espionage on people (who work in companies etc.)

-----
[1] http://www.hal2001.org/
[2] gus@privacy.org, http://is.lse.ac.uk/staff/hosein/
[3] andy@ccc.de, http://www.ccc.de/~andy/
[4] http://is.lse.ac.uk/staff/hosein/cyb.html