Swiss AntiViral legislation

[David Farber <farber () central cis upenn edu>]

Date:  Thu, 21 Oct 1993 16:33:37 +0100
From: Klaus Brunnstein <brunnstein () rz informatik uni-hamburg d400 de>
Subject:  Re:Swiss AntiViral legislation


Colleagues and friends, thanks for the very helpful and positively critical
comments. I append Mr. Frigerio's reply for your information. Klaus
(Oct.21,1993)


PS: Mr. Frigerio will have another fight with lawyers who think that any
legislation is dangerous as it may also hurt the "good viruses". I argued that
"good viruses" exist only in Dr. Cohen's head, as those applications which he
always mentions can be realized by non-replicative methods. Moreover, any auto
matic reproduction has an unwished side-effect, as copyrights for any software
does only apply to the original (=uninfected) program, so viruses "steal" also
legal rights from both the originator and the user (who looses the guarantee,
if any, of a working program :-)


> > > > > > > > > > > > > > > > > > > > > > > Mr. Frigerio's response <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


Thanks to everybody who replied on the subject of Swiss Anti-Virus Legislation.


As somebody noticed there was a word missing in the English translation. It
should have been: "... destructs electronically or similarly saved or
TRANSMITTED data will..."


The text posted to the net, was a trial to include into the "data damaging"
even creation and dealing/circulating computer viruses. The idea behind this,
is that the virus itself already carries the malicious intent of his author.
Therefore it is dangerous in any circumstance. Actually a virus can not be
abused, as the idea of abuse includes the possibility, that a virus can be
used in a good way too. As I have been told by specialists, there is no such
"good use" of a virus as any unauthorized change of data has the potential of
interfering with other data and/or programs in environments, that the virus
author did/could not foresee. And even the unauthorized use of storage space
is a damage, as this space will not be available for authorized uses of the
computer system. Computer virus are an "absolute danger", and as any other
dangerous thing (like explosive, poison, radioactive materials or genetic
materials in specialized labs) computer virus should not be created or
circulated without restrictions.


It has been remarked that in the text there was no word about the requisite
intent or requisite knowledge of the committer. This way any BBS sysop would
always risk criminal charges, if his BBS carries any virus infected software
but the sysop isn't aware of it.


I apologize for not having told that Swiss Penal Law only considers
intentional crimes, if there is no explicit indication that negligent acts are
punished too. Therefore according to Swiss Penal Law terminology and system,
the text posted to the net only considers who "knowingly and willingly"
commits the act. That means that the author of the virus has to know it was a
virus, what he created: this is always the case. And who circulates the virus
has to know it was a virus and he wanted to circulate it. The knowledge that
SW was or carried a virus can be proved easily by the fact that nobody
knowingly stores viruses without labeling or marking them in any way, in order
not to be infected himself (yes, I know: if there really is somebody so
foolish, I have to find another way to prove his knowledge). For BBS a "Virus
Directory" containing viruses or virus source codes is evidence enough for the
"requisite knowledge and intent". The law does no want to punish accidental
distribution of viruses.


The phrase "means destined for unauthorized deletion" has been considered
unclear. "Means" certainly includes not only software, but source code (on
paper as on disks) too. It has been remarked that it's the classical toolmaker
problem: a knife can be used as woodcarver to make a great work, but it might
be used by a thug to commit murder.  I realized this problem, but would you
consider a knife as generally destined to commit murder? Or would you consider
explosive as generally destined to create damage? We have to be aware that
most items can be used in a legal or abused in an illegal way.  Seldom an item
can only be used in an illegal way, but computer viruses are such items!  I do
not speak about software using virus specific reproduction techniques (like
"killer viruses" for copyright enforcement or "anti-viruses" supposed to fight
viruses) that make data changes with the explicit (contract/license) or
implicit (highly probable agreement of the user) authorization of the user.
This kind of SW is actually not included in the definition of "means destined
for unauthorized deletion, modification, or destruction of data".  Therefore
you cannot say that Norton Utilities, WipeFile or any other similar general
purpose SW or utilities are "destined for unautorized deletion, modification
or destruction", although they certainly could be used for this.


The text doesn't say anything about malice, malicious intents or the intent to
damage, as these elements are very difficult to prove in trial, if the accused
denies any such intention. Actually I considered these subjective elements as
not really necessary, as the virus already carries the malicious intent of its
author: the malice of the author is proved by his virus, and the malice of
somebody circulating the virus is proved, if his knowledge, that he was
circulating a virus, is proved.


According to general principles of penal law the site of crime is the main
link to charge somebody. If a virus has been created or circulated outside the
national borders of Switzerland, Swiss Penal law cannot be applied. But if a
virus created outside Switzerland is transferred electronically to
Switzerland, the downloader will be held responsible, no matter if he was in
Switzerland or abroad, as "importing" as a way to circulate the virus.  The
"success" of the act will take place in Switzerland. Anyway Art. 7 of Swiss
Penal Law follows the principle of territoriality and the "Ubiquitaetsprinzip"
(sorry: didn't find the correct English word: an act is considered being
committed not only where the committer was, when he started his crime, but
also where the "success" has been realized. Anyway I do consider clarifying
this by inserting that "importing" virus is considered as "circulating in any
way".


As this crime is prosecuted as soon as police or prosecution authority knows
about it (so called "ex officio", there is no need for a specific complaint: a
detailed information about a fact is enough to start investigations, no matter
where the information came from (e.g. abroad).


There is no doubt, that professional ant-virus specialists and scientists
should have access to viruses and be allowed to even create viruses. As long
as this is covered by the aim of studying strategies to fight computer
viruses, this is OK. I actually planned a system of registering these people
with a federal authority (e.g. the IS Security Dptm. at the Swiss Federal
Office of Information Technology and Systems or the Ministry of Justice). The
posted text would be then need to be completed as follows: "Who, without being
registered with the proper federal authority, creates...  Only trustworthy
individuals, who are professionally or scientifically active in combatting
such means, may be registered on demand."


The Swiss legislator is actually not only considering "data damaging" but
"hacking", "time theft" and computer fraud too, but these ARE NOT subjects of
the discussion in this forum now. The same applies to software piracy, already
ruled by another law. I will gladly email/fax the German, French or Italian
text of the Penal Law draft to anybody interested. Please do not ask me an
English translation of these, as I am not a professional English translator of
legal text.


I am aware that the UK and Italy have/are going to have laws allowing to
prosecute the creation and circulation of computer viruses. If anybody knows
of other countries, may he please let me know in any way and as soon as
possible.


On Monday, 25 October 1993, there will a meeting with the Ministry of Justice
in order to convince them to propose this to the Parliament. This will be very
very difficult, as there generally is very little knowledge on, or concern for
the threat through computer viruses. Most people have simply never suffered an
attack of computer viruses.


Thanks again for following this item with your comments.


Claudio G. Frigerio


P.S.: Please do not suggest to me to send them a floppy with a ..... just
to make them more aware of the risks...
P.P.S.: You can phone/email/fax/write to me in Italian, German, French,
Spanish or English.


Claudio G. Frigerio, Bundesamt fuer Informatik/Stabsdienste, Feldeggweg 1,
CH-3003 Bern (Switzerland) +41/31/325-9381 bfi () ezinfo vmsmail ethz ch