
Ethics: Savior or Vigilante

From Tony Bradley, CISSP-ISSAP, for About.com

According to Black’s Law Dictionary, self-defense is defined as “that degree of force which is not excessive and is appropriate in protecting oneself or one’s property. When such force is used, a person is justified and is not criminally liable, nor liable in a tort.” Based on this definition, it seems that a “reasonable” response is warranted and legal.

One distinction, however, is that with viruses and worms we are generally talking about users who don’t know they are infected. So, it isn’t so much like retaliating with reasonable force against a mugger who is attacking you. A better example would be a person who parks their car on a hill and doesn’t set the parking brake. When they walk away from their car and it begins rolling down the hill toward your house, are you within your rights to jump in and stop it or divert it with whatever “reasonable” method you can? Would you be prosecuted for grand theft auto for getting in the car, or for willful destruction of property if you somehow diverted the car to crash into something else? I doubt it.

The fact that Nimda is still actively traveling about the Internet infecting unprotected users affects the whole community. The user may have sovereignty over their computer, but they don’t, or shouldn’t, have sovereignty on the Internet. They can do what they want with their computer in their own world, but once they connect to the Internet and impact the community they should be subject to certain expectations and guidelines for participating in the community.

I don’t think that individual users should take to retaliating, just like individual citizens shouldn’t hunt down criminals. Unfortunately, we have police and other law enforcement agencies that are responsible for hunting down criminals in the real world, but we have no Internet equivalent. There is no group or agency with the authority to police the Internet and reprimand or penalize those who violate the guidelines of the community. To try and establish such an organization would be daunting because of the global nature of the Internet. A rule that applies in the United States may not apply in Brazil or Singapore.

Even without a “police force” with the authority to enforce rules or guidelines on the Internet, should there be an organization or organizations with the authority to create counter-worms or virus vaccines that would proactively seek out infected computers and attempt to clean them? Ethically, would invading a computer with the intent to clean it be any better than the virus or worm that invaded the computer in the first place?

There are more questions than answers right now, and it is somewhat of a slippery slope to start down. Counter-attacking seems to fall into a large gray area between reasonable self-defense and stooping to the level of the original malicious code developer. The gray area needs to be investigated, though, and some direction needs to be given on how to handle members of the Internet community that continue to be vulnerable to and/or propagating threats for which fixes are readily and freely available.


©2009 About.com, a part of The New York Times Company.

All rights reserved.