Note from archiver<at>cs.uu.nl:
This page is part of a big collection
of Usenet postings, archived here for your convenience.
For matters concerning the content of this page,
please contact its author(s); use the
source, if all else fails.
For matters concerning the archive as a whole, please refer to the
or contact the archiver.
Subject: [alt.comp.virus] FAQ Part 3/4
This article was archived around: 23 Mar 2000 20:09:06 GMT
Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel
-----BEGIN PGP SIGNED MESSAGE-----
alt.comp.virus (Frequently Asked Questions)
Version 1.1 : Part 3 of 4
Last modified 19th August 1999
`6_ 6 ) `-. ( ).`-.__.`)
(_Y_.)' ._ ) `._ `. ``-..-'
_..`--'_..-_/ /--'_.' ,'
(il),-'' (li),' ((!.-'
This document is an honest attempt to help individuals with computer
virus-related problems and queries. It can *not* be regarded as being
in any sense authoritative, and has no legal standing. The authors
accept no responsibility for errors or omissions, or for any ill effects
resulting from the use of any information contained in this document.
It should not be assumed that this document is up-to-date in all
Not all the views expressed in this document are those of the maintainers,
and those views which *are* those of the maintainers are not necessarily
shared by their respective employers.
Copyright on all contributions to this FAQ remains with the authors
and all rights are reserved. It may, however, be freely distributed
and quoted - accurately, and with due credit. B-)
It may not be reproduced for profit or distributed in part or as a whole
with any product or service for which a charge is made, except with
the prior permission of the copyright holders. To obtain such permission,
please contact one of the co-maintainers of the FAQ.
David Harley <D.Harley@icrf.icnet.uk>
George Wenzel <email@example.com>
Bruce Burrell <firstname.lastname@example.org>
[Please check out the more detailed copyright notice at the beginning
of part 1 of the FAQ]
TABLE OF CONTENTS
++ See Part 1 of this FAQ for the full Table of Contents
(13) What are the legal implications of computer viruses?
(13) What are the Legal Implications of Computer Viruses?
The material in this section has no formal legal standing. It consists
of several persons' attempts to interpret and clarify the legal
issues, and cannot possibly be authoritative. If you want bona-fide
legal advice, seek a qualified lawyer.
This section hasn't been updated in a good while, and isn't likely
to be in the near future, so it can't possibly be more than a rough
guide to the issues.
It isn't possible to deal briefly with all the relevant legislation in
one country, let alone all of them. In the USA, local statutes may be
much more rigorous than federal legislation, which is, arguably, more
concerned with computers in which the government has an interest than
it is with those belonging to individuals.
In many countries, writing of viruses is not an offence in itself,
whereas in others, not only is this not the case, but distribution,
even the sharing of virus code between antivirus researchers is,
at least technically, also an offence.
Once a virus is released 'into the wild', it is likely to cross
national boundaries, making the writer and/or distributor answerable
for his/her actions under a foreign legal system, in a country
he/she may never have visited.
Where virus writing and distribution may not apply locally in a
particular case, the individual may nevertheless be subject to
civil action: in other words, where you may be held to have
committed no offence, you may still be sued for damage.
Some of the grounds on which virus writing or distribution may be
found to be illegal (obviously I'm not stating that all these grounds
will apply at all times in all states or countries!) include:
* Unauthorized access - you may be held to have obtained unauthorised
access to a computer you've never seen, if you are responsible for
distribution of a virus which infects that machine.
* Unauthorized modification - this could be held to include an infected
file, boot sector, or partition sector.
* Loss of data - this might include liability for accidental damage as
well as intentional disk/file trashing.
* Endangering of public safety
* Incitement (e.g. making available viruses, virus code, information
on writing viruses, and virus engines)
* Denial of service
* Application of any of the above with reference to computer systems or
data in which the relevant government has an interest.
Since the law does vary widely from country to country (and even
within countries), it is entirely possible for one to break
the law of another country, state, province, or whatever, without ever
leaving your own, and since extradition treaties do exist, perhaps it's
best to assume that any act that might be construed as being or causing
wilful and malicious damage to a computer or computer system could
get you a roommate with undesirable tendencies and no social graces. :)
The best advice to give to any one contemplating a possibly illegal act
would be to contact their local Crown Prosecutor, Crown Attorney,
District Attorney, or whatever label the local government prosecutor
wears. Acting on the advice of one's own attorney doesn't render one
immune from prosecution, and the cost of defence can be high, even if
An extremely biased opinion is that very often attorneys attempt to
provide the answer they believe the client wishes to hear, or give an
opinion in areas where they have no real expertise. Prosecutors, on
the other hand, tend to look at a particular action in the light of
whether a successful prosecution can be mounted. If the local Crown
Prosecutor were to suggest that something was a Bad Thing, I should be
extremely nervous about doing it. :)
USA & Canada
The following is an interpretation of the laws in the USA and
Canada, and has no legal standing as an authoritative document in
those countries or any other. Relevant legislation in other parts of
the world may be very different and in some cases far stricter.
Many thanks to David J. Loundy for his assistance with the legalities
regarding computer crime. A valuable source of information on this
topic can be found in his E-Law paper, which can be accessed
via the URL:
It is illegal in both the USA and Canada to damage data within
a computer system which is used or operated by the
government. This means that if you write a virus, and it
eventually infects a government system (highly probable),
you are in violation of the law. Inclusive in this category
are damages incurred due to computer stoppages (i.e.
writing a virus that causes a computer to crash or become
unusable), and viruses that destroy data.
The question regarding the writing of malevolent computer
viruses being illegal isn't really that hard to answer: It is
illegal to write and spread a virus that infects a government
system. Federal law is unclear as to whether this extends to
private computer systems as well, but State statutes are frequently
unequivocal about defining virus-related crimes against property.
The question has come up, however, about the distribution
of viruses and virus-related programs. A general guideline
is that it is legal to distribute viruses, for example, on a BBS,
as long as the people who are downloading the virus know
EXACTLY what they are getting. If you intentionally infect a
file and make it available for downloading, you may be
subject to prosecution. Your conscience should be your
guide in this kind of a situation. If a virus distributed by you
is used to damage or otherwise modify a major system, you can be
Note that there are different kinds of distribution for viruses.
If you simply make a virus available on a web page, and clearly
label it as such, then you are unlikely to face any (criminal)
consequences. The possibility exists, however, that you could
be charged under "incitement" laws - in other words, it could
be argued that distributing viruses on web pages (even if clearly
labeled as such) amounts to inciting other people to use the
viruses to break laws.
If you distribute the virus via newsgroups, however,
you may be held liable. Distributing viruses via newsgroups, e-mail
lists, and the like can lead to prosecution because these media 'push'
viruses to people who would otherwise not want them on their systems.
This is not the case with simply placing a virus on a web page (provided
your ISP doesn't have problems with it). Keep in mind, however, that
an ISP's stance on viruses can change quickly if negative publicity
comes about due to their inaction in removing the viruses on their
The reason that the explanations in this section are vague
is that the laws in various states, provinces, etc., are
different, and you should check with your local police before
you decide you want to distribute viruses.
If you spread a virus unknowingly, you generally cannot be
prosecuted unless it can be proven that you spread the
virus due to pure carelessness. The definition of
carelessness has not been tested in a court of law, as
far as I know at the date of writing (9/22/95)
The Canadian Criminal Code
Please bear in mind that the following information was culled from the
Criminal Code in 1993 and those sections may have been expanded or
revised since then, or possibly some computer-specific legislation may
have been enacted of which we are unaware.
No mention is made in the Code (as of 1993) of computer viruses as such,
but it would seem that prosecution under Sec. 430 (Mischief) or
section 342.1 (Unauthorized use of computer) would be appropriate.
Apparently the laws governing trespass have not been considered as
having any application in cyberspace. Offenders under section 342.1
would be charged with mischief, which covers a multitude of sins
under Canadian law. The penalties stipulated in Sec. 342.1 are the
same as the penalties for sabotage, just as a point of interest.
A prosecutor would probably deal with incitement (i.e. inciting
somebody else to maliciously use viruses) under Sec. 21 (Parties
to offence), Sec. 463 (Attempts), or Sec. 465 (Conspiracy).
Sec. 21-24 of the Criminal Code may be of interest because they
detail aiding and abetting, incitement, and related issues which
have some application in the realm of viruses.
Under certain circumstances, laws in other countries may be applicable
in cyberspace, where there are no formal territorial boundaries. For
instance, Sec. 465 (4) of the Canadian Criminal Code stipulates that every
one, "while in a place outside Canada" conspires to commit an offence in
Canada "shall be deemed to have conspired in Canada to do that thing."
In the UK, the Computer Misuse Act makes it a crime to make an
unauthorised modification on a computer. If you own a computer, you
can authorise anything you want for that computer, so you can
spread a virus on a computer you own. A virus makes a modification,
so if someone deliberately spreads a virus on someone else's
computer, that's a crime. Giving a virus to someone else isn't a
crime if it's with his/her knowledge and permission, however. So,
sending a diskette with a virus on to an AV company, together with
a note saying "There's a virus on this disk, please investigate it
for me" is legal.
If an action is a crime, then encouraging that action can also be a
If you spread a virus unwittingly, then it isn't a crime, as you
don't have "intent".
If someone is negligent, and so spreads a virus (even unwittingly),
then there could be a civil action for damages through negligence.
Computer Crime (Icove, Seger, Von Storch) - O'Reilly
Computer Law & Security Report (periodical) - Elsevier Advanced Technology
Dr. Alan Solomon includes information on Hacking and Virus Laws in the
UK and elsewhere on his webpage at:
The ICSA has details on state computer crime laws:
End of a.c.v. FAQ Part 3 of 4
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>
Comment: PGP Key ID 0xDCC35C75 available on Keyservers
-----END PGP SIGNATURE-----