Interesting People mailing list archives
Re: Draft Swiss AntiVirus regulation
From: David Farber <farber () central cis upenn edu>
Date: Thu, 14 Oct 1993 18:17:28 -0400
Date: Thu, 14 Oct 93 09:53:34 -0400
From: shap () viper cis upenn edu (Jonathan Shapiro)
To: brunnstein () rz informatik uni-hamburg d400 de, bfi () ezinfo vmsmail ethz ch
Cc: farber () central cis upenn edu
Subject: Re: Draft Swiss AntiVirus regulation

Mr. Frigerio, Mr. Brunnstein:

I am pleased to see lawmakers using electronic information forums to discuss electronic information issues. Let us hope that the United States lawmakers will learn from you.

Regarding your proposed legislation:

###############################################################
Appendix 1: Entwurf zu Art. 144 Abs. 2 des Schweizerischen Strafgesetzbuches

"Wer unbefugt elektronisch oder in vergleichbarer Weise gespeicherte oder uebermittelte Daten loescht, veraendert oder unbrauchbar macht, oder Mittel, die zum unbefugten Loeschen, Aendern oder Unbrauchbarmachen solcher Daten bestimmt sind, herstellt oder anpreist, anbietet, zugaenglich macht oder sonstwie in Verkehr bringt, wird, auf Antrag, mit der gleichen Strafe belegt."

P.S.: gleiche Strafe = Busse oder Gefaengnis bis zu 3 Jahren; bei grossem Schaden, bis zu 5 Jahren Gefaengnis sowie Verfolgung von Amtes wegen (Offizialdelikt)
###############################################################
Draft of article 144 paragraph 2 of the Swiss Penal Code (English translation)

Anyone, who, without authorization
- erases, modifies, or destructs electronically or similarly saved or data,
or anyone who,
- creates, promotes, offers, makes available, or circulates in any way means destined for unauthorized deletion, modification, or destruction of such data,
will, if a complaint is filed, receive the same punishment.

P.S.: same punishment = fine or imprisonment for a term of up to three years; in cases of a considerable damage, five years with prosecution ex officio.

Author: Claudio G. Frigerio, Attorney-At-Law, Swiss Federal Office of Information Technology and System, e-mail: bfi () ezinfo vmsmail ethz ch

In my opinion, the proposed law has a serious flaw in the second clause. You are attempting to make the distribution of knowledge illegal, and this is not practical. It is also not in the public interest.

Several years ago, the internet went through a long debate about a related issue: Is it proper to distribute detailed documentation of security holes over a public forum? Their conclusions were as follows:

1. What you don't know CAN hurt you.

2. The knowledge is already out there, because the security hole is discovered when someone breaks in successfully. This means that there is no benefit to the public in keeping silent.

3. Most users are ignorant. If they are not told about security problems, they are unable to fix them, and are therefore vulnerable.

4. Vendors do not fix security holes without significant market pressure, which cannot be created if the public doesn't know about the holes.

Therefore, such knowledge should be widely disseminated.

This policy has been proven sound by the Internet Virus. What is remarkable is not the number of machines that were victimized, but the number that successfully *repelled* the attack. In addition, the fact that the knowledge of the security problems was widespread allowed the virus to be defeated within 48 hours.

I suggest that the issues for viruses are identical. There are people who, in the public good, document and distribute the code for viruses to ensure that the community is educated about the latest techniques so they can defend themselves. You do not wish to make their activities illegal.

Perhaps you should consider rewording the law to reflect this.

Jonathan S. Shapiro