SecurityFocus 2000-05-22
The Love Letter worm threatens to spark a New World Order, where security tools are outlawed and your crypto key is every government's business.
After meeting secretly for years, these agencies now have stepped out from the shadows and made public proposals that would place fundamental restrictions on privacy, anonymity and encryption in the name of preventing cybercrime.
Last week, the Group of 8 (G-8), a high-level organization made up of eight major industrialized countries and the European Union, met in Paris to discuss responses to cybercrime.
Going into the meeting, it was widely expected that the G-8 would issue recommendations on a variety of issues, most notably the creation of a supranational cybercrime force. Thankfully, that did not quite happen. Much of the conversation at the meeting involved speakers marveling at the novelty of government officials actually talking with someone outside of government about the subject. The industry and government representatives who met discussed cooperation, and many in industry expressed wariness about governmental proposals. Other governments objected to the creation of some form of international cybercrime force, even though it was unclear if that was ever actually on the table in the first place. In the end they issued a weak press release that said almost nothing, except to call for more dialog.
However, lurking in the background and heavily promoted at the meeting was the controversial Council of Europe (COE) "Draft Convention on Cyber-crime," which rolls over users' rights like a Sherman tank. Besides the generally agreed-on prohibitions on hacking that most countries except the Philippines have already adopted, it includes several pages of bonus provisions guaranteed to warm the hearts of any spy.
The COE draft requires countries to pass laws guaranteeing that "any person who has knowledge about ... measures applied to secure" computer data can be ordered to "provide all necessary information" to allow law enforcement to access that data. Remember key escrow? This section would require people to give up their encryption keys on demand - something that only Malaysia and Singapore do now.
It also bans basic security tools by creating penalties for "the production, sale, procurement for use, import, distribution or otherwise making available" of programs designed to crack systems, with the intent to use the program for unlawful means. Who defines intent? Why, the government, of course. Another section requires that ISPs keep detailed logs of their users for an undefined period of time, with governments and ISPs debating between 40 days and a year.
To make it more difficult politically to oppose, they threw in some copyright and child porn provisions for good measure.
Ominously, after working on this for three years, the COE left blank in the public document two sections on interception of communications. I can't wait to see those, just at the last minute of course. Perhaps they will finally unveil the mandatory "Digital Angel" chip in everyone's neck to make it easier to bug communications. At a minimum, I expect mandatory built-in surveillance for all communications and network technologies, an expansion of "emergency" warrantless wiretapping, and cell phones that will track you down to which stall you are using in the bathroom (in Singapore, an optional "Flush Check" routine will automatically fine you if you fail to pull the lever).
If you think these proposals sound familiar, you're right. It's all of the bad U.S. policies rolled up in one nice little package. It's no coincidence that the draft convention looks a lot like the "Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet" report released a few months ago by the Justice Department. According to the COE, the U.S. was "very active" in the treaty's development. This practice could best be described as "policy laundering." When the U.S. government cannot get a controversial policy adopted domestically, they pressure an international group to adopt it, and then bring it back to the U.S. as an international treaty -- which obliges Congress to enact it.
It's a lot easier to get bad proposals adopted when the meetings are held in far away places and closed to the public and press, in intergovernmental organizations where the U.S. provides a large portion of the budget and demands the ability to set the agenda. We have seen this many times in the last few years, on issues such as copyright, with the WIPO treaty resulting in the Digital Millennium Copyright Act, and crypto, where the U.S. tried to get the OECD to adopt a ban on encryption. That cryptography ban nearly went through, until human rights groups from around the world got together with foreign government officials and industry groups to stop it.
At the G-8 meeting, only one consumer representative was invited and no civil liberties, cyber-rights or privacy groups were to be found -- unless they were hiding in the press gallery or among the kitchen staff. For the U.S. Government, and many others, it's always nice to include industry, but it's important to keep the rabble out. They might just call attention to what is going on.
The Convention is open to the 41 members of the Council of Europe, which is nearly every country in Western and Central Europe -- at least those with net connections beyond a tin can and wire -- and to countries that were involved in the development, which include the US, Canada, Japan and South Africa. At the G-8 meeting, the French Government, which will hold the Presidency of the EU, recommended that the convention be opened to all countries. The Chinese government will have a ball implementing these net restrictions.
The COE says that comments are welcome. So read