Dear dvation,
As the conduct you describe occurred in New York, it is most likely
that any criminal charges would be filed within New York, either in
the state or federal courts. Given the facts you assert, the
programmer would have significant difficulty defending against the
charges.
I. Federal Charges
Should the programmer be charged federally, he would face prosecution
under Title 18 of the United States Code, Section 1030 (18 USC 1030).
This statute can be reviewed on Cornell Law School's Legal Information
Institute website:
http://www4.law.cornell.edu/cgi-bin/htm_hl?DB=uscode&STEMMER=enSTYLE=s&URL=/uscode/18/1030.html
Given the facts you describe, the charges would most easily be brought
under subsection (a)5. To achieve a conviction, the prosecutor would
have to establish:
1. The programmer knowingly caused the transmission of a program,
information, code, or command, and as a result of such conduct,
intentionally caused damage without authorization, (18 USC
1030(a)5(A)(1)); and
2. The conduct caused (a) loss to 1 or more persons during any 1-year
period aggregating at least $5,000 in value; or (b) a threat to public
health or safety; or (c) damage affecting a computer system used by
or for a government entity in furtherance of the administration of
justice, national defense, or national security, (18 USC 1030(a)5(B));
and
3. A protected computer was involved - that is, exclusively for the
use of a financial institution or the United States Government, or, in
the case of a computer not exclusively for such use, used by or for a
financial institution or the United States Government and the conduct
constituting the offense affects that use by or for the financial
institution or the Government; or which is used in interstate or
foreign commerce or communication, including a computer located
outside the United States that is used in a manner that affects
interstate or foreign commerce or communication of the United States.
(18 USC 1030(a)(5)(A)(1); 1030(e)(2)).
The following acts you describe would satisfy those elements:
1. The programmer knowingly released the virus (transmitting a
program) which exploits a security hole in both UNIX and Windows
NT/XP servers, exposing the administrator passwords to a knowledgeable
hacker, without any authorization from the owners of the infected
systems.
2. A significant number of corporate and governmental computers were
affected, resulting in significant expense, possibly resulting in
threat to public health or safety (e.g., if a Center for Disease
Control or Food and Drug Administration computer were affected), and
possibly also affecting computer systems of agencies devoted to law
enforcement including the Justice Department, Federal Courts, or
Department of Defense.
3. Computers used by government agencies and most corporations are
used in the furtherance of interstate and foreign commerce.
The programmer may try to defend against these elements:
1. It would be difficult to dispute the first element following
confession, but if you were to change your facts such that the
programmer did not confess to authoring and releasing the virus, he
could force the government to prove that he was the author and that it
was he who released it.
2. The programmer may try to argue that the damage caused by his acts
through the release of the virus caused relatively light economic
harm. This defense would be difficult, as a single large corporation
or government agency is likely to claim damages in excess of the
$5,000 threshold, in association with simply checking computers for
the virus and cleaning the virus from their systems.
Whether or not the programmer would be able to avoid conviction for
creating a threat to public health or safety would depend upon which
computer systems were actually infected. However, please note that if
the virus reached computer systems relating to public health and
safety, the prosecution would only have to prove that a threat of harm
to the public was created, not that any actual harm was suffered.
For the programmer to be culpable under the provision regarding
conduct affecting a computer system associated with the administration
of justice, national defense, or national security, the facts of which
systems were infected would again be important. However, to achieve
conviction, the prosecution would not have to demonstrate any
financial harm to the affected agencies; it would simply have to
document that the virus effected unauthorized change to the agencies'
computers -- that of itself is a form of "damage".
3. Given the infection of corporate and government computers, it would
be essentially impossible to defend against the element that the
computers were used in the furtherance of interstate or foreign
commerce. The term "interstate commerce" is broadly interpreted, and
even acts which occur exclusively within a state may be held to affect
interstate commerce.
II. State Charges
The programmer might also face charges in state court. New York's
statutes are not as refined as the federal statutes when it comes to
computer crime. Article 156 of New York's penal code statute,
governing offenses involving computers, can be reviewed online through
the New York State Assembly website:
http://assembly.state.ny.us/leg/?cl=82&a=35
The programmer would likely face initial misdemeanor charges under
Article 156.20, "Computer Tampering in the Fourth Degree". To achieve
a conviction, the prosecution would have to establish that the
programmer used or caused to be used a computer or computer service
and, having no right to do so, intentionally altered in any manner or
destroyed computer data or a computer program of another person.
The term "Computer Service" is broadly defined as "any and all
services provided by or through the facilities of any computer
communication system allowing the input, output, examination, or
transfer, of computer data or computer programs from one computer to
another." That would include the Internet.
The virus by its very nature would alter computer data or at least one
computer program on computers belonging to other people.
The prosecutor may then try to escalate the charge to a "class E"
felony, pursuant to Article 156.25, "Computer Tampering in the Third
Degree". To establish this felony charge, the prosecutor would have to
additionally prove that the programmer released the virus with an
intent to commit or attempt to commit or further the commission of any
felony, that he had a prior conviction for computer crime or "theft of
services", that he intentionally altered in any manner or destroyed
computer material, or that he intentionally altered in any manner or
destroyed computer data or a computer program so as to cause damages
in an aggregate amount exceeding one thousand dollars. (Recall that
only one of these four prongs needs to be proved in order to achieve
this conviction.)
The prosecutor would attempt to establish the first prong
circumstantially, by arguing that the only reasonable inference that
can be drawn from the programmer's conduct is that he intended to
exploit the security hole for personal gain through the commission of
a felony, or in the alternate that he was in league with others who
exploited the security hole for personal gain through the commission
of felonies.
The programmer's prior criminal history would dictate whether or not
the prosecutor could establish the second prong.
The third prong depends upon whether the virus altered or destroyed
"computer material" as defined in the relatively complex statutory
definition found at 156.00(5), which focuses on certain patient
records, public records, and trade secrets. Given that you have
described the virus as being of itself non-harmful to computer data,
it seems unlikely that the prosecutor would focus on this prong of the
statute.
The fourth prong can easily be satisfied through documentation of the
expense and manpower involved in cleaning the virus from infected
systems. It is likely that any business or government agency would
claim to have suffered virus-related losses in excess of the $1,000
threshold.
The prosecutor may then try to escalate the charge to a "class D"
felony, pursuant to Article 156.26, "Computer Tampering in the Second
Degree". This can be achieved by further demonstrating that the
economic harm suffered by those with infected computers had an
aggregate value in excess of $3,000.
Finally, the prosecutor may attempt to escalate the charge to a "class
C" felony, pursuant to Article 156.27, "Computer Tampering in the
First Degree", by further establishing that the economic harm suffered
by those with infected computers had an aggregate value in excess of
$50,000.
It would be very difficult for the programmer to defend against the
underlying misdemeanor charge, as the facts he has confessed establish
that he released a virus through a computer network, and the virus
infected a significant number of systems. The prosecutor would present
representatives of the owners of certain systems, who would testify
that this was done without their permission.
His remaining defense, in this regard, is statutorily defined in
Article 156.50(2): It "shall be a defense that the defendant had
reasonable grounds to believe that he had the right to alter in
any manner or destroy the computer data or the computer program". I do
not see facts in your scenario which would support this defense, but
absent the confession it might nonetheless be possible to attempt a
defense on the basis that the programmer meant to test only certain
systems which he was testing with permission, and the virus was
released only by accident.
In terms of avoiding the "Class E" felony charge, the programmer would
have to rebut the prosecutor's inference that no one would release
such a virus absent an additional criminal motive - the intention to
directly, or through accomplices, exploit the security hole. While the
prosecutor does have the burden of proof, that burden can be met
circumstantially, and most juries will be skeptical of the purity of
the programmer's motives.
Beyond motive, to avoid a felony conviction, the programmer would have
to present a coherent argument that the economic harm caused by his
virus was slight. Unfortunately for the programmer, courts routinely
accept reports that viral infections cause damages in the four and
five figure range for even a single business which has to check and
disinfect its computer systems.
III. Case Study
An interesting case study is outlined in "The worm that turned: A new
approach to hacker hunting", from the January 29, 2003 daily briefing
on GovExec.com:
http://www.govexec.com/dailyfed/0103/012903worm.htm
That case involves a scenario similar to what you describe - a
programmer released a virus (well, technically an Internet worm, but
few in law enforcement would appreciate the distinction) which created
a significant security hole in a significant number of computer
systems, but the programmer did not appear to be exploiting the hole.
As a result of the discovery of the virus, a federal task force took
up the job of tracking down the programmer. The programmer was
ultimately arrested, prosecuted, and convicted in his home country,
Great Britain.
The article is particularly hyperbolic in its tone, and the claimed
amount of damage (billions of dollars) attributed to the "Code Red"
virus may give you an indication of the type of claim that might be
made against your hypothetical programmer.
Research Strategy:
As a basis for my research, I have been involved in the defense of
people charged with computer crimes. Also, I obtained an "inside view"
of the prosecution of a relatively minor intrusion into a local
computer system, and what I considered to be an outlandish claim for
damages made by one of their users which was accepted without question
by the prosecuting attorney's office.
Google Search - New York Statutes
://www.google.com/search?q=new+york+statutes
Review of computer-crime related federal statutes through the Cornell
Law School's Legal Information Institute website:
http://www.law.cornell.edu/
Review of New York State statutes, through the New York State Assembly
website:
http://assembly.state.ny.us/leg/?sl=0
A friend of mine who works for the federal government sent me the
GovExec.com article several months ago. Your scenario brought it to
mind.
I hope you find this helpful,
- expertlaw