[Comp.Sci.Dept, Utrecht] Note from archiver<at>cs.uu.nl: This page is part of a big collection of Usenet postings, archived here for your convenience. For matters concerning the content of this page, please contact its author(s); use the source, if all else fails. For matters concerning the archive as a whole, please refer to the archive description or contact the archiver.

Subject: [alt.comp.virus] FAQ Part 3/4

This article was archived around: 23 Mar 2000 20:09:06 GMT

All FAQs in Directory: computer-virus/alt-faq
All FAQs posted in: alt.comp.virus, comp.virus
Source: Usenet Version


Archive-name: computer-virus/alt-faq/part3 Posting-Frequency: Fortnightly URL: http://www.sherpasoft.org.uk/acvFAQ/ Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel
-----BEGIN PGP SIGNED MESSAGE----- alt.comp.virus (Frequently Asked Questions) ******************************************* Version 1.1 : Part 3 of 4 Last modified 19th August 1999 ("`-''-/").___..--''"`-._ `6_ 6 ) `-. ( ).`-.__.`) (_Y_.)' ._ ) `._ `. ``-..-' _..`--'_..-_/ /--'_.' ,' (il),-'' (li),' ((!.-' ADMINISTRIVIA ============= Disclaimer - ---------- This document is an honest attempt to help individuals with computer virus-related problems and queries. It can *not* be regarded as being in any sense authoritative, and has no legal standing. The authors accept no responsibility for errors or omissions, or for any ill effects resulting from the use of any information contained in this document. It should not be assumed that this document is up-to-date in all respects. Not all the views expressed in this document are those of the maintainers, and those views which *are* those of the maintainers are not necessarily shared by their respective employers. Copyright Notice - ---------------- Copyright on all contributions to this FAQ remains with the authors and all rights are reserved. It may, however, be freely distributed and quoted - accurately, and with due credit. B-) It may not be reproduced for profit or distributed in part or as a whole with any product or service for which a charge is made, except with the prior permission of the copyright holders. To obtain such permission, please contact one of the co-maintainers of the FAQ. David Harley <D.Harley@icrf.icnet.uk> George Wenzel <gwenzel@telusplanet.net> Bruce Burrell <bpb@umich.edu> [Please check out the more detailed copyright notice at the beginning of part 1 of the FAQ] - ------------------------------------------------------------------------ TABLE OF CONTENTS ***************** ++ See Part 1 of this FAQ for the full Table of Contents Part 3 ------ (13) What are the legal implications of computer viruses? (13) What are the Legal Implications of Computer Viruses? ========================================================= ********************************************************************** The material in this section has no formal legal standing. It consists of several persons' attempts to interpret and clarify the legal issues, and cannot possibly be authoritative. If you want bona-fide legal advice, seek a qualified lawyer. This section hasn't been updated in a good while, and isn't likely to be in the near future, so it can't possibly be more than a rough guide to the issues. ********************************************************************** Overview - -------- It isn't possible to deal briefly with all the relevant legislation in one country, let alone all of them. In the USA, local statutes may be much more rigorous than federal legislation, which is, arguably, more concerned with computers in which the government has an interest than it is with those belonging to individuals. In many countries, writing of viruses is not an offence in itself, whereas in others, not only is this not the case, but distribution, even the sharing of virus code between antivirus researchers is, at least technically, also an offence. Once a virus is released 'into the wild', it is likely to cross national boundaries, making the writer and/or distributor answerable for his/her actions under a foreign legal system, in a country he/she may never have visited. Where virus writing and distribution may not apply locally in a particular case, the individual may nevertheless be subject to civil action: in other words, where you may be held to have committed no offence, you may still be sued for damage. Some of the grounds on which virus writing or distribution may be found to be illegal (obviously I'm not stating that all these grounds will apply at all times in all states or countries!) include: * Unauthorized access - you may be held to have obtained unauthorised access to a computer you've never seen, if you are responsible for distribution of a virus which infects that machine. * Unauthorized modification - this could be held to include an infected file, boot sector, or partition sector. * Loss of data - this might include liability for accidental damage as well as intentional disk/file trashing. * Endangering of public safety * Incitement (e.g. making available viruses, virus code, information on writing viruses, and virus engines) * Denial of service * Application of any of the above with reference to computer systems or data in which the relevant government has an interest. Since the law does vary widely from country to country (and even within countries), it is entirely possible for one to break the law of another country, state, province, or whatever, without ever leaving your own, and since extradition treaties do exist, perhaps it's best to assume that any act that might be construed as being or causing wilful and malicious damage to a computer or computer system could get you a roommate with undesirable tendencies and no social graces. :) The best advice to give to any one contemplating a possibly illegal act would be to contact their local Crown Prosecutor, Crown Attorney, District Attorney, or whatever label the local government prosecutor wears. Acting on the advice of one's own attorney doesn't render one immune from prosecution, and the cost of defence can be high, even if successful. An extremely biased opinion is that very often attorneys attempt to provide the answer they believe the client wishes to hear, or give an opinion in areas where they have no real expertise. Prosecutors, on the other hand, tend to look at a particular action in the light of whether a successful prosecution can be mounted. If the local Crown Prosecutor were to suggest that something was a Bad Thing, I should be extremely nervous about doing it. :) USA & Canada - ------------ The following is an interpretation of the laws in the USA and Canada, and has no legal standing as an authoritative document in those countries or any other. Relevant legislation in other parts of the world may be very different and in some cases far stricter. Many thanks to David J. Loundy for his assistance with the legalities regarding computer crime. A valuable source of information on this topic can be found in his E-Law paper, which can be accessed via the URL: http://www.Loundy.com/E-LAW/E-Law4-full.html It is illegal in both the USA and Canada to damage data within a computer system which is used or operated by the government. This means that if you write a virus, and it eventually infects a government system (highly probable), you are in violation of the law. Inclusive in this category are damages incurred due to computer stoppages (i.e. writing a virus that causes a computer to crash or become unusable), and viruses that destroy data. The question regarding the writing of malevolent computer viruses being illegal isn't really that hard to answer: It is illegal to write and spread a virus that infects a government system. Federal law is unclear as to whether this extends to private computer systems as well, but State statutes are frequently unequivocal about defining virus-related crimes against property. The question has come up, however, about the distribution of viruses and virus-related programs. A general guideline is that it is legal to distribute viruses, for example, on a BBS, as long as the people who are downloading the virus know EXACTLY what they are getting. If you intentionally infect a file and make it available for downloading, you may be subject to prosecution. Your conscience should be your guide in this kind of a situation. If a virus distributed by you is used to damage or otherwise modify a major system, you can be held accountable. Note that there are different kinds of distribution for viruses. If you simply make a virus available on a web page, and clearly label it as such, then you are unlikely to face any (criminal) consequences. The possibility exists, however, that you could be charged under "incitement" laws - in other words, it could be argued that distributing viruses on web pages (even if clearly labeled as such) amounts to inciting other people to use the viruses to break laws. If you distribute the virus via newsgroups, however, you may be held liable. Distributing viruses via newsgroups, e-mail lists, and the like can lead to prosecution because these media 'push' viruses to people who would otherwise not want them on their systems. This is not the case with simply placing a virus on a web page (provided your ISP doesn't have problems with it). Keep in mind, however, that an ISP's stance on viruses can change quickly if negative publicity comes about due to their inaction in removing the viruses on their systems. The reason that the explanations in this section are vague is that the laws in various states, provinces, etc., are different, and you should check with your local police before you decide you want to distribute viruses. If you spread a virus unknowingly, you generally cannot be prosecuted unless it can be proven that you spread the virus due to pure carelessness. The definition of carelessness has not been tested in a court of law, as far as I know at the date of writing (9/22/95) The Canadian Criminal Code - -------------------------- Please bear in mind that the following information was culled from the Criminal Code in 1993 and those sections may have been expanded or revised since then, or possibly some computer-specific legislation may have been enacted of which we are unaware. No mention is made in the Code (as of 1993) of computer viruses as such, but it would seem that prosecution under Sec. 430 (Mischief) or section 342.1 (Unauthorized use of computer) would be appropriate. Apparently the laws governing trespass have not been considered as having any application in cyberspace. Offenders under section 342.1 would be charged with mischief, which covers a multitude of sins under Canadian law. The penalties stipulated in Sec. 342.1 are the same as the penalties for sabotage, just as a point of interest. A prosecutor would probably deal with incitement (i.e. inciting somebody else to maliciously use viruses) under Sec. 21 (Parties to offence), Sec. 463 (Attempts), or Sec. 465 (Conspiracy). Sec. 21-24 of the Criminal Code may be of interest because they detail aiding and abetting, incitement, and related issues which have some application in the realm of viruses. Under certain circumstances, laws in other countries may be applicable in cyberspace, where there are no formal territorial boundaries. For instance, Sec. 465 (4) of the Canadian Criminal Code stipulates that every one, "while in a place outside Canada" conspires to commit an offence in Canada "shall be deemed to have conspired in Canada to do that thing." The UK - ------ In the UK, the Computer Misuse Act makes it a crime to make an unauthorised modification on a computer. If you own a computer, you can authorise anything you want for that computer, so you can spread a virus on a computer you own. A virus makes a modification, so if someone deliberately spreads a virus on someone else's computer, that's a crime. Giving a virus to someone else isn't a crime if it's with his/her knowledge and permission, however. So, sending a diskette with a virus on to an AV company, together with a note saying "There's a virus on this disk, please investigate it for me" is legal. If an action is a crime, then encouraging that action can also be a crime ("incitement"). If you spread a virus unwittingly, then it isn't a crime, as you don't have "intent". If someone is negligent, and so spreads a virus (even unwittingly), then there could be a civil action for damages through negligence. Further Information - ------------------- Computer Crime (Icove, Seger, Von Storch) - O'Reilly Computer Law & Security Report (periodical) - Elsevier Advanced Technology Dr. Alan Solomon includes information on Hacking and Virus Laws in the UK and elsewhere on his webpage at: http://www.pcug.co.uk/~drsolly/ The ICSA has details on state computer crime laws: http://www.icsa.net/icsalaws/ Try also: http://www.law.cornell.edu/ - ----------------------------------------------------------------------- End of a.c.v. FAQ Part 3 of 4 -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com> Comment: PGP Key ID 0xDCC35C75 available on Keyservers iQCVAwUBN7xpObcpzG7cw1x1AQELYAP/XC7bnLxDZLO46JQNy5SN9Y7nlVbGhzen 31HAtN1Xsz2vLaqHV/EUKgFQFz+JFUJY35F24iVGqknZLYu2edyC/tjO/FOAv/kX qHOh4mEeXYXEf/AsXck3hrnwDMw3z+DR7lgSqeJzE4bri8DKEDsBrCyuBmE0DmsK BpFyL0Jc6ak= =ogr9 -----END PGP SIGNATURE-----