Re: Draft Swiss AntiVirus regulation

[David Farber <farber () central cis upenn edu>]

Date: Thu, 14 Oct 93 09:53:34 -0400
From: shap () viper cis upenn edu (Jonathan Shapiro)
To: brunnstein () rz informatik uni-hamburg d400 de, bfi () ezinfo vmsmail ethz ch
Cc: farber () central cis upenn edu
Subject: Re: Draft Swiss AntiVirus regulation


Mr. Frigerio, Mr. Brunnstein:


I am pleased to see lawmakers using electronic information forums to
discuss electronic information issues.  Let us hope that the United
States lawmakers will learn from you.


Regarding your proposed legislation:


   ###############################################################
   Appendix 1:
   Entwurf zu Art. 144 Abs. 2 des Schweizerischen Strafgesetzbuches


   "Wer unbefugt elektronisch oder in vergleichbarer Weise gespeicherte oder
   uebermittelte Daten loescht, veraendert oder unbrauchbar macht, oder Mittel,
   die zum unbefugten Loeschen, Aendern oder Unbrauchbarmachen solcher Daten
   bestimmt sind, herstellt oder anpreist, anbietet, zugaenglich macht oder
   sonstwie in Verkehr bringt, wird, auf Antrag, mit der gleichen Strafe
belegt."


   P.S.: gleiche Strafe =JBusse oder Gefaengnis bis zu 3 Jahren;
         bei grossem Schaden, bis zu 5 Jahren Gefaengnis sowie Verfolgung
         von Amtes wegen (Offizialdelikt)


   ###############################################################
   Draft of article 144 paragraph 2 of the Swiss Penal Code
   (English translation)


    Anyone, who, without authorization
      - erases, modifies, or destructs electronically or similarly
        saved or data, 
    or anyone who,
      - creates, promotes, offers, makes available, or circulates in any way
        means destined for unauthorized deletion, modification, or destruction 
        of such data,
    will, if a complaint is filed, receive the same punishment.


   P.S.: same punishment = fine or imprisonment for a term of up to
         three years; in cases of a considerable damage, five years
         with prosecution ex officio. 


   Author: Claudio G. Frigerio, Attorney-At-Law, Swiss Federal Office of
   Information Technology and System, e-mail: bfi () ezinfo vmsmail ethz ch




In my opinion, the proposed law has a serious flaw in the second
clause.  You are attempting to make the distribution of knowledge
illegal, and this is not practical.  It is also not in the public
interest.


Several years ago, the internet went through a long debate about a
related issue: Is it proper to distribute detailed documentation of
security holes over a public forum?  Their conclusions were as
follows:


        1. What you don't know CAN hurt you.


        2. The knowledge is already out there, because the security
           hole is discovered when someone breaks in successfully.
           This means that there is no benefit to the public in
           keeping silent.


        3. Most users are ignorant.  If they are not told about
           security problems, they are unable to fix them, and are
           therefore vulnerable.


        4. Vendors do not fix security holes without significant
           market pressure, which cannot be created if the public
           doesn't know about the holes.


        Therefore, such knowledge should be widely disseminated.


This policy has been proven sound by the Internet Virus.  What is
remarkable is not the number of machines that were victimized, but the
number that successfully *repelled* the attack.  In addition, the fact
that the knowledge of the security problems was widespread allowed the
virus to be defeated within 48 hours.


I suggest that the issues for viruses are identical.


There are people who, in the public good, document and distribute the
code for viruses to ensure that the community is educated about the
latest techniques so they can defend themselves.  You do not wish to
make their activities illegal.


Perhaps you should consider rewording the law to reflect this.




Jonathan S. Shapiro