VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Viruses and Criminal Law

Michael Gemignani
Communications of the ACM, Volume 32 Number 6, pp.669-671
ISSN 0001-0782
June 1989

PDFDownload PDF (729.26Kb) (You need to be registered on forum)
[Back to index] [Comments]

Harry the Hacker broke into the telephone company computer and planted a virus that he expected would paralyze all telephone communications in the United States. Harry's efforts, however, came to naught. Not only did he make a programming error that made the virus dormant until 2089 instead of 1989, but he was also unaware that the telephone company's computer was driven by a set of preprogrammed instructions that were isolated from the effects of the virus. An alert computer security officer, aided by automated audits and alarm systems, detected and defused Harry's logic bomb.

A hypothetical situation, yes, but not one outside the realm of possibility. Let us suppose that Harry bragged about his feat to some friends in a bar, and a phone company employee who overheard the conversation reported the incident to the police and gave them Harry's name and address. Would Harry be guilty of a crime? Even if Harry had committed a crime, what is the likelihood that he could be convicted.

Before attempting to answer these questions, we must first know what a crime is. A crime is an act that society, through its laws, has declared to be so serious a threat to the public order and welfare that it will punish anyone who commits the act. An act is made criminal by being declared to be a crime in a duly enacted statute. The statute must be clear enough to give reasonable notice as to what is prohibited and must also prescribe a punishment for taking the action.

The elements of the crime must be spelled out in the statute. In successful prosecution, the accused must have performed acts that demonstrate the simultaneous presence of all of the elements of the crime. Thus, if the statute specifies that one must destroy data to have committed an alleged crime, but the act destroyed no data, then one cannot be convicted of that crime. If the act destroyed only student records of a university, but the statute defines the crime only for a financial institution, then one cannot be convicted under the statute.

All states now have criminal statutes that specifically address certain forms of computer abuse. Many misdeeds in which the computer is either the instrument or object of the illicit act can be prosecuted as more traditional forms of crime, such as stealing or malicious mischief. Because we cannot consider all possible state and federal statutes under which Harry might be prosecuted, we will examine Harry's action only in terms of the federal computer crime statute.

The United States Criminal Code, title 18, section 1030(a)(3), defines as criminal the intentional, unauthorized access to a computer used exclusively by the federal government, or any other computer used by the government when such conduct affects the government's use. The same statute, in section 1030(a)(5)(A), also defines as criminal the intentional and unauthorized access to two or more computers in different states, and conduct that alters or destroys information and causes loss to one or more parties of a value of at least $1000.

If the phone company computer that Harry illicitly entered was not used by the federal government, Harry cannot be charged with a criminal act under section 1030(a)(3). If Harry accesses two computers in different states, and his action alters information, and it causes loss to someone of a value of at least $1000, then he can be charged under section 1030(a)(5)(A). However, whether these conditions have been satisfied may be open to question.

Suppose, for example, that Harry plants his logic bomb on a single machine, and that after Harry has disconnected, the program that he loaded transfers a virus to other computers in other states. Has Harry accessed those computers? The law is not clear. Suppose Harry's act does not directly alter information, but merely replicates itself to other computers on the network, eventually overwhelming their processing capabilities as in the case of the Internet virus on November 2, 1988. Information may be lost, but can that loss be directly attributed to Harry's action in a way that satisfies the statute? Once again, the answer is not clear-cut.

And what of the $1000 required by the statute as an element of the crime? How is the loss measured? Is it the cost of reconstructing any files that were destroyed? Is it the market value of files that were destroyed? How do we determine these values, and what if there were adequate backups so that the files could be restored at minimal expense and with no loss of data? Should the criminal benefit from good operating procedures on an attacked computer? Should the salaries of computer personnel, who would have been paid: anyway, be included for the time they spend to bring the system up again? If one thousand users each suffer a loss of one dollar, can one aggregate these small losses to a loss sufficiently large to be able to invoke the statute? The statute itself gives us noguidance so the courts will have to decide these questions.

No doubt many readers consider questions such as these to be nit-picky. Many citizens already are certain that guilty parties often use subtle legal distinctions and deft procedural maneuvers to avoid the penalities for their offenses. "If someone does something wrong, he or she should be punished and not be permitted to hide behind legal technicalities," so say many. But the law must be the shield of the innocent as well as a weapon against the malefactor. If police were free to invent crimes at will, or a judge could interpret the criminal statutes to punish anyone who displeased him or her, then we would face a greater danger to our rights and freedoms than computer viruses. We cannot defend our social order by undermining the very foundations on which it is built.

The difficulties in convicting Harry of a crime, however, go beyond the questions of whether he has simultaneously satisfied each condition of some crime with which he can be charged. There remain the issues of prosecutorial discretion and the rules of evidence.

Prosecutors have almost absolute discretion concerning what criminal actions they will prasecute. That a prosecutor can refuse to charge someone with a crime, even someone against whom an airtight case exists, comes as a shlck to many citizens who assume that once the evidence exists that someone has committed a crime, that person will be arrested and tried.

There are many reasons why a prosecutor may pass up the chance to nail a felon. One is that the caseload of the prosecutor's office is tremendous, and the prosecutor must choose the criminals who pose the greatest danger to society. Because computer crimes are often directed against businesses rather than persons and usually carry no threat of bodily injury, they are often seen as low priority cases by prosecutors. Even computer professionals themselves do not seem io think that computer crime is very serious. In a 1984 survey by the American Bar Association, respondents rated computer crime as the third least significant category of illicit activity, with only shoplifting and illegal immigration being lower. With such attitudes among those responsible for computer security, who can blame prosecutors for turning their attention to crimes the public considers to be more worthy of law enforcement's limited resources?

Even if the prosecutor is quite knowledgeable about computers, few judges and even fewer jurors are. The presentation of the case, therefore, will be more difficult and time consuming, and the outcome less predictable.

Underlying the assessment of priority is a general lack of understanding about computers among prosecutors. Thus, a prosecutor would have to spend an unusual amount of time to prepare a computer crime case as opposed to a case that dealt with a more traditional, and hence better understood, mode of crime. Moreover, even if the prosecutor is quite knowledgeable about computers, few judges and even fewer jurors are. The presentation of the case, therefore, will be more difficult and time consuming, and the outcome less predictable. I am familiar with a case that took hundreds of hours to prepare and resulted in a conviction, but the judge sentenced the convicted criminal to pay only a small fine and serve two years probation. With such a result, one cannot be surprised that prosecutors ignore computer criminals when there are so manv felons that courts obviously consider more worthwhile.

Suppose, for the sake of argument, that we have a prosecutor who is willing to seek an indictment against Harry and bring him to trial. Even then, computer-related crimes can pose special evidentiary problems. Remember that to convict Harry, the prosecutor must convince a jury beyond a reasonable doubt that Harry committed an act in which all of the elements of the crime were found simultaneously. The elements of the crime cannot be found to exist in the abstract; they must be found to apply specifically to Harry.

Apart from having to prove that the act caused the requisite amount of damage and that the computers used were those specified by the statute, the prosecutor would have to show that Harry committed the act and that he did so intentionally and without authorization. Because Harry was using someone else's account number and password, tying Harry to the crime might be difficult unless unusual surveillance was in place. A gunman and his weapon must be physically present at the teller's window to rob the bank, but a computer criminal may be thousands of miles away from the computer that is attacked. A burglar must physically enter a house to carry off the loot and may, therefore, be observed by a witness; moreover, it is generally assumed that someone carrying a television set out of a darkened house in the middle of the night is up to no good. By contrast, a computer criminal can work in isolation and secrecy, and few, if any, of those who happen to observe are likely to know what he is doing.

The evidence that ties the computer criminal to the crime, therefore, is often largely circumstantial; what is placed before the jury is not evewitness testimonv, but evidence from which the facts can only be reasonably inferred. Although convictions on the basis of circumstantial evidence alone are possible, they are often harder to obtain.

Adding to the prosecutor's difficulties in getting convincing evidence about Harry's acts are the unsettled constitutional issues associated with gathering that evidence. Does Harry have a reasonable expectation that his computer files are private? If so, then a search warrant must be obtained before they can be searched and seized. If Harry's files are enciphered, then must Harry furnish the key to decryption, or would he be protected from having to do so by his Fifth Amendment right against self-incrimination? The evidence that would convict Harry won't do the prosecutor much good if it is thrown out as having been obtained by impermissible means.

In the face of these difficulties, some have introduced bills into Congress and into some state legislatures that prohibit planting a virus in a computer system. But drafting a responsible computer crime bill is no easy task for legislators. The first effort at federal computer crime has proscribed, and even imposed heavy penalties for, standard computing practices. It did not clearly define what acts were forbidden. It was so broad that one could have been convicted of a computer crime for stealing a digital watch, and it did not cover nonelectronic computers. The bill was never enacted.

If we want a statute that targets persons who disrupt computer systems by planting viruses, then what do we look for in judging the value of proposed legislation?

Is the proposed statute broad enough to cover activity that should be prohibited but narrow enough not to unduly interfere with legitimate computer activity? Would an expert be able to circumvent the statute by designing a harmful program that would not be covered by the statute? Does the proposed statute clearly define the act that will be punished so as to give clear notice to a reasonable person? Does the act distinguish between intentional acts and innocent programming errors? Does the statute unreasonably interfere with the free flow of information? Does it raise a First Amendment free speech problem? These and other questions must be considered in developing any new computer crime legislation.

Where do I personally stand with regard to legislation against viruses, logic bombs, and other forms of computer abuse? It is not enough to say I am against conduct that destroys valuable property and interferes with the legitimate flow of information. The resolution of legal issues invariably involves the weighing of competing interests, e.g., permitting the free flow of information v. safe-guarding a system against attack. Even now, existing criminal statues and civil remedies are powerful weapons to deter and punish persons who tamper with computer systems. I believe that new legislation should be drawn with great care and adopted only after an open discussion of its merits by informed computer professionals and users.

The odds are that Harry the Hacker will never be charged with a crime, or, if charged, will get off with a light sentence. And that is the way it will remain unless and until society judges computer crimes, be they planting viruses or stealing money, to be a sufficiently serious threat to the public welfare to warrant more stringent and careful treatment. If such a time comes, one can only hope that computing professionals and societies such as the ACM will actively assist legislatures and law enforcement officials in dealing with the problem in an intelligent and technologically competent manner.

Michael Gemignani
Senior Vice President and Provost
University of Houston at Clear Lake
Houston, TX 77059
[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka