Cybercrime treaty gets it wrong ... again

The Council of Europe's latest cybercrime treaty, which bans "hacker tools," is another case of trying to solve society's problems with the legal system. Most of the laws passed over the last 20 years to protect privacy and security in this electronic age aren't really effective; preventative security measures are really the only viable solution.


Back in the 1980s, when cell phones first became popular among the rich and powerful, it became apparent that people were eavesdropping on cell phone conversations with radio scanners available at any Radio Shack. Instead of informing cell phone users of the limitations of the current technology, or building encryption technology into the phones, the cell phone manufacturers lobbied to criminalize listening to "their" section of the radio spectrum. And Congress complied -- making listening illegal with the Electronic Communications Privacy Act (ECPA) of 1986.

About the only thing that this accomplished was to disallow law enforcement from using evidence gathered from intercepted cell phone conversations in court. Worse, the act gave people a false sense of security: No one is listening because it is illegal. Uh-huh. We can't be sure if anyone actually stopped listening because there really is no way to detect someone doing that. I don't know of any cases that were prosecuted under this law.

So people went on eavesdropping.

The FCC got into the act in 1994 and made it illegal to manufacture a scanner that could receive cellular frequencies or be "easily" altered to receive these frequencies. So companies that made receivers had to do extra work to make sure they weren't making a technology that could receive what was illegal. This seemed like the wrong side of the equation for the legal system to be forcing a technical solution on.

Shouldn't this work be going on at the cell phone companies? Shouldn't they be required to produce a secure solution if that is what they are selling? Does anyone really think that these laws and regulations stopped anyone from listening to cell phone calls?

So now we have a new generation of digital phones. They are covered by all the same anti-listening laws. As a security researcher I cannot legally test any of these phones to see if they can be easily intercepted, even on behalf of a client. We have to take the manufacturer's word for it. Now imagine this system being applied to computer software. Imagine not being able to legally test the security of Windows or Linux for yourself; you would have to just take the manufacturer's word for it.

The Council of Europe's latest cybercrime treaty, with the hope of stopping computer criminals, will ban most of the tools that are used to find the security problems in networks, operating systems and Internet applications. This is because the same tools that can be used for good can be used for evil.

Take Nmap for example. It is a network scanner. It can be used by a computer criminal to find the vulnerabilities in a particular computer system in order to target and attack. It also can be used by a system administrator to make sure she secured her particular system properly. Additionally, a security researcher can use Nmap to find security holes in a firewall or operating system.

As a security researcher I am often given applications or devices, without source code or design specifications, and asked to test the product for vulnerabilities. This is usually done on behalf of a third party who wants to use the product but wants to test the claims of the manufacturer. I don't know of any other way to do this than to use the scanners and network sniffers that would be banned by this treaty.

To be certain a particular device can withstand a denial of service attack you need the tools to create that attack. To test to see whether old vulnerabilities are reintroduced in new versions of a program it is useful to regression test with old exploits. These are basic engineering practices that will be outlawed if "only outlaws can have exploits."
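The regression-testing practice described above, as an added illustration that is not part of the original column: the inputs that once defeated a product are kept as a permanent test corpus, so a later release cannot quietly reintroduce the bug. The `sanitize_filename` function, its `legacy_sanitize` predecessor and the input corpus are all constructed for this example and belong to no real product.

```python
"""Security regression tests: keep the inputs that once broke the product
as permanent test cases so a new version cannot silently regress.
Added example; the functions and corpus below are hypothetical."""
import posixpath


def legacy_sanitize(user_supplied: str) -> str:
    """Illustrative earlier release: strips a single leading '../' and
    nothing else. Every entry in the corpus below gets past it."""
    return user_supplied.replace("../", "", 1)


def sanitize_filename(user_supplied: str) -> str:
    """Return a bare filename safe to store under a fixed upload directory,
    or raise ValueError. Hypothetical hardened replacement."""
    if not user_supplied or len(user_supplied) > 255:
        raise ValueError("empty or overlong filename")
    if "\x00" in user_supplied:
        raise ValueError("NUL byte in filename")
    # Treat backslashes as separators too; the old code only looked at '/'.
    candidate = user_supplied.replace("\\", "/")
    # After normalisation the name must be a bare component with no directory part.
    if posixpath.basename(posixpath.normpath(candidate)) != candidate:
        raise ValueError("path separators or traversal not allowed")
    if candidate in (".", ".."):
        raise ValueError("reserved name")
    return candidate


# Constructed corpus: inputs that, in this illustration, slipped past an
# earlier release. The note records which release closed each hole.
REGRESSION_CORPUS = {
    "../../etc/passwd": "closed in v1.1 (plain traversal)",
    "..\\..\\windows\\win.ini": "closed in v1.2 (backslash separators)",
    "report.txt\x00.exe": "closed in v1.3 (NUL truncation)",
    "/tmp/absolute": "closed in v1.1 (absolute path)",
    "..": "closed in v1.4 (bare parent reference)",
}


def regression_failures(sanitizer) -> list:
    """Run the corpus against a sanitizer and return every entry it
    wrongly accepts (i.e. does not reject with ValueError)."""
    failures = []
    for payload, note in REGRESSION_CORPUS.items():
        try:
            sanitizer(payload)
        except ValueError:
            continue
        failures.append(f"{payload!r} accepted again ({note})")
    return failures


def accepts_benign(sanitizer) -> bool:
    """The hardened version must still accept ordinary filenames unchanged."""
    return all(sanitizer(n) == n for n in ("report.txt", "image-01.png", "a.b.c"))


if __name__ == "__main__":
    print("legacy build regressions:", len(regression_failures(legacy_sanitize)))
    print("current build regressions:", regression_failures(sanitize_filename))
```

Wiring `regression_failures(sanitize_filename)` into the build so that any non-empty result fails the release is the whole point: the old payloads are the test, and a release that accepts one of them again is rejected before it ships.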

A future where security is dictated by laws and not by sound testing and engineering will be a failure. Outlawing listening to cell phone calls just gave consumers a false sense of security -- it did nothing to solve the privacy problem. If lawmakers want to use their power to actually solve the security problem, make it a crime to ship products marketed as secure without a certain level of security testing.

Don't take away the few tools we have to verify and find security problems.