What the Law Says about Distributing a Virus or Malware

Tuesday, September 20, 2011

Craig S Wright

8b5e0b54dfecaa052afa016cd32b9837

The Internet allows an individual to either inadvertently or purposely disseminate malware (such as a virus) to other systems globally. The potential impact could encompass the “infection” or compromise of millions of hosts. This has occurred.

A “harmless experiment” by Cornell University student Robert Morris involved the release onto the Internet of a type of malware called a “worm” that compromised over 6,000 computers and required millions of dollars worth of time to eradicate.

As several “non-public computers” run by the US Government were damaged [1], Morris was prosecuted under the US Computer Fraud and Abuse Act (CFAA). He was convicted notwithstanding his declaration that he had no malicious objective to cause damage.

It is probable a service provider or content hosting entity will face a degree of liability dependent on intention. If malware is intentionally posted such as in the Morris’ case, no uncertainty as to whether the conception and insertion of the malware was deliberate exists.

Morris stated he did not intend harm, but the fact remained that he intentionally created and released the worm. In the United States both Federal and State legislation has been introduced to deal with the intentional formation and release of malware.

In the UK, the introduction of malware is covered by section 3 of the Computer Misuse Act [2]. The Act states that a crime is committed if a person “does any act which causes an unauthorized modification of the contents of any computer” and the perpetrator intends to “cause a modification of the contents of any computer” which may “impair the operation of any computer”, “prevent or hinder access to any program or data held in any computer” or “impair the operation of any such program or the reliability of any such data”.

The deliberate introduction of any malware will meet any of these requirements by taking memory and processing from the system and feasibly damaging the system.

It is also necessary for a successful prosecution to demonstrate a “requisite knowledge”. This is knowledge that any modification he intends to cause is unauthorized”. With the volume of press coverage concerning the damage that can be caused by malware and the requirements for authorization, it is highly unlikely an accused party would be able to successfully argue ignorance as to authorization.

Malware is generally distributed unintentionally subsequent to its initial creation. Thus an ICP or an ISP would not be found criminally liable under either the Computer Fraud and Abuse Act or the Computer Misuse Act for most cases of dissemination. For the majority of content providers on the Internet, there exists no contractual agreement with users browsing the majority of sites without any prospect of consideration.

The consequence being that the only civil action that could succeed for the majority of Internet users would be a claim brought on negligence. Such a claim would have to overcome a number of difficulties even against the primary party who posted the malware let alone going after the ISP.

It would be necessary to demonstrate the ISP is under a duty of care. The level of care that the provider would be expected to adhere to would be dependent on a number of factors and a matter for the courts to decide and could vary on the commerciality of the provider and the services provided.

The standard of due care could lie between a superficial inspection through to a requirement that all software is validated using up-to-date anti-virus software on regular intervals with the court deciding dependant on the facts of the initial case that comes before the courts.

The duty of care is likely to be most stringently held in cases where there is a requirement for the site to maintain a minimum standard of care, such as in the case of a payment provider that processes credit cards. Such a provider is contractually required to adhere to the PCI-DSS as maintained by the major credit card companies [3] and would consequently have a greater hurdle in demonstrating that they were not negligent in not maintaining an active anti-virus program.

Loss of an entirely economic nature cannot be recovered through an action for negligence under UK law. There is a requirement that some kind of “physical” damage has occurred. The CIH or Chernobyl virus was known to overwrite hard-drive sectors or BIOS. This could in some cases render the motherboard of the host corrupt and unusable.

In this instance the resultant damage is clearly physical; however, as in the majority of Internet worms [4], most impact is economic in effect. Further, it remains undecided as to whether damage to software or records and even the subsequent recovery would be deemed as a purely economic loss by the courts.

It may be possible to initiate a claim using the Consumer Protection Act[5] in the UK and the directives enforced within the EU [6]. The advantage to this approach is the act does not base liability on fault. It relies on causation instead of negligence in determining the principal measure of liability. The act rather imposes liability on the “producer” of a “product”.

A “producer” under the act includes the classification of importer, but this definition would only be likely to extend to the person responsible for the contaminated software such as the producer or programmer. It also remains arguable as to whether software transmitted electronically forms a “product” as defined under the act.

References:

[1] Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030; There is an obligation for prosecution under the CFAA that a non-public computer is damaged where the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information.

[2] Computer Misuse Act 1990 (c. 18), 1990 CHAPTER 18

[3] The PCI-DSS at section 5 requires that “Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software.”

[4] Scandariato, R.; Knight, J.C. (2004) “The design and evaluation of a defence system for Internet worms” Proceedings of the 23rd IEEE International Symposium on Reliable Distributed Systems, 2004. Volume, Issue, 18-20 Oct. 2004 Page(s): 164 - 173

[5] The Consumer Protection Act 1987 (Product Liability) (Modification) Order 2000 (Statutory Instrument 2000 No. 2771)

[6] See also, Electronic Commerce (EC Directive) Regulations 2002, SI 2000/2013 and the provisions of the Product Liability Directive (85/374/EEC)

About the Author:

Craig Wright is the VP of GICSR in Australia. He holds both the GSE, GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law, A Masters Degree in mathematical statistics from Newcastle as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Sturt University where he lectures subjects in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.

Possibly Related Articles:
9115
Viruses & Malware
General Legal
Legal virus Compliance malware Regulation Liability CFAA
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.