Viruses, Worms and Trojan Horses
Early in August of 2003, a new piece of malicious code was propagated widely throughout the internet. The code was known as W32.Blaster.Worm and exploited certain deficiencies in Microsoft Windows. Compromised systems were then unwittingly put to use in locating and further compromising other computer systems. Symptoms included the automatic shutdown of Windows whenever the user went online. The Blaster Worm also had the ability to launch a denial-of-service type attack against windowsupdate.com, although this eventuality was precluded by Microsoft prior to its planned execution on 16 August 2003. A full technical breakdown of the Blaster Worm can be found on a number of websites, including the fulsome treatment found on Carnegie Mellon University’s CERT Coordination Center.
Of course, despite some protestations to the contrary, viruses and other malicious code can cause widespread damage with millions of pounds worth of damage (in data loss, time taken etc.) accruing to companies, charities and government organisations. Although the W32.Blaster.Worm was (comparatively) benign, the author and propagator was certainly in breach of the law – and may (who knows?) one day be called to account for his or her actions.
First, some terminology. There are a bewildering variety of terms used in this field (including retrovirus; polymorphic virus; and stealth virus) which can sound more like medical conditions than computer programs. The three most common are as follows. A virus is a program which replicates itself, infecting computer files and often deleting or corrupting data, or otherwise causing mischief. A worm is a virus which copies itself, often through e-mail, and may damage or compromise computer or network security. A Trojan horse is a virus which hides inside another file, and relies on the user to replicate it (often masquerading as a joke file or similar to induce replication). These and many other useful terms are explained by Authentec International.
In terms of online information on the law as it applies to information technology and its uses, the best of the bunch is provided by Edinburgh firm Murray Beith Murray WS on their specialist sub-site, Elaw.co.uk. As the site explains in its helpful free advice section, computer misuse (such as distributing viruses or hacking computer systems) may constitute one or more of several relevant offences. The pertinent provisions can be found in: Copyright Directive 2001/29/EC; Criminal Justice (Scotland) Act 1980; Data Protection Act 1998; at common law; and, of course, the Computer Misuse Act 1990.
The Computer Misuse Act 1990 is, obviously, over ten years old now. In I.T. terms, ten years represents several generations, yet the Act has managed to retain its effectiveness (when used) by concentrating on the intent and purpose of the computer use, rather than forbidding any particular actions, which would quickly become obsolete. It sets out three offences, relating to:
- unauthorised access to computer material (Section 1);
- unauthorised access with intent to commit or facilitate commission of further offences (Section 2); and
- unauthorised modification of computer material (Section 3).
Although it may sound like Section 3 is intended to forbid nefarious switching of your keyboard keys, it actually covers the kind of modifications that viruses seek to effect in computers worldwide.
Interestingly, the scope of the Act is pretty much global. For example, the sheriff has jurisdiction in relation to Section 3 offences where the unauthorised modification took place within the sheriffdom. A similar rule applies to unauthorised access under the first and second sections. Therefore, the author and propagator of the W32.Blaster.Worm which infiltrated my laptop all last week, although he or she probably didn’t realise it, was committing an offence under UK law, for which he or she could (in theory) be tried in Glasgow Sheriff Court and sentenced, on indictment, to up to five years imprisonment and fined.
The Act has, in fact, recently been put to such use, with 22 year old web designer Simon Vallor from North Wales convicted for writing and spreading the Gokar, Redesi and Admirer viruses which infected over 27,000 computers in over 42 countries worldwide. Despite an unsuccessful appeal to reduce his sentence, he received a two year prison sentence for his efforts. Not all jurisdictions take such a hard line. The author of the virulent "Anna Kournikova" worm received just 150 hours community service from a Dutch court in 2001.
There seems to be a discrepancy in sentencing terms, between the treatment of offenders who use computers to inflict damage and those who do it the old fashioned way, with a half-brick or baseball bat. Recent (somewhat farfetched) attempts to paint hackers and virus authors as "cyber-terrorists" may serve to change judicial attitudes (particularly in the US). There are also difficulties where the local jurisdiction has no adequate laws forbidding the would-be cyber-criminal. For example, the suspected author of the "love bug" escaped prosecution because the Philippines had inadequate computer crime legislation. Perception on the part of the victim is also removed from the reality. As Graham Cluley of Computer Weekly points out in an excellent article titled "Cybercrime and Punishment":
"If you arrived at the office one Monday morning and found your desk ransacked and private documents missing, you would call the police immediately. Yet comparable crimes take place on business computers every hour of every day and are almost always left unreported to the authorities."
One of the problems in the "Anna Kournikova" worm prosecution was a lack of businesses wishing to own up to having been effected and having suffered loss due to the worm (as this would have highlighted the deficiencies in their own IT security).
If perceptions of viruses are not as they might be among the victims of crime, then what can we expect from the perpetrators? Simon Vallor tried to argue that his viruses did no real harm, though this was demonstrably untrue. There is a debate which rages (mainly online) about the ethics of creating viruses. One interesting point made is that those who create viruses are simply exercising their rights to free speech (US Constitution) or freedom of expression (European Convention on Human Rights) in that viruses are merely a type of computer program (which is a form of speech or expression) and therefore should not be restricted as to do so would run contrary to what the internet should be all about. This issue and many others are explored in a comprehensive and thorough article by Sophos Anti-Virus called "Is virus writing really that bad?". Needless to say, Sophos take the line that it is, and call for more consistency and severity in law enforcement approaches worldwide. One contributor, in calling for the extradition of virus creators, compares them to "murderers and terrorists"!
The legal issues are not just criminal, either. As London law firm Elborne Mitchell outline in their article "Short Changed", there may be significant civil liability arising from a viral infection – even possibly extending to those who have negligently passed a virus on. There is also the more significant issue of insurance. The article suggests that "computer virus" may have to be specified as an insured risk in order to be covered for damage caused in that way, but the position may be different for "all risk" policies. The article is well worth reading, as is one by another English law firm, Neil Myerson Solicitors. The article confirms that a company or organisation may be held liable in civil damages for spreading a virus in breach of contract or negligently. It suggests that an appropriately worded disclaimer be included in all e-mail headers, websites and in terms and conditions of business. A free style disclaimer is available for download from the Elaw.co.uk site.
This article was written by Iain Nisbet of Govan Law Centre.
It first appeared in SCOLAG Legal Journal in September 2003.
Please read our disclaimer.