Q: Viruses and the Law (Answered 5 out of 5 stars, 4 Comments)
Question  
Subject: Viruses and the Law
Category: Computers
Asked by: dvation-ga
List Price: $20.00
Posted: 09 Apr 2003 05:18 PDT
Expires: 09 May 2003 05:18 PDT
Question ID: 188190
Take some random guy, for example, that has admitted to writing and
purposely releasing some virus that exploits a hole in both UNIX and
Windows NT/XP servers, exposing the administrator passwords to a
knowledgeable hacker. A number of major corporate and government
systems are compromised, causing several million dollars in costs for
lost time and services. However, he makes no personal use of the
access his virus granted him; unauthorized use was perpetrated by
others who took advantage of the presence of the virus.

My question is, in a case like this, is the virus writer legally at
fault? Can he be prosecuted? Please back up all information citing
specific laws or court cases. What laws and cases might the defense
use to prove he is innocent? The more sources from actual laws and
court cases the better, as I am not so much looking for opinions as I
am facts. Thank you.

Request for Question Clarification by expertlaw-ga on 09 Apr 2003 05:55 PDT
Dear dvation,

As laws will vary between jurisdictions, did you have a particular
state or country in mind as the place where the virus writer would
create and release the virus?

Clarification of Question by dvation-ga on 09 Apr 2003 06:03 PDT
Yes, please assume this occurred in New York State, USA.

Request for Question Clarification by mosquitohawk-ga on 09 Apr 2003 06:59 PDT
Hi dvation,

Only attorneys are authorized to give legal advice. There may be a
researcher who is a licensed attorney, of that I don't know, but, you
may want to take a look at the 'Accessory' laws in your state. These
laws are probably going to cover the above scenario, even though the
original programmer did not actually commit the offense, his actions
'aided and assisted' the actual perpetrator.

Clarification of Question by dvation-ga on 09 Apr 2003 07:07 PDT
Well this is a hypothetical situation, I do not actually need legit
legal advice. The reason I asked this is mostly to become more
familiar with computer/internet law than anything else, which is why I
was looking for some facts. I have no intentions of using this
information in any way other than for my own education.
Answer  
Subject: Re: Viruses and the Law
Answered By: expertlaw-ga on 10 Apr 2003 07:46 PDT
Rated:5 out of 5 stars
 
Dear dvation,

As the conduct you describe occurred in New York, it is most likely
that any criminal charges would be filed within New York, either in
the state or federal courts. Given the facts you assert, the
programmer would have significant difficulty defending against the
charges.


I. Federal Charges

Should the programmer be charged federally, he would face prosecution
under Title 18 of the United States Code, Section 1030 (18 USC 1030).
This statute can be reviewed on Cornell Law School's Legal Information
Institute website:
http://www4.law.cornell.edu/cgi-bin/htm_hl?DB=uscode&STEMMER=enSTYLE=s&URL=/uscode/18/1030.html

Given the facts you describe, the charges would most easily be brought
under subsection (a)5. To achieve a conviction, the prosecutor would
have to establish:

1. The programmer knowingly caused the transmission of a program,
information, code, or command, and as a result of such conduct,
intentionally caused damage without authorization, (18 USC
1030(a)5(A)(1)); and

2. The conduct caused (a) loss to 1 or more persons during any 1-year
period aggregating at least $5,000 in value; or (b) a threat to public
health or safety; or (c)  damage affecting a computer system used by
or for a government entity in furtherance of the administration of
justice, national defense, or national security, (18 USC 1030(a)5(B));
and

3. A protected computer was involved - that is,  exclusively for the
use of a financial institution or the United States Government, or, in
the case of a computer not exclusively for such use, used by or for a
financial institution or the United States Government and the conduct
constituting the offense affects that use by or for the financial
institution or the Government; or  which is used in interstate or
foreign commerce or communication, including a computer located
outside the United States that is used in a manner that affects
interstate or foreign commerce or communication of the United States.
(18 USC 1030(a)(5)(A)(1); 1030(e)(2)).


The following acts you describe would satisfy those elements:

1. The programmer knowingly released the virus (transmitting a
program) which exploits a security hole in both UNIX and  Windows
NT/XP servers, exposing the administrator passwords to a knowledgeable
hacker, without any authorization from the owners of the infected
systems.

2. A significant number of corporate and governmental computers were
affected, resulting in significant expense, possibly resulting in
threat to public health or safety (e.g., if a Center for Disease
Control or Food and Drug Administration computer were affected), and
possibly also affecting computer systems of agencies devoted to law
enforcement including the Justice Department, Federal Courts, or
Department of Defense.

3. Computers used by government agencies and most corporations are
used in the furtherance of interstate and foreign commerce.


The programmer may try to defend against these elements:

1. It would be difficult to dispute the first element following
confession, but if you were to change your facts such that the
programmer did not confess to authoring and releasing the virus, he
could force the government to prove that he was the author and that it
was he who released it.

2. The programmer may try to argue that the damage caused by his acts
through the release of the virus caused relatively light economic
harm. This defense would be difficult, as a single large corporation
or government agency is likely to claim damages in excess of the
$5,000 threshold, in association with simply checking computers for
the virus and cleaning the virus from their systems.

Whether or not the programmer would be able to avoid conviction for
creating a threat to public health or safety would depend upon which
computer systems were actually infected. However, please note that if
the virus reached computer systems relating to public health and
safety, the prosecution would only have to prove that a threat of harm
to the public was created – not that any actual harm was suffered.

For the programmer to be culpable under the provision regarding
conduct affecting a computer system associated with the administration
of justice, national defense, or national security, the facts of which
systems were infected would again be important. However, to achieve
conviction, the prosecution would not have to demonstrate any
financial harm to the affected agencies – it would simply have to
document that the virus effected unauthorized change to the agencies'
computers -- that of itself is a form of "damage".

3. Given the infection of corporate and government computers, it would
be essentially impossible to defend against the element that the
computers were used in the furtherance of interstate or foreign
commerce. The term "interstate commerce" is broadly interpreted, and
even acts which occur exclusively within a state may be held to affect
interstate commerce.


II. State Charges

The programmer might also face charges in state court. New York's
statutes are not as refined as the federal statutes when it comes to
computer crime. Article 156 of New York's penal code statute,
governing offenses involving computers, can be reviewed online through
the New York State Assembly website:
http://assembly.state.ny.us/leg/?cl=82&a=35

The programmer would likely face initial misdemeanor charges under
Article 156.20, "Computer Tampering in the Fourth Degree". To achieve
a conviction, the prosecution would have to establish that the
programmer used or caused to be used a computer or computer service
and having no right to do so intentionally altered in any manner or
destroyed computer data or a computer program of another person.

The term "Computer Service" is broadly defined as "any and all
services provided by or through the facilities of any computer
communication system allowing the input, output, examination, or
transfer, of computer data or computer programs from one computer to
another." That would include the Internet.

The virus by its very nature would alter computer data or at least one
computer program on computers belonging to other people.


The prosecutor may then try to escalate the charge to a "class E"
felony, pursuant to Article 156.25, "Computer Tampering in the Third
Degree". To establish this felony charge, the prosecutor would have to
additionally prove that the programmer released the virus with an
intent to commit or attempt to commit or further the commission of any
felony, that he had a prior conviction for computer crime or "theft of
services", that he intentionally altered in any manner or destroyed
computer  material, or that he intentionally altered in any manner or
destroyed computer data or a computer program so as to cause damages
in an aggregate amount exceeding one thousand dollars. (Recall that
only one of these four prongs needs to be proved in order to achieve
this conviction.)

The prosecutor would attempt to establish the first prong
circumstantially, by arguing that the only reasonable inference that
can be drawn from the programmer's conduct is that he intended to
exploit the security hole for personal gain through the commission of
a felony, or in the alternate that he was in league with others who
exploited  the security hole for personal gain through the commission
of felonies.

The programmer's prior criminal history would dictate whether or not
the prosecutor could establish the second prong.

The third prong depends upon whether the virus altered or destroyed
"computer material" as defined in the relatively complex statutory
definition found at 156.00(5), which focuses on certain patient
records, public records, and trade secrets. Given that you have
described the virus as being of itself non-harmful to computer data,
it seems unlikely that the prosecutor would focus on this prong of the
statute.

The fourth prong can easily be satisfied through documentation of the
expense and manpower involved in cleaning the virus from infected
systems. It is likely that any business or government agency would
claim to have suffered virus-related losses in excess of the $1,000
threshold.


The prosecutor may then try to escalate the charge to a "class D"
felony, pursuant to Article 156.26, "Computer Tampering in the Second
Degree". This can be achieved by further demonstrating that the
economic harm suffered by those with infected computers had an
aggregate value in excess of $3,000.


Finally, the prosecutor may attempt to escalate the charge to a "class
C" felony, pursuant to Article 156.27, "Computer Tampering in the
First Degree", by further establishing that the economic harm suffered
by those with infected computers had an aggregate value in excess
of $50,000.


It would be very difficult for the programmer to defend against the
underlying misdemeanor charge, as the facts he has confessed establish
that he released a virus through a computer network, and the virus
infected a significant number of systems. The prosecutor would present
representatives of the owners of certain systems, who would testify
that this was done without their permission.

His remaining defense, in this regard, is statutorily defined in
Article 156.50(2): It "shall be a defense that the defendant had
reasonable grounds to believe that he had the right to alter in
any manner or destroy the computer data or the computer program". I do
not see facts in your scenario which would support this defense, but
absent the confession it might nonetheless be possible to attempt a
defense on the basis that the programmer meant to test only certain
systems which he was testing with permission, and the virus was
released only by accident.

In terms of avoiding the "Class E" felony charge, the programmer would
have to rebut the prosecutor's inference that no one would release
such a virus absent an additional criminal motive - the intention to
directly, or through accomplices, exploit the security hole. While the
prosecutor does have the burden of proof, that burden can be met
circumstantially, and most juries will be skeptical of the purity of
the programmer's motives.

Beyond motive, to avoid a felony conviction, the programmer would have
to present a coherent argument that the economic harm caused by his
virus was slight. Unfortunately for the programmer, courts routinely
accept reports that viral infections cause damages in the four and
five figure range for even a single business which has to check and
disinfect its computer systems.


III. Case Study

An interesting case study is outlined in "The worm that turned: A new
approach to hacker hunting", from the January 29, 2003 daily briefing
on GovExec.com:
http://www.govexec.com/dailyfed/0103/012903worm.htm

That case involves a scenario similar to what you describe - a
programmer released a virus (well, technically an Internet worm, but
few in law enforcement would appreciate the distinction) which created
a significant security hole in a significant number of computer
systems, but the programmer did not appear to be exploiting the hole.
As a result of the discovery of the virus, a federal task force took
up the job of tracking down the programmer. The programmer was
ultimately arrested, prosecuted, and convicted in his home country,
Great Britain.

The article is particularly hyperbolic in its tone, and the claimed
amount of damage (billions of dollars) attributed to the "Code Red"
virus may give you an indication of the type of claim that might be
made against your hypothetical programmer.


Research Strategy:

As a basis for my research, I have been involved in the defense of
people charged with computer crimes. Also, I obtained an "inside view"
of the prosecution of a relatively minor intrusion into a local
computer system, and what I considered to be an outlandish claim for
damages made by one of their users which was accepted without question
by the prosecuting attorney's office.

Google Search - New York Statutes
://www.google.com/search?q=new+york+statutes

Review of computer-crime related federal statutes through the Cornell
Law School's Legal Information Institute website:
http://www.law.cornell.edu/

Review of New York State statutes, through the New York State Assembly
website:
http://assembly.state.ny.us/leg/?sl=0

A friend of mine who works for the federal government sent me the
GovExec.com article several months ago. Your scenario brought it to
mind.


I hope you find this helpful,

- expertlaw
dvation-ga rated this answer:5 out of 5 stars and gave an additional tip of: $5.00
That answer was right on. Thank you very much for your efforts, I'm
eating this stuff up!

Comments  
Subject: Re: Viruses and the Law
From: mathtalk-ga on 09 Apr 2003 07:02 PDT
 
Hi, dvation:

Some remarks that might help you clarify your question:

You hypothesize that the hacker admits "purposely releasing" the
virus.  The intent of the virus writer would have a bearing on almost
any criminal liability.  What precisely are you assuming was the
"purpose" of the release?

The standards for civil liability would be different.  Are you
concerned with criminal or civil liability?  A civil suit could
certainly be brought in a case like this; are you concerned with the
likelihood of a corporation prevailing in such a suit?

While a finding of "fault" would be possible for a court in a civil
proceeding, courts never make findings of "innocence".  In a criminal
prosecution the court would find the defendant "guilty" or "not
guilty", which is not the same as finding a person innocent.

regards, mathtalk-ga

Subject: Re: Viruses and the Law
From: dvation-ga on 09 Apr 2003 07:13 PDT
 
"You hypothesize that the hacker admits "purposely releasing" the
virus.  The intent of the virus writer would have a bearing on almost
any criminal liability.  What precisely are you assuming was the
"purpose" of the release?"

...he released it because he thought he was doing the computing
community a favor by showing them how vulnerable this exploit was.


"The standards for civil liability would be different.  Are you
concerned with criminal or civil liability?  A civil suit could
certainly be brought in a case like this; are you concerned with the
likelihood of a corporation prevailing in such a suit?"

...I am looking at this from the perspective of the companies that
lost money in the downtime caused by the virus. In other words, I am
asking this question assuming it is the Corporations affected that
would be bringing the case to court.
 
"While a finding of "fault" would be possible for a court in a civil
proceeding, courts never make findings of "innocence".  In a criminal
prosecution the court would find the defendant "guilty" or "not
guilty", which is not the same as finding a person innocent."

...I completely agree and understand. Though the burden of proof does
indeed lie with the prosecution, the virus 'author' would still want
some kind of defense to make sure the jury never finds him guilty
beyond a reasonable doubt. Citing past court cases would be one such
example of precedence that might help him avoid being convicted.


Thanks for your questions, I hope it helped clarify.

Subject: Re: Viruses and the Law
From: mathtalk-ga on 10 Apr 2003 08:43 PDT
 
I found expertlaw-ga's analysis of the applicable criminal laws very
interesting and obviously well researched.

The most likely deterrent to being vigorously sued in the circumstances
outlined might be relative poverty by the hacker and all parties
associated with him.  In other words the injured parties would be
likely to prevail on the merits of their case but be unable to achieve
substantial recovery.

Typically a civil suit might be contemplated only if "deep pockets"
associated with the hacker can be identified.  For example, if the
hacker were a student at a well-endowed educational institution and
made use of institutional computing resources to develop, distribute,
or publicize the virus, the institution might be named as co-defendant
in a suit by injured corporations to recover damages.

If (as postulated) the actual damages were a foreseeable consequence
of the virus infection, it might not be necessary for the plaintiffs
to name or even identify the parties who exploited the infections for
personal gain.  If they can be identified, of course, it would be a
mixed blessing at best for the individual hacker's defense.

It is important to recognize that the standard of proof in civil cases
is much lower than in criminal cases.  Usually a plaintiff only needs
"a preponderance of the evidence" regarding fault in order to prevail
in a case involving (as here) admitted damages.

regards, mathtalk

Subject: Re: Viruses and the Law
From: expertlaw-ga on 10 Apr 2003 11:31 PDT
 
Good thoughts, mathtalk.

There is no obvious cause of action against an educational institution
that simply provides the facilities, computers, and Internet access
that a programmer uses to create or distribute a new virus. It would
likely be necessary to demonstrate some degree of knowledge or
complicity by an agent of the educational institution, in order to
justify such a lawsuit.

The "deep pocket" in almost any lawsuit is an insurance company.
Ordinarily, insurance companies will not provide coverage for the
intentional or criminal acts of the insured. While a plaintiff might
argue that the programmer did not intend the harm caused by the
release of the virus, courts typically will no longer entertain that
type of hair splitting - it would typically be enough that the
programmer intended to release the virus. This makes it even less
likely that civil litigation would be commenced against the
programmer, unless he was independently wealthy - the idea of being
able to garnish a small percentage of a small paycheck bears little
appeal to a typical corporation. Further, the programmer would
ultimately likely seek relief in a bankruptcy court.

Further, assuming a criminal conviction, the programmer would be
required to pay some level of restitution to the "victims" of his
action. Any amount recovered in restitution would be deducted from any
eventual (theoretical) civil recovery.

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.
