Tonnerre Lombard

FFII’s coordinator for Switzerland

An attempt at forbidding «hacker tools» in Switzerland

The Federal Department of Justice and Police recently proposed legislation to outlaw so-called «hacker tools» in Switzerland as well. However, the proposed paragraph deviates massively from the original European cybercrime convention which it attempts to implement. Consequently, the legislation would outlaw not only «hacker tools» which can be used only by evildoers breaking into other people’s machines without permission, but in fact any type of tool used to test or ensure system security (such as Nessus, Metasploit, or even simple administrative tools used for network debugging, such as tcpdump, snoop or Wireshark).

The currently proposed version introduces an article simply stating that «Whoever publishes programs or other data or makes them available in spite of having to assume that they will be used for any purpose mentioned in article 1 [i.e. breaking into systems], shall be punished with prison for up to three years or with a fine.» This article appears to be based on the false assumption that software which can be used to break into systems is per se evil, and that no dual use exists. However, with the possible exception of combined attacking and spam software (e.g. botnet software), every system and network security tool is basically a dual-use tool. This is due to the very nature of network security. IT security companies are basically just hackers who are getting paid to break into the customer’s systems in order to discover and verify existing security problems. Surely, a tool used in such a so-called «penetration test» could be used in the very same way without the target’s prior consent. An IT security tool cannot determine whether the target has granted consent; the difference is purely administrative.

Moreover, for companies such as Internet service providers, network traffic monitoring tools are a crucial element in diagnosing connectivity problems. Of course, the same tools could be used to read passwords transmitted over the line, making them usable as tools in a «hacking» attack. Without network traffic monitoring tools, however, debugging network problems becomes an insurmountable task for network administrators.

The current proposal can thus be considered totally inappropriate and will need a complete makeover. In order to convince the Federal Council and the EJPD of this, everybody is invited to submit a response to the EJPD in the currently running hearing on the proposal.