Legal Implications

Introduction to Cybercrime
In May of 2000 CBS News did a report on the contemporary "Hacking Culture". The story focused on an interview with an ex-hacker named Kevin Mitnick. "[Hacking] was a hobby, if you will", Mitnick told a CBS News correspondent. Like many hackers, Mitnick would spend up to six hours a day in front of a computer trying to break into supposedly foolproof systems, "unconcerned by the potential consequences". Mitnick's hobby, something he did solely for "the thrill and the intellectual challenge", sent him to prison for almost five years. "As I was doing the act I didn't think about the consequences or the chances you might get caught doing it, because that wasn't really an option", he explained. Mitnick learned the hard way. Computer crime can and does have grave legal implications.

Although Mitnick claims he hacked with "ethics" - that he never stole, caused damage or profited from his practices - not all hackers adhere to these principles. And as computers become more and more common, so do incidents of hacking and other computer-related crimes. Computer crime, also known as cybercrime, includes such activities as hacking, virus creation and distribution, forgery, theft and denial of access. Computers have essentially unlocked the gates to a new era in lawbreaking. Due to technological advances, crimes are committed today that could not have existed a decade ago, and traditional crimes are being made easier. Michael A. Vatis, Director of the National Information Infrastructure Protection Center, notes: "Whether we like it or not, cybercrime presents the most fundamental challenge for law enforcement in the 21st Century. By its very nature, the cyber environment is border-less, affords easy anonymity and methods of concealment to bad actors, and provides new tools to engage in criminal activity". The unique nature of computer crime has caused a debate among law enforcement experts. Some believe that cybercrime is just a conventional crime committed with high-tech devices. Others argue, however, that cybercrime is a totally new phenomenon that, in order to be dealt with effectively, requires new law enforcement techniques and new legislation.

The Computer Fraud and Abuse Act
In 1984, the United States Congress adopted the latter "new phenomenon" view and enacted the Counterfeit Access Device and Computer Fraud and Abuse Act. This statute, which is codified at 18 U.S.C. § 1030, made a clear statement to the law enforcement community and to computer owners and users about legal conduct in the realm of computers. The Act prohibited the following behavior:
  • To knowingly access a computer without authorization, or in excess of authorization, in order to obtain classified United States defense or foreign relations information with the intent to harm the United States or benefit a foreign nation.
  • To obtain information, via unauthorized access, from the financial records of a financial institution or from any protected computer if the conduct involves interstate or foreign communication.
  • To access a computer to use, destroy, modify, or disclose information found in a "federal interest" computer system, as well as to prevent authorized use of any computer used for government business if the usage interferes with government activities.
  • To knowingly and with the intent to defraud participate in the trafficking of passwords or similar information through which computers can be accessed without authorization.

The history of the Computer Fraud and Abuse Act illustrates the complexity of cybercrime legislation. The first person charged with violating the Computer Fraud and Abuse Act was Robert T. Morris Jr., author of the first computer virus. Morris was charged with releasing a "worm" that, according to Morris, unintentionally caused harm to many government and university computers. The legal language applied in the case referred to someone who:

(5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby (A) causes loss… of a value aggregating $1,000 or more.

The District Court in the Morris case interpreted the law as only requiring the intent to access a computer, not the intent to cause actual damage, and thus Morris was convicted. Morris' lawyer, Thomas Guidoboni, described the Computer Fraud and Abuse Act of 1986 as "perilously vague" because it treated well-intended intruders just as harshly as it treated ill-intended intruders.

As a result of this and other gaps in the legislation, the Computer Fraud and Abuse Act has since been amended. The most notable amendments occurred in October of 1996 with the enactment of the National Information Infrastructure Protection Act. Listed below are some of the changes made to the legal code:

  • The phrase "[I]ntentionally accesses a Federal interest computer" has been replaced by the clause "through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or command to a computer or computer system…"
  • In order to broaden coverage of the law, "Federal interest computer" has been replaced with the term "protected computer".
  • The intentional accessing of a protected computer that recklessly causes damage has been added as an offense. This applies to people like Robert Morris who intentionally let a virus loose, though not necessarily with malicious intent.

The Computer Fraud and Abuse Act has become a landmark in the fight against cybercrime. The Act provided a single piece of code that specifically addressed computer-related offenses, thus eliminating the need to rely on legislation written for other crimes, which often proved inadequate when applied to computer activity. For example, the statute pertaining to interstate transportation of stolen property, 18 U.S.C. § 2314, applies to "goods, wares and merchandise," and thus has been held by several courts not to apply to intangible property such as stolen data. The existence of the Computer Fraud and Abuse Act also means that when new computer technology is introduced, instead of having to scan through the entire United States Code amending every statute potentially affected, lawmakers can focus on essential amendments to only this legislation.

Computer Viruses and the Law
A computer virus crime usually involves the intent to cause damage through the creation and/or distribution of a destructive computer program. The legislation most applicable to computer viruses is just general cybercrime legislation. In the United States, the distribution of a virus that affects computers used by government or by financial institutions is a federal crime under the Computer Fraud and Abuse Act. In addition to the Morris computer worm case, there have been other successes. In December of 1999, David L. Smith pleaded guilty to creating and distributing the "Melissa" virus that caused more than $80 million in damage. Smith faces a maximum sentence of five years in prison and a $250,000 fine. The "Melissa" virus was so devastating and widespread that it affected both computers belonging to individuals and those belonging to the government. This is not always the case. Thus, since federal legislation is primarily concerned with "federal interest" computers, local statutes tend to be stricter when dealing with personal computers.

As is evident, the legal implications of computer viruses are not well defined. The laws pertaining to computer viruses change from state to state and from country to country. In many countries the writing of viruses is not an offense in itself. In others even the sharing of virus code between anti-virus researchers could potentially be considered an offense. To make matters more complicated, once a virus is released it is free to cross state lines and national borders, making the author or distributor of the virus accountable for his or her action under a very different legal system. For a list of the anti-virus and cybercrime laws available in US states and other countries see http://vx.netlux.org/texts/laws/laws.htm.

The newsgroup alt.comp.virus provides the following list of the grounds on which virus creation or distribution may be found to be illegal:

  • Unauthorized access - you may be held to have obtained unauthorized access to a computer you have never seen, if you are responsible for distribution of a virus which infects that machine.
  • Unauthorized modification - this could be held to include an infected file, boot sector, or partition sector.
  • Loss of data - this might include liability for accidental damage as well as intentional disk/file trashing.
  • Endangering of public safety
  • Incitement - includes making available viruses, virus code, information on virus creation, and virus engines.
  • Denial of service
  • Application of any of the above with reference to computer systems or data in which the relevant government has an interest.

The question of distribution is an interesting issue unique to computer viruses. If one makes a virus available on the web, but clearly labels it as such so that people downloading the file are aware of what they are getting into, can the distributor be held accountable? The consensus is that if the file is labeled then the person will probably not face criminal charges, although he or she may be sued for damages. The distributor could also potentially be charged under "incitement", for encouraging illegal behavior. The distribution of viruses via newsgroups and e-mail lists is easier to prosecute because these media practically force viruses onto people who do not know what they are receiving. In addition, there are the unsuspecting victims who unknowingly distribute viruses. At this point it is not illegal to ignorantly pass on a virus unless it can be proven that the virus was spread due to "carelessness".

Laws Still Need to Improve
Although legislation against computer viruses does exist, there is still much work to be done. In August of 2000 prosecutors were forced to dismiss all charges against Onel de Guzman, a former computer college student accused of having released the "I Love You" virus that attacked email systems around the world and caused an estimated $10 billion in damages. The reason for the dismissal of the charges was the lack of applicable legislation in the Philippine legal code. President Joseph Estrada immediately signed a law outlawing most computer-related crimes, but the law could not be applied retroactively to the "Love Bug" author. Unfortunately, this is not an isolated incident. According to the report "Cyber Crime… and Punishment?", conducted by the technology management consulting firm McConnell International, only nine of the 52 countries surveyed have amended their laws to cover cybercrimes. "The long arm of the law does not yet reach across the global Internet," stated Bruce McConnell, president of McConnell International. "Organizations must rely on their own defenses for now."

So what is being done to improve the situation? In April of 2000, the Council of Europe, an organization established to strengthen human rights and to promote democracy and the rule of law in Europe, released its draft Convention on Cyber-Crime. This represents the first multiparty attempt to address the problems presented by the spread of crime on computer networks. Former President Clinton also established an interagency Working Group on Unlawful Conduct on the Internet. The group, chaired by the Attorney General, was created in order to provide an initial analysis of legal and policy issues surrounding the misuse of the Internet. There seems to be a common theme among these national and international courses of action: both involve cooperation among many different people, agencies and governments. Cybercrime is a problem that defies all borders and boundaries, hence so must the law enforcement tools used against it.

For more information see the Justice Department's cybercrime site: http://www.cybercrime.gov

Sources

http://www.cbsnews.com/now/story/0,1597,192671-412,00.shtml : "The Hacking Culture," CBS News, May 19, 2000.

http://www.usdoj.gov:80/criminal/cybercrime or http://www.cybercrime.gov : Cybercrime website for the Department of Justice.

http://www.Loundy.com/E-LAW/E-Law4-full.html#VII : David J. Loundy. "E-LAW 4: Computer Information Systems Law and System Operator Liability," Seattle University Law Review, Volume 21, Number 4, Summer 1998.

http://vx.netlux.org/texts/laws/laws.htm : Links to anti-virus legislation for several states and countries.

http://www.landfield.com/faqs/computer-virus/alt-faq/part3/ : FAQs for alt.comp.virus.

http://special.northernlight.com/compvirus/weaklaws.htm : "Computer Crimes Face Weak Laws," Associated Press, December 7, 2000.