VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Viruses and the Law: Why the Law is Ineffective

John Montana
Information Management Journal, Oct 2000 v34 i4 p57
ISSN 1535-2897
October 2000

[Back to index] [Comments]

COPYRIGHT 2000 Association of Records Managers & Administrators (ARMA)

Increasingly, the Internet and electronic document interchange are required business tools. Where even a few years ago, Web sites and e-mail were novelties, and e-commerce virtually non-existent, these are now commonplace. Businesses of any size have Web sites, e-mail is ubiquitous, and e-commerce is booming.

Unfortunately, the increase in Internet usage and dependence has been accompanied by a commensurate increase in illegal and improper activities. Some of these phenomena are merely electronic versions of older activities - stock kiting, pyramid schemes, and the like, while others are uniquely Internet-based - viruses, worms, and other devices designed to disrupt Internet service or damage computers.

These objects' creators are somewhat unique in that there is apparently no economic motive for their actions. They are vandals, pure and simple, and their vandalism is enormously costly to the world economy. It has been estimated that viruses cost the U.S. economy several billion dollars a year (Violino 1996).

What is a Virus?

At its simplest, a virus is a small piece of self-replicating computer code. It may or may not contain instructions that cause an infected computer to erase directories, reformat drives, or send infected e-mails to other computers. Many other programs within a computer are capable of sending these commands as well. The only difference in the case of a computer virus is that the commands are sequenced in such a way as to do damage.

Legal Issues

In many countries, the nature of the legal system makes criminalizing of viruses a relatively simple matter. China, for example, has laws in place forbidding even discussion of computer viruses (Grable 1996). In the United States, however, things are not so simple; the very nature of viruses puts them in a category of objects that are difficult to regulate.

Any computer code is intellectual output and property with certain legal protections just the same as books or sound recordings. In the United States, such intellectual properties are legally considered a kind of speech and are entitled to legal protection under the Constitution's First Amendment.

Although there are limits on the protections afforded under the First Amendment, (e.g., you cannot shout "fire" in a crowded theater and claim First Amendment protection), generally, the government cannot prevent the creation or free dissemination of "speech." The government may impose "reasonable" time, place, and manner limitations on speech, but these limitations can only be put in place in response to an immediate need to protect the public welfare in a particular case. For example, people wishing to hold a public demonstration may have to get a permit or restrict their protest to a particular area.

When it comes to the mere creation of words or ideas, however, time, place, and manner restrictions are very difficult to enact in a manner that will withstand scrutiny by the courts. Over the years, a great many potentially dangerous intellectual products have appeared in the United States - books containing instructions on how to make bombs, magazine articles on assassination, books on how to make drugs, and many others. On a number of occasions, either federal or state government has attempted to suppress them on the grounds that they would encourage illegal or dangerous activity. The courts have routinely struck down such laws as restraints on free speech.

A similar analysis has been applied to computer code. The U.S. government attempted to restrict dissemination of encryption software by passing a law forbidding its posting on Internet sites, citing law enforcement and national security interests as the justification. A court determined that the code was speech and that the government could not so restrict its dissemination.1 As a result, it is not really possible, at least in the United States, to make mere development or possession of virus code illegal. Virus code is thus freely available through various Web sites and Internet chat groups.


Restrictions on the government's ability to regulate an object are not, however, absolute. Although the possession of virus code cannot be criminalized or prohibited, using it can. Thus, it is illegal to distribute computer code or place it in the stream of commerce with intent to cause damage or economic loss.2 Conceptualized in this manner, computer code regulation is comparable to regulation of firearms or other potentially harmful objects. It is not mere possession, or thoughts, or words that are regulated; rather, actions are regulated or criminalized. In this case, the damage to computer systems and the economic losses arising out of it are the focus of the law. This is the approach taken by the Computer Fraud and Abuse Act (CFAA)3, which provides criminal penalties for either knowingly or recklessly releasing a computer virus into computers used in interstate commerce.4

Penalties for perpetrators are potentially severe. In the United States, a successful prosecution under the CFAA can result in a prison sentence as long as 20 years5 and a fine up to $250,000 dollars.6 The perpetrator may face criminal charges under state law as well. Both the federal government and the courts have inclined toward severity for virus authors. Recent prosecutions under the CFAA and other computer crime statutes have resulted in significant jail sentences.7

Problems in Obtaining a Conviction

To prosecute someone for doing something knowingly, it is necessary to prove that they intended to do the culpable act. Intent is a mental state. Therefore, a successful prosecution requires that the state prove the defendant's mental state in order to obtain a conviction.

This may be done inferentially by deducing mental state from actions. Nonetheless, it remains an element of the offense, and failure to prove it to a judge's or jury's satisfaction may result in an acquittal. Even if the prosecution only attempts to prove reckless behavior, it must still prove that the defendant acted in blatant disregard of some standard of care - again, an element of mental culpability. The inherent difficulties are illustrated thusly: the first defendant convicted under the CFAA promptly challenged his conviction on the grounds that the court had misconstrued the element of intent.8

In addition, damage, or the potential for damage, must also be proven. For a widespread and virulent virus that erases hard drives or does other severe damage, it is relatively easy; however, the burden of proving these things and tying them to the defendant adds to the burden and complexity of the government's case.

The Global Nature of the Problem

Simply getting to the point of bringing a defendant to trial poses formidable challenge. Viruses are often released through spurious, stolen, or temporarily commandeered addresses. Therefore, tracking down the location of release is difficult. In addition, viruses may come from any country.

Studies have indicated that a substantial percentage of viruses are created in eastern block countries such as Bulgaria and the former Soviet Union (Davis 1994). Although many countries have strict laws against dissemination of viruses,9 others, particularly developing countries, do not (ABC News, 2000). Even if the originating country has such laws, it may be disinclined to impose severe penalties. The Taiwanese author of the destructive Chernobyl virus, for example, received only a reprimand from his school (Herbona, 1999).

Even with laws and the wish to enforce them, originating countries may not have trained personnel to collect and analyze the technical evidence critical to such a case. Their receptivity to help from law enforcement personnel from other jurisdictions may vary considerably, depending upon the country's politics and culture.

Collectively, these barriers are formidable obstacles. Legally, authorities first must identify the release location from among many potential locations over the entire planet; second, they must identify a potential perpetrator and tie the perpetrator to both the location and the virus; and last, they must prove a mental state of intent to cause damage and the actual damage, all beyond a reasonable doubt.

In the case of a foreign perpetrator, there is the need to

Political and cultural considerations often make accomplishing these things difficult or impossible. As one commentator observed about cyber-crime generally, "There are serious evidentiary and jurisdictional questions in these cases. Law enforcement may be presenting you with a perfectly good case, against a defendant in Kuala Lumpur" (ZDNet News, quoting Rasch, 1999). A perpetrator who disables computers in western countries may be viewed as a hero and may profit considerably from his actions. The Chernobyl virus' creator, for example, was eagerly sought after for employment by Taiwanese high-tech firms (Reuters 1999).

There remains one final hurdle. The above commentator also noted, "Juveniles are frequently the ones who get caught. So while the FBI may be able to put together a perfectly cohesive case against a juvenile, that's the kind of case that may be declined by the United States Attorney's office at their discretion" (ZDNet News, quoting Rasch, 1999).

The Result

The end result is that few virus perpetrators are found and prosecuted. In the average month, as many as 500 new viruses may be created and set loose on the Internet (Vibert 1998). Only occasionally is the author successfully located and prosecuted. In 1998, the FBI and all other federal investigative agencies sent 419 computer crime cases to federal prosecutors, of which only a handful involved viruses. In only 83 cases were charges actually filed. Of cases completed the same year, there were only 21 convictions for computer crimes of all types (ZDNET News, quoting Banisar, 1999). Again, only a handful were for virus dissemination.

Will this change? Will the law someday successfully discourage virus authors from their nefarious work? Probably not. The issues discussed are difficult to change or overcome. Ultimately, the solution is technical - better anti-virus software, e-mail packages, and the like - and cultural - people must learn to be careful about backups, e-mail attachments, and so on. In this respect, viruses are like many other criminal activities; however draconian the sanctions may be, the behavior easily eludes all but a few prosecutions, a reality that is simply inadequate to deter future perpetrators. Ultimately, the solutions rest with us, the user community.


1 Bernstein v. United States Department of State, No. C-95-0582, (N.D. Calif. 1997)

2 The Computer Fraud and Abuse Act, 18 U.S.C. [sections] 1030.

3 18 U.S.C. [sections] 1030

4 The reader may wonder why release into interstate commerce is a requirement. This is due to the federal nature of the U.S. system of government. Under the provisions of the U.S. Constitution, only certain powers are enumerated to the federal government. All others are left to the states. Thus, if the federal government is to legally regulate or criminalize an activity, it can only do so of the activity is related to a federal power. One of the enumerated powers is the power to regulate interstate commerce, and this power has commonly been used as the vehicle for regulating a wide variety of activities that, without the interstate commerce concept, would clearly be state questions.

5 18 U.S.C. [sections] 1030 (c)(B).

6 18 U.S.C. [sections] 3571(b)(4).

7 See, e.g., United States v. Mitnick, No. CR 96-881-MRP, (Cen. Dist Calif.) (3 1/2 year prison sentence).

8 United States v. Morris, 928 F.2d 504, (2nd Cir 1991), cert. denied 502 U.S. 817

9 See, Grable, Jim. "Treating Smallpox with Leeches: Criminal Culpability of Virus Writers and Better Ways to Beat Them at Their Own Game." Computers and the Law, no. 24 (Spring 1996).


John C. Montana, J.D., is an attorney and records management consultant based in Landenburg, Pennsylvania. He may be reached at [email protected]

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka