Love Letter's last Victim
David Banisar, SecurityFocus 2000-05-22

The Love Letter worm threatens to spark a New World Order, where security tools are outlawed and your crypto key is every government's business.

The biggest victim of the ILOVEYOU worm might not be the users of the estimated 40 million computers that were afflicted, but rather everyone's basic right to privacy as law enforcement and intelligence agencies from around the world jump on this opportunity to demand new powers.

After meeting secretly for years, these agencies now have stepped out from the shadows and made public proposals that would place fundamental restrictions on privacy, anonymity and encryption in the name of preventing cybercrime.

Last week, the Group of 8 (G-8), a high-level organization made up of eight major industrialized countries and the European Union, met in Paris to discuss responses to cybercrime.

Going into the meeting, it was widely expected that the G-8 would issue recommendations on a variety of issues, most notably the creation of a supranational cybercrime force. Thankfully, that did not quite happen. Much of the conversation at the meeting involved speakers marveling at the novelty of government officials actually talking with someone outside of government about the subject. The industry and government representatives who met discussed cooperation, and many in industry expressed wariness about governmental proposals. Other governments objected to the creation of some form of international cybercrime force, even though it was unclear if that was ever actually on the table in the first place. In the end they issued a weak press release that said almost nothing, except to call for more dialog.

However, lurking in the background and heavily promoted at the meeting was the controversial Council of Europe (COE) "Draft Convention on Cyber-crime," which rolls over users' rights like a Sherman tank. Besides the generally agreed-on prohibitions on hacking that most countries except the Philippines have already adopted, it includes several pages of bonus provisions guaranteed to warm the heart of any spy.

The COE draft requires countries to pass laws guaranteeing that "any person who has knowledge about ... measures applied to secure" computer data can be ordered to "provide all necessary information" to allow law enforcement to access that data. Remember key escrow? This section would require people to give up their encryption keys on demand - something that only Malaysia and Singapore do now.

It also bans basic security tools by creating penalties for "the production, sale, procurement for use, import, distribution or otherwise making available" of programs designed to crack systems, with the intent to use the program for unlawful means. Who defines intent? Why, the government, of course. Another section requires that ISPs keep detailed logs of their users for an undefined period of time, with governments and ISPs debating periods of between 40 days and a year.

To make it more difficult politically to oppose, they threw in some copyright and child porn provisions for good measure.

Ominously, after working on this for three years, the COE left blank in the public document two sections on interception of communications. I can't wait to see those, just at the last minute of course. Perhaps they will finally unveil the mandatory "Digital Angel" chip in everyone's neck to make it easier to bug communications. At a minimum, I expect mandatory built-in surveillance for all communications and network technologies, an expansion of "emergency" warrantless wiretapping, and cell phones that will track you down to which stall you are using in the bathroom (in Singapore, an optional "Flush Check" routine will automatically fine you if you fail to pull the lever).

Policy Laundering
If you think these proposals sound familiar, you're right. It's all of the bad U.S. policies rolled up in one nice little package. It's no coincidence that the draft convention looks a lot like the "Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet" report released a few months ago by the Justice Department. According to the COE, the U.S. was "very active" in the treaty's development. This practice could best be described as "policy laundering." When the U.S. government cannot get a controversial policy adopted domestically, it pressures an international group to adopt it, and then brings it back to the U.S. as an international treaty -- which obliges Congress to enact it.

It's a lot easier to get bad proposals adopted when the meetings are held in far away places and closed to the public and press, in intergovernmental organizations where the U.S. provides a large portion of the budget and demands the ability to set the agenda. We have seen this many times in the last few years, on issues such as copyright, with the WIPO treaty resulting in the Digital Millennium Copyright Act, and crypto, where the U.S. tried to get the OECD to adopt a ban on encryption. That cryptography ban nearly went through, until human rights groups from around the world got together with foreign government officials and industry groups to stop it.

At the G-8 meeting, only one consumer representative was invited and no civil liberties, cyber-rights or privacy groups were to be found -- unless they were hiding in the press gallery or among the kitchen staff. For the U.S. Government, and many others, it's always nice to include industry, but it's important to keep the rabble out. They might just call attention to what is going on.

The Convention is open to the 41 members of the Council of Europe, which is nearly every country in Western and Central Europe -- at least those with net connections beyond a tin can and wire -- and to countries that were involved in the development, which include the US, Canada, Japan and South Africa. At the G-8 meeting, the French Government, which will hold the Presidency of the EU, recommended that the convention be opened to all countries. The Chinese government will have a ball implementing these net restrictions.

The COE says that comments are welcome. So read the draft convention, decide for yourself, and don't miss this opportunity to send them a LOVE note at: daj@coe.int
