Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
The Internet Your Rights Online

Cybercrime Treaty — Hidden Costs For All 100

linuxtelephony writes in with an article at CIO Insight about a cybercrime treaty drafted in Europe with help from the US. It has implications for just about everyone with a network. From the article: "Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located... Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind... The provisions for data retention and production apply to any operator of a computer network, not just telecoms... Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you."
This discussion has been archived. No new comments can be posted.

Cybercrime Treaty — Hidden Costs For All

Comments Filter:
  • by l2718 ( 514756 ) on Tuesday March 06, 2007 @08:14PM (#18257524)
    Someone must be a bit confused methinks. It is not now (and will never be) technologically feasible to keep a record of network traffic over any non-trivial amount of time.
    • by Anonymous Coward on Tuesday March 06, 2007 @08:30PM (#18257652)
      This is the reason we should make it as hard for them as possible to tell what's being sent.

      As long as the vast majority of connections are plaintext, it will be easy for the snoop-happy authorities to compress traffic down to the most important portions (URLs, text of IMs rather than protocol overhead, etc.) then log them permanently.

      If we encrypt everything, it will simply become infeasible to perform long-term dragnet surveillance of innocent people. When someone is suspected of a crime, police will need to investigate that specific person, rather than assume everyone alive is a criminal. If you work in a position where you have influence, where you can make programming and protocol design decisions, hopefully you'll take this into account and help stop the surveillance state before it encompasses everything.

      We need universal encryption for no less noble purpose than the preservation of any semblance of justice in society.
      • Yes yes yes! This is exactly right! A good starting point for everyone is encrypting your email.
        • Re: (Score:2, Interesting)

          by narf501 ( 1051136 )
          This is something I am trying to get people to do, to little avail.

          In the old PGP documentation (and I'm mangling the wording), it stated that one should encrypt even trivial E-mail. Its just the same as putting something in an envelope rather than writing all your personal stuff on a postcard and sending it.

          Signing and encrypting E-mail is easy these days. You use a S/MIME compatible E-mail client (Thunderbird, Mail.app, Outlook, Pegasus Mail, Eudora, mutt, even elm and pine have ways of being able to un
          • Re: (Score:3, Interesting)

            by Seumas ( 6865 )
            Of course, there is a lot of email that can NOT be encrypted. For example, my company has a strict policy that encrypting any communications can be cause for immediate termination. So while encrypting email is fine for personal communications sent through personal accounts via non-company networks and hardware, it still leaves a huge swath of communications open.

            Frankly, I would love to see all email clients come with built-in encryption in such a manner that you NEED to create a key (it could be a very sim
            • Encrypt the channel. (Score:3, Interesting)

              by khasim ( 1285 )
              At work there are other considerations to use. But TLS is very simple. You can send the emails in plain text ... over an encrypted channel.

              This is handy for me because it is far more likely that I'll have to grep through a month's worth of email looking for one message than it is that the government will have any LEGIT reason to search through the same mail.

              But for just about everything you send from your personal account, spend some time and do it encrypted.
              • Re: (Score:2, Insightful)

                by Seumas ( 6865 )
                Yeah, but encrypting transport methods only secures you against snooping. The greater problem is targeted retrieval and review of content. In my opinion, a company should want to encrypt the data as well. Perhaps they can have some master key for urgent or legal situations, but there is no reason every email from every employee should be sitting unencrypted in the mailstore for any number of people to access and read. Not to mention, if your system is ever the victim of malicious attack that allows access t
            • Of course, there is a lot of email that can NOT be encrypted. For example, my company has a strict policy that encrypting any communications can be cause for immediate termination.

              Huh? Could you please explain the reasoning behind this? In my organization, we're rapidly moving toward encrypting all internal email (and as much external traffic as we can). I can't imagine any organization where there's NO data that isn't recognized as sufficiently sensitive that it should be protected when it's put in em

              • I imagine that due to HIPAA, Sarbanes-Oxley or something with similar requirements, all electronic communications must be logged in his workplace by federal law. If they allowed encrypted email they would not be able to log that communication and his company could be in very serious trouble.
                • Thanks for the thought. I hadn't considered SOX or HIPAA. I work in a highly secure environment where we're required, under various laws dating back decades and mandating prison sentences for noncompliance, to keep data secure. We don't, however, have much in the way of logging requirements. Thus, I tend to think of data protection as being accomplished through access control; in practical terms this is accomplished via network privileges and encryption. In my environment, logging/tracking is a periphe
                • by J'raxis ( 248192 )

                  As long as the encryption keys are available or can be made available, I don't see why logging the encrypted communication would be a problem. This sounds like a paranoid company worried about people emailing off trade secrets or somesuch; they're probably reading all your email communications too.

                  Come to think of it, this might be a pretty good way around data-retention laws -- retain everything, just like the government want, but it's encrypted, and the encryption keys are in the hands of the individual

            • Or how about you try and do what you can to help reform the fucked up government we have. If you believe that you cannot stop it, then you won't even try. But the United States Government is not a force of God, it is full of people. Get rid of the people who want to treat everyone as scum, leave only those who are willing to give the average joe a chance to be a good citizen.

              How many times have you heard of some group of people being treated like criminals, only to then fulfill that prophecy and resort t

      • by max born ( 739948 ) on Tuesday March 06, 2007 @09:36PM (#18258032)
        If we encrypt everything, it will simply become infeasible to perform long-term dragnet surveillance of innocent people.

        Until they make encryption illegal. I think that's the next step when it doesn't work out for them.

        But really, what's new? Never in the history of humanity has there not been one group of people who felt it their god given right to tell another group of people what to say and think.

        Don't be lulled into thinking these folks are here to protect you.

        Just like the increased powers of search and seizure, designed to protect us from the terrorists, are used mostly to bust people for possession of pot; so the draconian measures enacted to save from the cyber criminals will mostly be used to bust you for downloading your favorite music.
        • Until they make encryption illegal. I think that's the next step when it doesn't work out for them.

          jkerhi~uy@yy?>fdsalj9oyhuiyuio%$ewq!
        • Until they make encryption illegal.

          Yup, that'll fly. It would be the end of DRM and copy protection. You know FairPlay, Plays4sure (or whatever it's called), CSS, AACS, and all those other copy protection mechanisms that those companies spent so much time and money on? All would be illegal. But I guess there are always casualties when you make laws like that.

          In fact, they would be the only casualties. Any kid with knowledge of Basic would be able to create a tool to encrypt files.

      • If we encrypt everything, it will simply become infeasible to perform long-term dragnet surveillance of innocent people. When someone is suspected of a crime, police will need to investigate that specific person, rather than assume everyone alive is a criminal.

        We could start by making HTTPS simpler, supporting TLS Server Name Indication on all web servers (and browsers), and having a free CA authority for encryption without necessarily needing strong authentication.

        Rich.

    • Quite true. When I worked for a university IT department, the security officer discussed this point following some MPAA run-ins. It is possible to intentionally monitor certain flows. It is possible to do real-time traffic analysis, but it is not possible indiscriminately retain the payloads. There is just too much data. You'd be amazed though how much can be gleaned from DNS logs and other similar sources.
    • True. But that's not the point.

      The point is that you have to do it, or you get the blame. You can't do it? Everyone knows that. But there's someone to shift the blame to and who has to pay the price.

      Just because something is impossible doesn't mean there can't be a law requiring it.
      • Its a catch all up there with the other regulations like FAR 91.13 "Careless or Reckless Operation."
        Part a: No person may operate an aircraft in a careless or reckless manner so as to endanger the life or property of another.

        Its a catch all. If you screw up while flying, you were probably flying an a careless or reckless manner. There are quite a few regulations like that floating about.
        • The difference is that it's not necessarily you who's screwing up. You're also liable if someone steals your plane and crashes it in some tower.
    • Re: (Score:2, Informative)

      by Augmento ( 725540 )
      this treaty is old news but as far as i can tell not enforced as such, i.e. we don't have terabytes of packet captures laying around my cubicle. bleh. just read the article and it doesn't even link the treaty http://conventions.coe.int/Treaty/EN/Treaties/Html /185.htm [coe.int] happy reading! oh and for the USA signing it, we did back in 2004! can you say old news? how do i get to tag stuff? OFN! http://www.securityfocus.com/news/8529 [securityfocus.com]
  • well... (Score:5, Insightful)

    by mastershake_phd ( 1050150 ) on Tuesday March 06, 2007 @08:15PM (#18257526) Homepage
    .....and closes loopholes that make it possible for criminals to escape prosecution by locating their activities offshore.

    Well it depends which shore, as long as there is a country that doesnt sign the treaty the dedicated criminals can avoid this while we suffer it.
    • by l2718 ( 514756 )
      And I always thought that dissidents relocating their subsersive activities to these shores (the US of A) was a good thing(TM) ?
      • And I always thought that dissidents relocating their subsersive activities to these shores (the US of A) was a good thing(TM) ?

        If I was a politician Id say you were soft on crime, and didnt think about the children!
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      You shouldn't have to be treated like a criminal on the internet. This is why networks like anoNet (http://www.anonet.org/ [anonet.org]) exist, but with this treaty, Tor and other networks like it may be compromised. Fight against data retention, encrypt your communications, and even join an anonymous community. The Internet should be ours, not theirs.
    • Well, here is the list of suckers [coe.int] so far.

      A little disappointed to see Canada on there, but at least we didn't x the "signature without reservation as to ratification" box like the US did.

      Anyway from my attempt at reading the treaty, it seems like all it *requires* is a country to make it possible for it's "competent authorities" to be able to record data when requested to do so. It doesn't say service providers are required to do more than facilitate this recording. See Article 20 and Article 21 [coe.int]. This

  • Just watch as US passes laws restricting rights to "comply with the treaty" they helped draft, just as with the Convention on Psychotropic Substances.
    • Yeah, there is a law that is already against this whacko treaty... "nor shall be compelled in any criminal case to be a witness against himself," IANAL... but its called the 5th Amendment.... http://caselaw.lp.findlaw.com/data/constitution/am endment05/ [findlaw.com]
      • by Dunbal ( 464142 )
        Yeah, there is a law that is already against this whacko treaty... "nor shall be compelled in any criminal case to be a witness against himself,"

              If medical records can be used against doctors all the time, why can't logs be used against netizens? Not that I agree or anything, but there is a certain consistency here.
      • although the courts cannot compel me to testify they can by god compel me to produce records that help to incriminate myself
    • by drmerope ( 771119 ) on Tuesday March 06, 2007 @08:45PM (#18257752)
      Just watch as US passes laws restricting rights to "comply with the treaty" they helped draft

      Yes this one reason why those people who advocate the idea that treaties can trump the Constitution do not appear to apprehend all of the consequences. This is one point at least that Scalia et al do get right: allowing defacto amendment of the Constitution via the treaty process could significantly impair our Constitutional protections.

    • by smchris ( 464899 )
      Yeah, but if French or German police try to go after some American neo-Nazi holocaust denying website and the U.S. government doesn't let them into the country just watch our free press expose the hypocrisy. Oh, wait.....
  • Unfair (Score:3, Insightful)

    by cedricfox ( 228565 ) on Tuesday March 06, 2007 @08:17PM (#18257550) Homepage
    I don't like it one bit. This is another law designed to keep the good people afraid, uncertain, and doubtful, while providing us less security.
  • Another law that only barely benefits regular people
  • by Em Ellel ( 523581 ) on Tuesday March 06, 2007 @08:25PM (#18257612)
    ...set up a small state, join the treaty, declare storage of any credit card information illegal and then demand that all companies doing business online turn over all their credit card information, as well as arrest of all of their employees...Could be fun....

    -Em
  • Can China join this (Score:5, Interesting)

    by wannabgeek ( 323414 ) on Tuesday March 06, 2007 @08:37PM (#18257674) Journal
    And demand information about bloggers posting from even outside their country?
    • by Anonymous Coward
      That's an excellent point. Anonymous speech is a cornerstone of our democracy. A sign at the postal museum in Washington D.C. reads:

      At the beginning of the new America, nearly all the news came by mail. When the Constitution was signed, it was rushed by post riders to every town that had a printing press. And that's how the newspapers were able to bring the resounding news of how we were to govern ourselves. The newspapers knew of it first by mail.

      In England, for centuries, the mail was frequently

  • by SmoothTom ( 455688 ) <Tomas@TiJiL.org> on Tuesday March 06, 2007 @08:39PM (#18257702) Homepage
    I have not had an opportunity to peruse the ins and outs of these new and proposed laws, but as a retired businessman, who runs a six node wired/wireless network for myself and family at home, I wonder if as a 'network operator' of my own private LAN I will need a few terabytes of storage, etc. to meet the retention requirements.

    Sounds ridiculous, but it all depends on the wording, eh?

    --Tomas
    • Re: (Score:3, Funny)

      by Migraineman ( 632203 )
      Funny, there hasn't been *any* activity on my home LAN for as long as I can remember. Yep, here are the printouts of the logs. See for yourself. Nuthin'. Backups? Got destroyed in the blizzard of aught-six. Sorry, nothing more I can help you with. You want to come in and see for yourself? I don't think Mr. Mossberg [mossberg.com] would like that ...
      • Re: (Score:3, Insightful)

        by Dunbal ( 464142 )
        Backups? Got destroyed in the blizzard of aught-six.

              You reported the back-ups lost within 90 days of the blizzard, didn't you citizen? I'm sure you wouldn't want to spend 2 years in jail for forgetting to file the appropriate form...like it says right here in subsection 39 paragraph C part xii...
        • Absolutely. I also had the receipt notarized as doubleplusgood. I'm certain the Bureau of Records and Community Surveillance has the form on file. After all, compulsory self-surveillance is the first step toward maintaining Citizenship!
    • Re: (Score:2, Funny)

      by rwwyatt ( 963545 )
      I'll need a few petabytes for my porn collection alone!
    • the only thing i could find the treaty about stored data is this which just pretty much states that any data the provider ALREADY HAS is retained in an expedited manner so it doesn't get over written. [quote]Article 16 - Expedited preservation of stored computer data 1 Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has bee
  • If only.. (Score:4, Interesting)

    by aero2600-5 ( 797736 ) on Tuesday March 06, 2007 @09:20PM (#18257934)
    If only the police would do their jobs, this wouldn't be necessary.

    What crimes can this help fight that can't be helped in other ways? As it is, everything leaves a digital trail, if not a physical one.

    Let's name some 'horrible' crimes. The only truly horrible crime I can think of on the internet is child pornography. It appears that, in light the large number of recent events, that they already know how to investigate this crime. In the event that didn't have a reasonable track record, there are still methods to combat this. The children are somewhere, find them. They're missing from somewhere, start there. There is money being made, follow that. The pervs get into these groups, so could the cops. The laws are pretty clear about child pornography: Have anything to do with it, and you'll go to jail for a long time.

    Let's talk about other crimes. DDOS? Will this law help stop Distributed Denial of Service attacks? Not likely. Most DDOS attacks are done remotely using a net of bots. This law would require terabytes worth of retained data created by these bots, while the people that created the bot-net will have done so in a manner that isn't traceable. This law won't help any.

    How about selling contraband over the internet? This law isn't necessary. The contraband is being created somewhere. The item is being shipped somewhere. Money is being transferred. There are standard methods to track all of this. The contraband is a physical item. Find it, you lazy fucks.

    In short, requiring network operators to retain a record of every digital transmission is a lot like banning guns. Ban guns, and then only the criminals will have them. Require that ISPs keep records, and then only the criminals will be able to move freely about the internet.

    Hey Keystone Kops, want to catch more bad guys? Work together better with your cohorts in other countries. Share that legally acquired data more efficiently. You found this item here. They're looking for this item there. Put two and two together, assholes.

    Why should network operators have to pick up the slack for inefficient and incompetent law enforcement?

    Aero

    "Any society that would give up a little liberty to gain a little security will deserve neither and lose both."
    • agreed.

      and finally, to the Keystone Kops:

      hire more qualified computer analysts. that means candidates with a BS in CS.
      that doesn't mean some yokel who took a certification course at the local diploma mill.
      that certainly doesn't mean training your officers in computer forensics.

      If cops could do computer forensics, they wouldn't be cops!
      I've known one cop in my life who wasn't a complete kludge with computers and he was a gamer.
  • HELP! (Score:5, Interesting)

    by photomonkey ( 987563 ) on Tuesday March 06, 2007 @09:41PM (#18258070)

    I am an American, and I love my country. I am, however, getting really sick and tired of constantly watching my country crap all over everyone's rights (or in some cases, preempt people from HAVING rights) both here and abroad all for the sake of a few super-mega-corps; all the while, we're pretty powerless to immediately end any of it.

    As I sit back and watch all the industry in this country die as we make the shift to a service-based economy, I watch us become less important in the global marketplace. Sure we have lots of cash (read: power) now, but what happens when we piss it all away? For Pete's sake, the Shanghai market shows instability and Wall Street shits the bed. We're on the verge of recession.

    There were times in history in which the US helped prevent other countries from making stupid mistakes. Now we are the ones making lots of stupid mistakes, and we're doing it over and over again.

    How does it benefit the EU or anyone else to go along with our silly shenanigans (especially these ridiculous 'e-piracy', think-of-the-children policies)? They didn't with Iraq (for the most part) and escaped unscathed (mostly). Why not tell the current US administration to stop being stupid by not agreeing to participate in its bullshit?

    We're really not a bad country or a bad people. Unfortunately, the filth has risen to the top. Certainly we can do our part to help stop all this, but voting takes time. Please help us stop this train speeding off its track by not supporting/recognizing the US' inane global commercialization laws and regulations. In the end, it will be better for all of us.

    We are, as a world, beginning to define what a global economy really is. This is our (the world's) chance to make life better place for everyone, and even turn a buck doing it. Please help the US stop being stupid not for the sake of the Bush family or those that give us a bad name, but for the regular folks here who work to feed their families and really do want to spread freedom and wealth around the world.

    Americans really aren't bad people. The leadership class just needs a little reminder every once in a while that they are PART of the world, not the fucking owners of it.

    This is certainly no call for violence. Just a simple request that other countries not participate in nor support our stupidity.

  • by buss_error ( 142273 ) on Tuesday March 06, 2007 @09:41PM (#18258072) Homepage Journal
    Some good points about possible abuses have been raised, and not a few real problems too. These should be addressed; however, the problem on the internet today are so over-arching that something must be done. Not the law in it's present form, but SOMETHING.


    I admin for a moderately sized internet farm, and I can tell you this: If you take the amount of spam you see in your inbox, and multiply each spam by hundreds of thousands, you'll only just begin to get a glimmer of the amount of malicious or covert packets running around your own network, let alone from other networks.

    Sadly, the day where internet facing services can go unmonitored and un-logged is past by seven years or more. Criminals are stealing millions of US dollars every day, day in and day out, and some times stealing tens or hundreds of millions. Data theft is rampant, espionage (corporate and government) is rife, trust is broken... It's a mad house out there.

    One of the things we've done is to insert known "markers" in our own databases. These markers let us find how and who accessed a database, from where, what time, and what user/password were used to extract that data. In other situations, we've taken care to be able to trace the data flow. Some cases have arisen that made my hair stand on end, it was so bad.

    No, the "wild west" days of the internet are at an end, and they must come to a close. Reasonable laws, reasonable requirements should and must be put on networks so that criminals can be brought to the bar for judgment of their crimes. To do any less is to fail civilization. And that's from someone who signs his posts with the below. It's a fine quandry I find myself in...

    • by catprog ( 849688 )
      So I assume you want a log of where every one goes and then if they do something that is illegal somewhere else they get prosucted for it?
      • I can see that you didn't bother to read where "reasonable" entered into my comments, nor my sig. If you fear for your anonimity in surfing the web, I share that concern.

        I could use a thousand examples from Phishing to "So, if you want child porn, you shouldn't be logged?" type arguements. However, I'll simply limit myself to pointing out that I've asked for "reasonable" limits and "reasonable" laws. What is reasonable? Well, I for one would start with

        child porn is unreasonable and should not be protected

        • You only suggested what needs to be stopped, which no one disagrees with, but not how, which is the issue at hand. And this legislation only feels like fuel to the witches fire.
          • You only suggested what needs to be stopped, which no one disagrees with,

            Part of defineing a solution is defineing the problems to be solved. An some DO disagree
            with what I think should be stopped. I think it's important to state that right up front.
            One of the things I think should be stopped is unsolicated bulk email, of what ever content.
            Another is to force ISPs to act on abuse reports. I've one IP I reported to AT&T over a year ago for sending viruses, put in my IPTABLES, and forgot about until

        • by catprog ( 849688 )

          child porn is unreasonable and should not be protected.

          And it is also illegal under todays laws finantial crimes are unreasonable and should not be protected. I see no need for 419 spammers getting off scott free. And it is also illegal under todays laws

          Impure drugs are unreasonable and should not be protected. (EG: almost all drug spams and all penis pill spams.) (see several drug administraion findings that the most popular erectile drug spams have pills that contain rodent fecal matter and no er

    • We (those with technical abilities) can fully secure the Net - or a substantial subset of it. We could do it this year. But we won't, largely because we respect outlawry too much. Why? Because there are too many jackass laws. When governments stop persecuting people for free thought, for music, for sex (other than with children), for drugs, for spiritual practices and political involvements - then we can lock down the Net, knowing that our work isn't going to further greater evil than it prevents, won't be
      • We (those with technical abilities) can fully secure the Net - or a substantial subset of it. We could do it this year.

        I firmly believe this month were we as techs and admins to do what we know we should do.

        But we won't, largely because we respect outlawry too much.

        Or we wish to continue our employment.

        Because there are too many jackass laws.

        As many "jackass laws" as their are, there are many more "jackassed" "management" teams overruled by brainless salesforces.

        When governments stop persec

    • by l0rd ( 52169 )
      I'm sorry, but how does logging what everybody does and giving that data away willy nilly help prevent the things you stated? These are stupid laws created by people who have absolutely no understanding of the internet or what constitutes a threat. The only people they inconvenience & punish are the innocent and they also create a dangerous precident for walking all over your rights.

      We are now opening a pandora's box with grave consequences.
  • yep - there it is (Score:2, Interesting)

    by vic-traill ( 1038742 )

    This was pretty quick find in terms of the status in Canada:

    - we signed
    - it isn't ratified by Parliament yet
    - the bureaucrats are working on it

    It is noted that a number of laws have to be changed in advance of ratification, so

    Complementary or further amendments could be made to other existing laws , such as the Competition Act, in order to modernize them in accord with the Convention, notably in the areas of real-time tracing of traffic data (see section on Specific Production Orders below) and interception of e-mail.

    There are a couple of beauties in here; the options being examined for the cost of building a required "interception capability" for ISP's include the ISP's paying for it, the ISP's paying for it when "significant upgrades" to their networks occur but not required to pay for

  • But when it comes to cybercrime, no one really expects law enforcement to keep up technologically with criminals--it's an arms race the criminals keep winning. An alternative is to raise the penalties, in hopes of deterring criminals who weigh the benefits of committing their crimes against the risk of getting caught.

    Clearly what is needed is the death penalty for all use of file sharing and other computer crimes. That is sure to reduce crime levels to near zero.

    In case you missed my sarcasm, my point is th

  • Could they then demand that ISPs and/or LAN admins hand over information on who uploaded pictures to a magazine website, then use this information to demand the extradition of employees of any magazine that showed so much as a woman's bare ankle? Find out who uploaded Sports Illustrated Swimsuit Edition pictures and yank them over to Saudi Arabia for a public flogging followed by 15 years in jail?

    An exaggeration, I'll admit, but just an extreme example of the types of things we could see if this is ratifi

Utility is when you have one telephone, luxury is when you have two, opulence is when you have three -- and paradise is when you have none. -- Doug Larson

Working...