 of criminal law. People often want to see into the future and today that's what we're going to do. We're going to look at what's going to happen. What is the future? Some people say that technology is the future, but we all know that the real future is globalization. And what globalization is going to bring us is international computer crime laws, not global at first, but eventually that's what we're moving towards. And what I want to look at is the first major, probably to be successful initiative to have an international computer crime law. Why do we need international computer crime laws? Because the internet is an international system because computer crime and crime of all sorts now can cross boundaries. In the old days I had to go into the library with the candlestick if I was going to kill Colonel Mustard. I had to actually physically be there and while being there I could leave behind all sorts of evidence from fingerprints to hair samples, eyewitnesses who may have seen me enter the room all the way to today leaving behind DNA. Now I can be the criminal in one country, I can attack a victim in another country and the evidence can be strewn in any number of countries in between. And police hate that. But there is some major obstacles towards developing a uniform theory of what computer crime should be. And what are those obstacles? First of all, between, there's a lot of areas of agreement which in most of the European nations and in the United States, we have a consensus as to what should be illegal. And some of those areas of obvious agreement where there's not a lot of problem for people to say yes I agree that should be illegal are, for example, with child pornography, the destruction of data, data theft. These are offenses which we can tend to agree ought to be made illegal. But there are great areas of disagreement. One of the major areas of disagreement is substantive. What is or what should be a crime? 
And countries don't necessarily agree on this even in some basic ways. For example, in the United States unauthorized access, simple trespass to a computer without permission, is a crime. Other countries may not have a crime, may not have a statute that prohibits that at all, or when they do have a statute that prohibits it, they may have some added additional things that go with it. They don't think that simple trespass is a crime. For example, in Germany, their unauthorized access computer crime law requires that the person have circumvented some kind of security measure in order for that trespass to then be unauthorized. So if you just happen upon the password file in a web server in the United States, you could be convicted of unauthorized access because you exceeded your authorization when you went to look at this password file. In Germany, that wouldn't be the case. The people just left their password file on the web server without any kind of security protection or means of authenticating permissible viewers, so it wouldn't be a crime under that statute. So even with something as simple as unauthorized access, we can have great disagreement. Another problem is the relative competence or incompetence of local law enforcement officials. Here in the United States, we've had a lot of effort to try to train our FBI agents to be up to snuff in the techniques necessary to do a good forensic analysis of computer crime data. In other countries, they do not have the resources necessarily or... screensaver. They don't have the resources necessarily or the information or the expertise for them to investigate computer crimes in such a way as to necessarily find the proper perpetrator or to do it in a way in which it could be used in a court, for example, in the United States where you're going to have defense attorneys to challenge that evidence.
There may be somebody who commits an offense in another country and the United States is interested in locating and prosecuting that person, but local law enforcement authorities here may have little or no power to go to another country where the perpetrator may be located or where the evidence may be located to investigate. So there's no agreement on what powers one nation has to interrogate, search, seize evidence in another nation, and nations differ from country to country as to what kind of privacy protections they have for their internet users and thus what kind of evidence they can permissibly collect from an ISP. And the question is then, can they simply seize evidence from the ISP? Can they simply... do they just have to request it? Do they need a court order or perhaps a warrant, or do they need nothing? Or is there no way for them to obtain that information? Is it so protected a law enforcement person can't get it at all? There's the territorial problem with the lack of cooperation between a local law enforcement agency, or one nation's law enforcement agency, and the law enforcement agency of another nation. We've all seen those movies where the FBI comes in and the local police are mad because they're on their territory. Well, that sort of internecine rivalry is that many more times worse when we're not even talking about officials in the same country. And finally, if we do manage to discover who is the perpetrator of an offense and where they are located, there are disagreements over whether one nation has the authority to bring that person to that country for trial and whether the home nation is going to extradite that person. So all of these elements make, at this point in time, international computer crime difficult to deal with. Let's look at some examples. Who's familiar with the I Love You virus case? Okay, so I won't go into it in too much detail.
A gentleman in the Philippines decided it wasn't fair that no one in the Philippines could afford internet access. He thought a good way for people to get internet access would be to use the accounts of other people, to have their password. So he wrote, as part of his school paper, a virus that would go out through the internet and it would collect passwords. This I Love You virus, it was an email that was titled "I love you", and of course everybody always hopes that somebody loves them. So when they would get an email from your friend that said "I love you", you would click on it, open it up, and what it would do is it would go through all your email addresses, if you happen to use Microsoft Outlook, and send itself to all of those people, a note from you saying that you loved them. And there were great complications for corporate networks as they tried to clean this bug out of their system. But essentially what it was supposed to do is harvest these passwords and send them home. Eventually the United States authorities, with the cooperation of the Philippines, were able to trace this virus back to a small apartment in Manila where this gentleman lived with his girlfriend, or with his sister and her boyfriend, I believe. And eventually, first they thought it was the boyfriend, but when this guy's school told the authorities that actually he'd written his graduate thesis paper on exactly this topic, they realized that it was him. So corporations here in the United States were claiming millions of dollars of loss for all the time and effort that they had had to take to clean this virus out of their system, because everybody was getting way too many emails. And they were eager to prosecute this sort of latter-day Robin Hood here in the United States or the Philippines, just as long as something happened to him. But it turned out that the Philippines does not have, or rather did not have, a law against writing and sending viruses.
So there was nothing to prosecute him for, and this gentleman was set free, much to the consternation of local authorities here in the United States. Of course, bad cases always make bad law, and the Philippines ran out to quickly pass an antivirus law, which in the long run is a good thing. But at the time, since there was no law, it couldn't be applied to him prospectively, and for this gentleman there's no legal recourse. There's no legal punishment that can befall him. And that was extremely aggravating to the United States. But not as aggravating in some ways as the case involving the Russians. Because at least in the I Love You virus case the Philippines was cooperative. In the case involving these two Russians, the... let me just add that because it was not a crime in the Philippines, the gentleman who wrote the I Love You virus could not then be extradited to the United States for trial here, even though it is a crime here in the United States. So nothing could be done. And with the Russians, these were two Russian guys who had stolen a bunch of credit card information, done some other stuff, but basically stolen a bunch of credit card information from companies like PayPal, which is an online payment provider, and the FBI, with some assistance, was eventually able, after a year or so of investigation, to trace these thefts back to Russia. They called the Russian authorities and asked them for assistance, and the Russians simply did not return their telephone calls. They could not get the Russians to be interested in arresting these two guys. Not only couldn't they get them interested in arresting the two guys or interrogating the two guys, they couldn't get them to even collect any evidence over there from these two guys. Their requests for assistance were totally ignored, and the United States has no power to obtain a search warrant for a computer server that's located in Russia.
Without that information they couldn't charge them here and of course without the cooperation of the Russian authorities they couldn't extradite them here to the United States. So the FBI came up with a great social engineering hack. They didn't have Russian cooperation. They didn't have any evidence and they didn't have great technological expertise but what they did do was they set up a fake company in Seattle and they called these Russian guys up and they said hey we've got this computer security company and we think you guys are really good. We might want to hire you. Why don't you guys fly here to Seattle for an interview. So these that's right. So these two guys know times are tough. The economy is bad. So these two guys flew from Russia to the to Seattle to go to this company Invita it was appropriately called and while they were there they went through the sort of interviewing process and the FBI agents posing as human resources personnel said well you know show us what you can do hack into our network. So the Russian guys sat down at the company computers and logged into their server in Russia to get their hacking tools that they had stored there. Unbeknownst to them the FBI had a sniffer running on that system and captured their username and password. After they entered that information into the computer the Russians were arrested and with that username and password the FBI logged on to the server in Russia collected that information brought it over here to the United States zipped it up then went and got a search warrant to open the file that they had downloaded from Russia after having obtained it. The defense attorney in that case did challenge that on fourth amendment grounds and the judge denied his motion but I'm sure that that it will be appealed. 
So with cases like that, there's been an immense interest on the part of international law enforcement to try to come to some kind of terms of cooperation, some terms of agreement, so that we don't have these problems arise in the future. The Council of Europe's cyber crime treaty is the most developed and the most advanced of these efforts. Something of a gleam in the eye of the Hoover Institution only four years ago, it's now rapidly on its way towards ratification, and we're going to talk in detail about the provisions of that treaty, but I just want to mention that there has been a lot of international cooperation in many fields other than crime lately. The G8, which is the eight industrialized nations, has also been very concerned with cyber crime and has developed a list of principles which have been incorporated into the Council of Europe treaty. We've also seen international treaties on copyright law, and a new one that we're in the process of debating, which is the Hague treaty, which is about the enforcement of foreign judgments. Now you may remember, as I said, globalization is the future, internationalism is the trend, and we are looking at a vast effort to homogenize the law across nations, most often in the way that the United States thinks the law ought to be. With conventions or treaties like the Berne Convention or the WIPO treaty, we're looking at exporting the United States view of what copyright law is to other nations, and if you'll remember, it is the WIPO treaty that brought us the Digital Millennium Copyright Act, and I know that that was discussed here at this conference earlier so I won't belabor it, but, you know, I think we're familiar with the problems that the DMCA poses for people doing research, for reverse engineering, for encryption research and other important and valuable efforts of that nature. You know, basically Mickey Mouse is getting his way and the rest of us are going to have to follow in step.
The Hague treaty is even more dangerous in many ways. The Hague treaty is a treaty that's designed to enforce foreign judgments. Now, most treaties, and the Council of Europe cyber crime treaty I include in this, want the signatories, the countries that join the treaty, to change or amend their laws to be in accordance with what the treaty says. The Hague treaty is a little bit different in that what it says is, whatever your law may be, we're going to respect that here in the other countries that are members of the treaty. So instead of saying here's what our basic standards are going to be for the law, the Hague treaty says, hey, if you break the law in this country or that country and there's a judgment against you, we're going to let that judgment be enforced here in the United States. So if you get sued for defamation or libel or something like that in the United Kingdom, which does not have the same free speech protections we have here, and there's a judgment against you, here in the United States we're going to allow that judgment to be enforced. So this is not about the Hague treaty, perhaps it should be, and we can talk more about that later, but the Hague treaty raises a lot of problems, and those problems, basically the problems of differences in values, differences in procedure, differences in protections for privacy, free speech and important rights of that nature, those are problems we're going to see here with cybercrime and also that are very much issues with the Hague treaty. I have a question there. The question was whether the Hague treaty prevents our government from prosecuting us for foreign laws, and while the Hague treaty does not prevent that, here in the United States you can be prosecuted under United States laws. Our government has to enforce our laws. So the Hague treaty will not give our government new power to prosecute for other laws, but what it will do is it will say that our government has to enforce judgments in other countries under their laws.
So, as I said, if you were, if there was, if you were sued in the United Kingdom for insulting McDonald's and the McDonald's won a judgment against you there, then the United States government would be a party or an accomplice to enforcing that judgment against you here, even though under United States law your comments about McDonald's would have been protected under the First Amendment and not something for which you could have been sued civilly. Okay, the gentleman with the white hat. He's asking who it applies to, and that's a good question, because obviously if it applies to... we certainly don't want judgments from some countries whose laws are extremely different from ours to be enforced here. For example, if you violated that ankle-showing law in Afghanistan and now I'm going to get caned, we certainly wouldn't want that judgment to be enforced against me here in the United States. It'd be something of a spectacle. But it's for nations that signed the Hague Treaty or any of these treaties, and right now, as with the cyber crime treaty, we're basically looking at the western Europe nations. With the cyber crime treaty it's the western European nations plus the, I forget what they call them right now, but sort of the friendly observer nations, United States, Canada, Japan and maybe one other, that we're looking at as inviting to be members of this treaty. Yes, you. Okay, so this is a basic jurisdiction question, and the answer to that is: if you do something from United States soil, you are subject to United States law even if it affects someone outside the country. If you do something from outside the country that affects someone on United States soil, then again you're probably subject to United States law. Now, whether you can get here or not, whether we'll get you here or not, is part of that whole extradition treaty question. But so the answer is, so the answer is, well, I'm not a specialist in British law. I think the answer is the same: if the server is
in the United Kingdom and people can read it in a Usenet group there, even though you're located here, theoretically you could be subject to United Kingdom law. However, this is part of the whole problem, or part of the whole good thing, about the Internet, which is that, what are they going to do? I mean, who's going to prosecute you for something you've done over there? But also, how can they stop you? For example, when Yahoo had people selling Nazi memorabilia across their network, they're subject to laws in Germany and France and, you know, other nations that prohibit the selling of that kind of material. But so what are they going to do? They take that stuff off of Yahoo.fr, but you can still get that on Yahoo.com, and a person in France can easily access Yahoo.com. So that is one of the issues with the Internet. You know, are we going to have a basic dumbing down, where all we see on the Internet is what's palatable to every nation, the lowest common denominator? Or are we going to see a higher level of discourse on the Internet where, you know, what's appropriate, you know, where we don't have those kinds of restrictions? Yes. Okay, so this is a question about where the account is located, and what I'm going to say is this: there are innumerable what-ifs in this area of the law, and the law is not certain about any of these things. What I just said about jurisdiction is the general principle, but some of these questions, you know, we can't really answer, because we don't know. These things haven't happened. There's no agreement on it. And what I really want to... I will take your question and then yours, but then I want to move on so that I can talk about what the Council of Europe is trying to do to address these problems, because the way the law is right now is not necessarily the way the law is going to be in the future. And I'm happy to take tons of what-ifs after, but right now I sort of want to begin to move on through exactly
what the law is. I mean, there's... the jurisdictional problem is huge, and that's why countries want to enter into these multilateral treaties, to try to resolve exactly the kind of problems that this person just raised. Yes. And it's a question whether there's, like, any country that has separate laws for foreigners than for their own nationals, and I don't know the answer to that. And the question was, isn't the Hague Treaty as I described it something that allows international law to override our domestic protections for free speech and rights of that nature? And the answer to that is yes, and that's one of the reasons why people are so concerned about the Hague Treaty. And Richard's... well, the treaty is not... the Hague Treaty is in its early stages, and one of the reasons why I mention it is because you'll see, as we go through the provisions of the cybercrime treaty, that there has been a lot of lobbying efforts on the part of computer security professionals, encryption researchers and people of that nature to try to change the European cybercrime treaty and make it more palatable, and the same thing needs to be done to the Hague Treaty. The Hague Treaty either needs to be amended from where it stands now or it needs to be killed. Richard Stallman wrote a great rant about why the Hague Treaty is bad, and I recommend that people take a look at that and think about, you know, what we can do in order to either ameliorate the downsides of these international laws or kill them altogether. Let's take a look at how that happened in the process of negotiating and arguing about the European cybercrime treaty. Okay, the treaty is currently in its final draft form. You can look at what the treaty says at that URL that I have up there, and the treaty is, as I said earlier, one of these types of documents that requires the member nations, the signatories, to amend their, or to pass, local laws that will make them in concurrence or in agreement with
all the other signatory nations. They have to pass new laws that will agree with the provisions of the treaty. And the treaty has three basic areas in which we agree to agree. One is the substance: that we need to have a substantive consensus. We agree on what is a crime; we amend our laws to make sure that everything that's in the treaty that they say should be a crime is a crime in the United States, and not just in the United States but in all the member nations of the Council of Europe. Second is a procedural consensus: that we agree that there are processes, whatever those processes may be, for the retention of data and the collection of evidence and then the disclosure of that information to local law enforcement. And finally, the third thing is the international cooperation aspect: if local law enforcement can collect the evidence, then local law enforcement can turn it over to the law enforcement agents of other nations, the nations where, for example, the crime may have had its worst effect. You want to see the site? Oh, I'm not sure if it's on Lexis, actually, so I don't really know where that would be. I don't know where it would be on Lexis. I know that's where it is on the web. Sorry. Okay, so here we have a little picture of our hero from the I Love You virus case, and he's representing everything that we're gonna now agree is going to be illegal. First, illegal access. Illegal access meaning access without right. Initially this law required every signatory nation to make illegal access, simple trespass or exceeding authorized access, illegal, just as it is here in the United States. With lobbying from other nations, the illegal access provision now allows variations on that theme, as per the law that already exists in Germany. They now allow you to require either that there be some kind of damage first or that some security measure have been circumvented or something like that. That was the result of lobbying. And we have illegal interception
of data: wiretap or sniffing. Data interference: stealing data, erasing data, altering data, that sort of thing. System interference: denial of service. Misuse of devices: this is very controversial and was formerly a provision called illegal devices, which controls the development, possession and use of hacker tools like scanners, exploits, password crackers, anything that is primarily designed to do the first four: illegal access, interception, data interference or system interference. Computer-related forgery, computer-related fraud, child pornography. And those are basically things that we traditionally think of as criminal offenses. Kim? Oh wait, hold on a second, Kim. The question was about the misuse of devices provision, and we're going to talk about that kind of in detail later, and then if I don't answer your question, please do ask it again. Who was the other person who wanted to...? Oh, okay. So now we get into a new kind of crime, maybe not here in the United States but for most of these places: copyright. This treaty would require the signatory nations to criminalize copyright. In the United States, up until not that long ago, copyright offenses were generally treated as a civil matter. Now they're treated as a criminal matter, and what this treaty would do is it would require other nations to also create copyright laws that are punished criminally. Now, I know that most of you probably know this, but the difference between a civil case and a criminal case is: a civil case is where somebody sues you for money; a criminal case is where the government pursues you to take away your liberty and you go to jail. And the treaty specifically states that member nations must pass laws that make you go to jail for copyright infringement. There's also provisions for aiding and abetting, corporate liability, and as I said, these all are laws that the signatory nations not only must pass but also must punish with a potential sentence of imprisonment. The gentleman in the back who changed his mind and wants
to ask his question again. The question is, does this apply only to copyright infringement, like a copying of songs on Napster or something of that nature? Does it also apply to purchasing or even producing counterfeit items, like fake Levi jeans or something of that nature? And basically the answer is it would apply to all those kinds of things if they happened in the signatory nations: anything that is a copyright infringement under the Berne Convention or the WIPO treaty or any of a number of other international copyright treaties. The question is, what does illegal access mean? And I ask myself that pretty much every day. Under the... I'm not kidding, pretty much. At this point in time each country certainly has its own hacker laws, and whether those laws prohibit illegal access or don't prohibit illegal access, require you to have circumvented some security measure or not, they're all over the map. The idea behind this treaty is to make everybody agree, within reason. They have had to make some concessions because of lobbying and because of differences between countries, but the basic idea is to get everybody in the Council of Europe, plus some other big nations like the United States, to all agree on the same definition, essentially the same definitions of crimes. Yeah? I can't really hear your question, I'm sorry. The question is, what if United States intelligence organizations attack something in one of the treaty countries? Does that then become illegal? And I asked myself that question when thinking about the Russians case. I mean, here we have FBI agents. They sniffed the network. Okay, it was their own network; maybe that's okay, maybe it's not. But then they used a password which they knew was not their own to gain unauthorized access to a server located in Russia and to take data from that server, and I thought to myself, that sounds pretty much like a violation of United States law. In the United States law there's a provision that says that law enforcement agents can
do stuff like that if they have legal authority. Of course, they didn't have a warrant or anything, and we don't really know what the legal authority necessarily would look like there, but, you know, it sounds to me like it's arguably an 18 USC 1030 violation. Of course, we don't see the Department of Justice going after these FBI agents to prosecute them. So my answer to you is that there will still be some variations between the laws of the member nations, and we still have possibly provisions that say there's an exception for law enforcement or something of that nature, and that even though that exception for law enforcement may or may not apply, because it doesn't seem like they got legal authority, law enforcement may still go ahead and do stuff like that. And the answer is, we don't know the answer, because that's the beauty of the Internet: it's still too young for us to really have everything nailed down. So it's a good question and a complicated answer. I'll take that gentleman in the back. Uh-huh. Okay. Did everybody hear that? Okay. Yes, I mean, it's... now it's all broken down. So those are the... I'm going to go without that, then. Those are the substantive rules that signatory nations need to agree on. There's also procedural rules that the nations need to agree on, and those procedural rules are basically about the collection of data and the preservation of data, so that we can have evidence collection by local law enforcement at least, which will lead us up to the third provision, which is that once local law enforcement collects this data, we're going to go and hand it over to foreign law enforcement agents. So first, there are procedural rules that require system administrators to preserve stored computer data up to 90 days upon request, and that 90-day period can be extended if further requested. System administrators must be able to... there must be laws that require system administrators to preserve traffic data and to disclose that data
to law enforcement agents. So I put a little picture of a computer server here, because one of the great complaints that these provisions have had, and one of the powerful lobbying efforts made against these provisions, was by ISPs, who said, look, we don't have the resources to store all this information for you all the time; this is a great financial burden on us and we simply can't do it. And the Council of Europe as a whole has generally disregarded that complaint on the part of the ISPs. Right, not all data; it is upon request. And actually that's a very good question and something that we'll talk about a little while later. There have been some amendments to these provisions to make them a little more palatable. In fact, the treaty does say that it is upon request, but countries can still require whatever legal process they need before this information is disclosed. So if the United States still requires a court or a warrant to get certain information, that's okay. Generally that's interpreted... the treaty is interpreted as not conflicting with already existing United States privacy protections. However, the treaty does not impose requirements on other signatory nations to have or to institute privacy protections at all before this type of information is turned over. So if nations want to have privacy protections, they still can, but there's no encouragement or inducement for them to do so. Yes. Okay, that's an excellent question, an excellent follow-up to the point that the gentleman over here made, and this was one of the major battles in this treaty: the question of whether or not ISPs or other service providers could be forced to construct their technology in such a way as to allow for this type of recording of data and surveillance. And there was great concern about this, because in the United States we had passed a law that we call CALEA, which many of you may be familiar with, and CALEA basically was a law that required telecommunications providers to have
technological capabilities within their systems that permitted law enforcement eavesdropping, that facilitated law enforcement eavesdropping. And when this treaty was being negotiated, people were very concerned that these provisions about procedural data collecting were another kind of CALEA for the ISPs, that have to do not with telecommunications but with data communications. And through great efforts at lobbying, the treaty has added a provision that says that this type of data collection has to be within the technological capabilities of the ISP, that there's not a CALEA-type provision in here that requires ISPs or remailers or that sort of thing to enable this type of evidence collection or surveillance. Many people feel that those provisions as they now stand in the treaty are not strong enough, but there is that language in the treaty, and the notes that explain what the Council of Europe was thinking when they were writing this thing, which I also often ask myself, say that they specifically do want to avoid what is called the CALEA problem. So thanks for that question. Search and seizure is another issue. Yes? Well, the question is, will ISPs be prohibited from informing customers when these requests are made? And the answer is that yes, there are provisions in this treaty that say that there has to be a way to hide the fact of this investigation from the customer. Now, what the parameters of that provision are I'm not totally familiar with, but I have a copy of the treaty with me and we can look it up. So if you want to come up after, and people who are interested in the nuances of that question, we can look that up in the treaty and see if it's possible for us to decipher what in fact it might mean. Search and seizure is an issue, and the main question with search and seizure was a problem with transborder searches. Are we going to let law enforcement agencies from France or
Britain or, you know, other countries come into the United States and search our computer servers here? Basically the way that that problem was resolved was to say no, we're not going to allow that, but what we are going to allow is we're going to enable local law enforcement to do searching, and then we're going to have local law enforcement promise that they're going to cooperate. One part of this search and seizure provision is that there should have to be laws passed which allow law enforcement to order a person with knowledge about the system or about the data protection measures to provide the ability to search, seize, or copy the data. So we're going to talk about that a little bit, but just think about that for a second.
I'm sorry? Is "provide" different from "enable"? You should be a lawyer, because that's a good question. I mean, we don't know. Basically what that provision has been interpreted as meaning is that it is a challenge or a danger or a threat to encryption rights in countries, that the person who's protected his data or her data with an encryption key would then have to be able to provide the ability to law enforcement to search that data, meaning that they may have to turn over their key. And that butts up directly against Fifth Amendment protections here in the United States, as well as creates a host of other problems. So whether "provide" means "enable," I don't know, but if you're asking me whether that means that encryption rights are threatened, the answer is yes.
The question is, does the treaty say that the authorities can go back to the person whose data it is and command to decipher it for them? And that is what the treaty looks like it says. That is what the treaty looks like it says, and is a source of great concern.
The treaty allows data interception. It requires signatory countries to pass laws that will force service providers to do real-time collection of traffic data and to cooperate with
authorities when they do real-time collection of traffic data. And as we talked about earlier, because of the good question in the back, that is within the service provider's existing technical capacity, so there's no CALEA problem. They're not required to build snooping into their system, but they do have to cooperate with data intercepts, just as the telecommunications companies do here when they're given a wiretap order.
And the final essence of all of this is that once the signatory nations pass the laws that state what is a crime, and we all agree on what's a crime, and once the signatory countries pass laws that say here's data collection can happen and here's how data collection will happen, then they all agree that they will then exchange that data. That's the essence of the treaty and how these international problems are to be overcome, and these jurisdictional questions. That's the cooperation problem. And added to that is a definition of jurisdiction, where a nation has jurisdiction is defined as on their territory, on one of their ships, on one of their aircraft. And once we have this agreement that the nations have jurisdiction, and that we have agreements about all these crimes, we can agree on extradition, because usually we don't have extradition unless the offense is a crime in both nations. Now it's a crime in both nations, so we agree that we extradite. It requires both, first, that it's punishable by both parties, but also that it be an offense that is punishable by more than one year. And an offense that's punishable by more than one year is a felony; by less than one year is a misdemeanor. That's the essential difference.
Okay, so consensus can be bad. Why? Because we don't have a laboratory approach where we can see a lot of variations in the ways that different computer crime laws can help or hurt computer security, and we also are heading towards a situation where we have a substantive agreement on these
laws without having any greater agreement on human rights, on free speech, on due process, or on any of these things, which could result not only in injustice in those other countries, but it results in our law enforcement agents and our country and our tax dollars being spent to pursue or prosecute cases in other countries that would never be pursued or prosecuted here because of these rights.
Article six is one of the more controversial of the provisions. Initially it regulated all hacker tools, and it was interpreted as preventing the development of any hacker tools. Through great lobbying efforts it's been amended, and it now says that there's no liability when the tool is designed for the authorized testing or protection of a computer system. That wasn't enough for many people, because, you know, who's to determine whether it's designed for authorized testing or designed for hacking? A hacking tool looks very much like a security tool. In fact, they're often the same tools. So because of great pressure from countries, from encryption experts, and from researchers in different countries, that provision is now one that you can opt out of. However, I think we can look, I think the trend of the future is that we're going to have to be battling a lot of laws that prohibit hacker tools. The Australian government has recently, is considering now, a law which would just ban all hacker tools without these exceptions for computer security research.
Child pornography: you wouldn't think it's controversial, but it is. This treaty will export the United States definition of child pornography, which includes not only actual child porn but virtual child porn, pornography in which no children were harmed but which appears to be a visual depiction of a child. At the very least, this treaty requires that the virtual child porn be a picture. In the United States that's not a requirement, and I read in the New York Times two days ago that somebody was sentenced
to prison for 10 years for a written depiction of child pornography. We talked about all this. So what's the bad news about the cybercrime treaty?
Are there, what? The question is whether any lawyers were involved in this process, and I think that the answer is clearly that there were too many lawyers involved in this process.
The question is whether the child pornography law has implications far beyond the limited ones that I said. And before I answer that question, I want to ask whether I have till 12 or 12:30. Does anybody know? Okay, well, my answer to that then is yes, it does. I want to go back here. Oops. Oh, now I messed it up.
Gonna make the slides available? Yeah, I will make them available on DEF CON. As you can see, I mean, with the child porn thing, that little picture there is the picture from Lolita, which was, you know, one of the classic, it's a classic, and also child porn. So child porn is very controversial. Most people think, oh, you know, it's a black and white issue, but there are lots of complicated legal issues in it, just like with the movie Endless Love and that sort of thing, what you raised.
Okay, so you saw the bad news, and I will make that available, but the question is, what can I do? And I don't want to leave you on the low point where you all feel like, man, that treaty really sucks, we're in for something really bad. So what can I do? Lobbying works. Okay? I've raised many points and pointed out numerous times where lobbying by nations, by researchers, by encryption advocates has resulted in modifications being made to the treaty that have made the treaty better. So lobbying does work, and it's not too late. So I urge everybody who has interest in these issues, and that does appear to be everybody in this room, since you came here and you stayed for the entire hour on this early Saturday morning, to get educated about these issues. Sunday morning, I see. I'm the one with the problem. And I've listed a couple of URLs
here for organizations which have been heavily involved in trying to make the cybercrime treaty better and to try to make sure that rights are protected, that our rights and the rights of people in other nations are protected in the treaty. So get out there and do some good. Thank you very much.