NationStates Jolt Archive


Computer Crimes Act

Gwenstefani
01-05-2005, 17:16
Updated! Comments? Thoughts?

Computer Crimes Acts

NOTING the increasing trend for computer networks to be interconnected and to transcend national borders;

AWARE that the vast majority of businesses and most national and international economies rely on these systems and the information contained within;

ALERT to the dangers of allowing such a vital and grand-scale system to remain unprotected by international law; dangers which could cause massive economic, and other, damage to individuals, corporations and states alike through the damage or theft of computer systems or the information contained therein;

PROHIBITS the following practices:

1) The use, spread, and creation without proper safety precautions, of computer viruses and other similar malicious programs including worms, Trojans, or any other program which damages, or otherwise adversely affects, computer systems; or destroys, damages, manipulates or steals information without authorisation. This excludes security specialists in their attempts to find new ways of defending against viruses, so long as they are creating and using such programs solely for that purpose, and do not use them without the authorisation of the owners of the computer system. They still may not spread them, and they must make adequate provisions to ensure that there is no possibility of it spreading.
2) Computer hacking, defined as the intentional unauthorised access to, or unauthorised use, theft, manipulation or damage of information stored electronically.
3) Identity theft, defined as any unauthorised attempt to use or steal elements pertaining to another individual’s identity, including credit card details.

MANDATES that any business, organisation (either governmental or non-governmental) must take security measures to protect any confidential data contained in them, especially that data that pertains to information about their customers or members of the public. Such measures may include, but are not limited to, password protection of systems, data encryption, firewall installation, and virus scanning software, etc.

URGES all UN nations to implement security measures or legislation to protect these computer networks and the information contained on them through the promotion of, and education on, such measures, including encryption, password protection, firewalls, virus scanning software, and the use of secure operating systems, etc.

ENCOURAGES international cooperation between national law enforcement agencies, as well as the voluntary co-operation of the computer and Internet industry, in an attempt to reduce computer crime and improve the security of global computer networks and systems

ESTABLISHES the International Computer Security Institute (ICSI) whose tasks shall be to:
1) monitor international computer crime and work with law enforcement agencies to prevent it
2) promote and encourage the development of new security systems to help prevent computer crime
3) create and co-ordinate education programmes on computer crime prevention
and which shall be funded by voluntary donations by states, organisations, businesses or individuals.
Yelda
01-05-2005, 17:34
I like it, and will approve it. I know that we can't mention Linux or open source in a resolution as they would be interpreted as RL references. However, perhaps you could add a line encouraging a switch to more secure operating systems and web browsers.
Grand Teton
01-05-2005, 18:01
I like it. Only one minor quibble - 1) The creation and spread of computer viruses and other similar malicious programs including worms, Trojans, or any other program which damages computer systems or destroys/steals information without authorisation. The loophole in this is that non-damaging viruses are not covered. Like that Christmas tree one that went around ages ago, it didn't do any harm, but was bloody annoying. Surely they should be covered as well?
Gwenstefani
01-05-2005, 18:41
I like it. Only one minor quibble - The loophole in this is that non-damaging viruses are not covered. Like that Christmas tree one that went around ages ago, it didn't do any harm, but was bloody annoying. Surely they should be covered as well?

Ok, so what if I amend it to read something like

"or any other program which damages, or otherwise affects, computer systems or destroys/steals information without authorisation"

Which covers basically any unauthorised tampering.
Lindim
01-05-2005, 18:46
This resolution, though well-intentioned, is vague and includes several limiting factors that actually do more harm than good.

1) The creation and spread of computer viruses and other similar malicious programs including worms, Trojans, or any other program which damages computer systems or destroys/steals information without authorisation.

"The creation" implies writing the actual code for the said program, which severely limits those who fight against viruses and other malicious programs. Many security specialists and software companies will write "proof-of-concept" programs that try to find exploits and vulnerabilities in their own software and systems before hackers do, so they can go ahead and pre-emptively patch the systems, increasing security. But this clause would outlaw such practices, and only benefit those who already code and release viruses illegally.

2) Computer hacking, defined as the unauthorised access to, or unauthorised use, theft or manipulation of information stored electronically.

"Access to" does not take into account accidental stumbling upon various open systems, such as in a school or shopping center network. Even if accessed unintentionally by an innocent web surfer, your clause states that they are guilty of an international crime.

3) Identity theft, defined as any unauthorised attempt to use or steal elements pertaining to another individual’s identity, including credit card details.

This clause about identity theft, though it can be applicable, opens up traditional identity theft as a computer crime. Was this intentional?
Gwenstefani
01-05-2005, 18:58
This resolution, though well-intentioned, is vague and includes several limiting factors that actually do more harm than good.
As I said, it's just a basic rough draft to gather some ideas on the topic so I can bolster it up a bit. Such as the suggestions you have made which will be incorporated :)

"The creation" implies writing the actual code for the said program, which severely limits those who fight against viruses and other malicious programs. Many security specialists and software companies will write "proof-of-concept" programs that try to find exploits and vulnerabilities in their own software and systems before hackers do, so they can go ahead and pre-emptively patch the systems, increasing security. But this clause would outlaw such practices, and only benefit those who already code and release viruses illegally.

Then I will introduce a clause that excludes security specialists from this ruling so long as they are creating and using such programs solely for that purpose. They still may not spread them, and they must make sure that there is no possibility of it spreading.

"Access to" does not take into account accidental stumbling upon various open systems, such as in a school or shopping center network. Even if accessed unintentionally by an innocent web surfer, your clause states that they are guilty of an international crime.

"Intentional unauthorised access" will be referred to instead.


This clause about identity theft, though it can be applicable, opens up traditional identity theft as a computer crime. Was this intentional?

I was referring to it in a computer context given the title of the resolution. I can change that too to be more specific.
Grand Teton
01-05-2005, 21:31
Ok, so what if I amend it to read something like

"or any other program which damages, or otherwise affects, computer systems or destroys/steals information without authorisation"

Which covers basically any unauthorised tampering.
Yeah, that sounds good. I know squat about the web, but that wouldn't affect those cookie things would it?
The Yoopers
01-05-2005, 21:48
It needs to be reworded and refined a bit, but it is just a draft. Looks pretty good so far.
Lindim
01-05-2005, 22:55
Now that you have a motivation, you need the details. For instance, you imply that this will be an international crime, in addition to any national laws broken by the offender. So you might want to recommend the establishment of a committee to oversee the monitoring and judging of these cases, or a group that would work with national law enforcement agencies to track offenders down.
The Lynx Alliance
02-05-2005, 02:11
I like it, and will approve it. I know that we can't mention Linux or open source in a resolution as they would be interpreted as RL references. However, perhaps you could add a line encouraging a switch to more secure operating systems and web browsers.
I like this point. Linux would be a RL ref, but open source wouldn't, I don't think.

Gwenstefani, finally.... FINALLY a proposal that is very much worth consideration (not a dig at you, just one at the others). Looking forward to the second draft. Also, since the UN has no police force, maybe something stating 'nation's police force' in there to ensure no 'but the UN has no police force' comments.
Gwenstefani
04-05-2005, 00:14
Should I enforce any kind of penalty system? Otherwise I suppose individual nations could make it a crime but have an extremely lenient punishment, effectively getting round the whole proposal?
Pojonia
04-05-2005, 00:51
Ok, so what if I amend it to read something like

"or any other program which damages, or otherwise affects, computer systems or destroys/steals information without authorisation"

Which covers basically any unauthorised tampering.

Actually, I'd leave that be. Firstly, if you start messing with the wording there, there are going to be some quibbles over what "affects" computer systems. Secondly, it's taking U.N. legislation just a bit too far - you want to focus on dangerous computer viruses, sure, but annoying smiley faces that jump randomly around your screen don't pose any kind of real threat. Thirdly, harmless viruses are actually sometimes pretty funny. Basically, it's just an overcomplication that abstracts it a tad and I wouldn't bother. This is a good resolution as is.
Pojonia
04-05-2005, 00:52
Should I enforce any kind of penalty system? Otherwise I suppose individual nations could make it a crime but have an extremely lenient punishment, effectively getting round the whole proposal?

The penalty for smiley viruses is DEATH!

*cough* Sorry.
Gwenstefani
09-05-2005, 22:13
The new version:

Computer Crimes Acts

NOTING the increasing trend for computer networks to be interconnected and to transcend national borders;

AWARE that the vast majority of businesses and most national and international economies rely on these systems and the information contained within;

ALERT to the dangers of allowing such a vital and grand-scale system to remain unprotected by international law; dangers which could cause massive economic damage to individuals, corporations and states alike through the damage or theft of computer systems or the information contained therein;

CALLS for the introduction of the Computer Crimes Act (CCA) which outlaws the following practices:

1) The creation and spread of computer viruses and other similar malicious programs including worms, Trojans, or any other program which damages, or otherwise adversely affects, computer systems; or destroys, damages, manipulates or steals information without authorisation. This excludes security specialists in their attempts to find new ways of defending against viruses, so long as they are creating and using such programs solely for that purpose. They still may not spread them, and they must make adequate provisions to ensure that there is no possibility of it spreading.
2) Computer hacking, defined as the intentional unauthorised access to, or unauthorised use, theft, manipulation or damage of information stored electronically.
3) Identity theft, defined as any unauthorised attempt to use or steal elements pertaining to another individual’s identity, including credit card details.

CALLS for the introduction of the Data Protection Act (DPA) which mandates that any business, or organisation (both governmental and non-governmental) must take security measures to protect any confidential data contained in them, especially that data that pertains to information about their customers or members of the public. Such measures should include, but are not limited to, password protection of systems, data encryption, firewall installation, and virus scanning software, etc.

URGES all UN nations to implement security measures or legislation to protect these computer networks and the information contained on them through the promotion of, and education on, such measures, including encryption, password protection, firewalls, virus scanning software, and the use of secure operating systems, etc.

ENCOURAGES international cooperation between national law enforcement agencies, as well as the voluntary co-operation of the computer and Internet industry, in an attempt to reduce computer crime and improve the security of global computer networks and systems

ESTABLISHES the International Computer Security Institute (ICSI) whose tasks shall be to:
1) monitor international computer crime and work with law enforcement agencies to prevent them
2) develop new security systems to help prevent computer crime
3) create and co-ordinate education programmes on computer crime prevention
and which shall be funded by voluntary donations by states, organisations, businesses or individuals.
Gwenstefani
10-05-2005, 00:32
Free trade or international security for categorisation purposes?
Fatus Maximus
10-05-2005, 00:34
International security sounds more like it to me. Nice proposal. :)
Nargopia
10-05-2005, 01:59
Definitely International Security. Excellent proposal, best of luck.
Vanhalenburgh
10-05-2005, 04:06
Well done. Except that I would wonder how this would come into play in times of war. Some nation could use computer viruses to disable their enemies' war capability. Or....what if the UN could use a computer virus to bring an oppressive nation to its knees instead of sacrificing lives.

Just a few thoughts.
Gwenstefani
10-05-2005, 12:37
Well done. Except that I would wonder how this would come into play in times of war. Some nation could use computer viruses to disable their enemies' war capability. Or....what if the UN could use a computer virus to bring an oppressive nation to its knees instead of sacrificing lives.

Just a few thoughts.

I had actually considered this. And I almost wrote a clause to exempt war conditions. However, as mentioned at the beginning of the proposal, most computer systems are interconnected. It is extremely difficult then to attack just one computer system. And due to the transnational nature of computer networks, it could even be difficult if not impossible to contain the effects of said "electronic weapon" to just one country.
Gwenstefani
10-05-2005, 12:38
*Sigh*

I realised it would probably be international security, no matter how much I mentioned the economy.

I just really wanted to write a free trade proposal, but I ended up with this.

It was inspired by the 0 of 0 bug!
Gwenstefani
10-05-2005, 17:53
Update:

Computer Crimes Act

NOTING the increasing trend for computer networks to be interconnected and to transcend national borders;

AWARE that the vast majority of businesses and most national and international economies rely on these systems and the information contained within;

ALERT to the dangers of allowing such a vital and grand-scale system to remain unprotected by international law; dangers which could cause massive economic, and other, damage to individuals, corporations and states alike through the damage or theft of computer systems or the information contained therein;

PROHIBITS the following practices:

1) The use, spread, and creation without proper safety precautions, of computer viruses and other similar malicious programs including worms, Trojans, or any other program which damages, or otherwise adversely affects, computer systems; or destroys, damages, manipulates or steals information without authorisation. This excludes security specialists in their attempts to find new ways of defending against viruses, so long as they are creating and using such programs solely for that purpose, and do not use them without the authorisation of the owners of the computer system. They still may not spread them, and they must make adequate provisions to ensure that there is no possibility of it spreading.
2) Computer hacking, defined as the intentional unauthorised access to, or unauthorised use, theft, manipulation or damage of information stored electronically.
3) Identity theft, defined as any unauthorised attempt to use or steal elements pertaining to another individual’s identity, including credit card details.

MANDATES that any business, organisation (either governmental or non-governmental) must take security measures to protect any confidential data contained in them, especially that data that pertains to information about their customers or members of the public. Such measures may include, but are not limited to, password protection of systems, data encryption, firewall installation, and virus scanning software, etc.

URGES all UN nations to implement security measures or legislation to protect these computer networks and the information contained on them through the promotion of, and education on, such measures, including encryption, password protection, firewalls, virus scanning software, and the use of secure operating systems, etc.

ENCOURAGES international cooperation between national law enforcement agencies, as well as the voluntary co-operation of the computer and Internet industry, in an attempt to reduce computer crime and improve the security of global computer networks and systems

ESTABLISHES the International Computer Security Institute (ICSI) whose tasks shall be to:
1) monitor international computer crime and work with law enforcement agencies to prevent it
2) promote and encourage the development of new security systems to help prevent computer crime
3) create and co-ordinate education programmes on computer crime prevention
and which shall be funded by voluntary donations by states, organisations, businesses or individuals.
Gwenstefani
10-05-2005, 21:22
Proposal has now been submitted!

Please endorse it if you can.

Thank you.
Yelda
11-05-2005, 05:56
Proposal has now been submitted!
And I have endorsed it.
Grand Teton
11-05-2005, 21:34
I'll see what I can do, endorsement-wise.
Neoscelus
22-05-2005, 21:07
<The Dictator of Neoscelus sits at his desk, a Neoscelan banner draped behind him, as he makes an official address>

To the respected delegates of the United Nations,

I am here to explain our stance on the newly proposed Computer Crimes Act.
Although it is doubtless an act with good intentions, it is simply too full of holes.

For one, the proposal deals with what the enforcement procedures would entail, but like most international law, it gets hazy when it comes to matters of punishment. If the enforcement of this law is to be done with the participation of the international community, how can we determine punishment for computer criminals? In one country perhaps, they would like their criminals to be punished harshly. However, another member of the enforcement committee may disapprove of that. Nations will not wish to be party to a correctional system they do not approve of in another country.

Furthermore, some nations may not wish to use their resources for a committee that extends its duties to another nation that has committed less resources to the project.

These aforementioned issues being the most important in any discussion involving international law enforcement, the only substance this proposal has, is to ensure that companies with highly sensitive information take actions to keep that information safe. Why is this necessary to legislate? Presumably any organization with confidential information will take whatever precautions are necessary and cost effective. Legislating beyond this may simply cause undue strain on the resources of some organizations to provide redundant security systems.

Considering the lack of practicality and obviousness of this proposal, the nation of Neoscelus votes against it, and encourages a tighter, stronger proposal for this issue in the future.

<End transmission>
Nargopia
22-05-2005, 21:59
I suggest posting this in the official discussion thread, which should be the first or second sticky you see in the forum.
Flibbleites
22-05-2005, 22:02
I suggest posting this in the official discussion thread, which should be the first or second sticky you see in the forum.
They did. (http://forums.jolt.co.uk/showpost.php?p=8928318&postcount=118)