By Karen Gullo
Security researchers’ work discovering and reporting vulnerabilities in software, firmware, networks, and devices protects people, businesses and governments around the world from malware, theft of critical data, and other cyberattacks. The internet and the digital ecosystem are safer because of their work.
The UN Cybercrime Treaty, which is in the final stages of drafting in New York this week, risks criminalizing this vitally important work. This is appalling and wrong, and must be fixed.
One hundred and twenty-four prominent security researchers and cybersecurity organizations from around the world voiced their concern today about the draft and called on UN delegates to modify flawed language in the text that would hinder researchers’ efforts to enhance global security and prevent the actual criminal activity the treaty is meant to rein in.
Time is running out—the final negotiations over the treaty end Feb. 9. The talks are the culmination of two years of negotiations; EFF and its international partners have raised concerns over the treaty’s flaws since the beginning. If approved as is, the treaty will substantially impact criminal laws around the world and grant new expansive police powers for both domestic and international criminal investigations.
Experts who work globally to find and fix vulnerabilities before real criminals can exploit them said in a statement today that vague language and overbroad provisions in the draft increase the risk that researchers could face prosecution. The draft fails to protect the good faith work of security researchers who may bypass security measures and gain access to computer systems in identifying vulnerabilities, the letter says.
The draft threatens security researchers because it doesn’t specify that access to computer systems with no malicious intent to cause harm, steal, or infect with malware should not be subject to prosecution. If left unchanged, the treaty would be a major blow to cybersecurity around the world.
Specifically, security researchers seek changes to Article 6, which risks criminalizing essential activities, including accessing systems without prior authorization to identify vulnerabilities. The current text also includes the ambiguous term “without right” as a basis for establishing criminal liability for unauthorized access. Clarification of this vague language as well as a requirement that unauthorized access be done with malicious intent is needed to protect security research.
The signers also called out Article 28(4), which empowers States to force “any individual” with knowledge of computer systems to turn over any information necessary to conduct searches and seizures of computer systems. This dangerous paragraph must be removed and replaced with language specifying that custodians must only comply with lawful orders to the extent of their ability.
There are many other problems with the draft treaty—it lacks human rights safeguards, gives States powers to reach across borders to surveil and collect personal information of people in other States, and forces tech companies to collude with law enforcement in alleged cybercrime investigations.
EFF and its international partners have been and are pressing hard for human rights safeguards and other fixes to ensure that the fight against cybercrime does not require sacrificing fundamental rights. We stand with security researchers in demanding amendments to ensure the treaty is not used as a tool to threaten, intimidate, or prosecute them, software engineers, security teams, and developers.
For more on the treaty:
Karen Gullo is an award-winning former journalist working as an analyst and senior media relations specialist at EFF, collaborating with the organization’s lawyers, activists, and technologists on strategic communications and messaging to amplify their amazing work defending civil liberties in the digital world. As a writer, editor, and former reporter with over two decades of experience at Bloomberg News and Associated Press in San Francisco, Washington D.C., and New York, Karen helps develop EFF’s responses to media inquiries, and writes press statements and releases and op-eds about EFF’s advocacy of online privacy and free speech, encryption, Fourth Amendment rights, copyright abuse, and much more. As an analyst, Karen writes blog posts and contributes to white papers on subjects ranging from student privacy and mass surveillance to private censorship, the First Amendment, and international surveillance and data protection treaties. She has worked on EFF activism projects holding social media platforms accountable for bad content moderation practices, exposing Amazon Ring’s cozy relationships with local law enforcement, and pushing for the inclusion of human rights safeguards in the Council of Europe’s revised Budapest Convention. She is also a contributing writer for feminism website SeismicSisters.com. Prior to joining EFF, Karen was a reporter at Bloomberg News from 2002 to 2015, where she broke stories about Google’s legal challenge to FBI national security letters. Before Bloomberg, Karen was a reporter for the Associated Press in New York and Washington, covering politics—including the 2000 presidential election—the Justice Department, campaign finance, federal contracting practices, and much more as a member of an investigative reporting team. Karen is the recipient of national and local journalism awards, including the Jesse H. Neal Award Business Journalism Award and the San Francisco Peninsula Press Club’s excellence in journalism awards. 
She grew up in Oak Park, Illinois, and resides in San Francisco.