Is Virus Spreading Criminal?

Ghost-in-the-shell writes "I just read this article on CNN stating that spreading a virus in the state of Pennsylvania is now illegal. The bill signed in to Law on May 26th, by Governor Tom Ridge states that the spreading of a virus can land you 7 years in jail, a $15,000 fine, and possible restitution to the person(s) damaged by the virus. My only question is what happens in the cases of a virus like the famed "Melissa" who automatically passes it's self around? "

Poster's question

[gad_zuki!]

People who intentionally spread a computer virus face a seven-year prison sentence and a $15,000 fine

It does say intentionally.

Not all intentional viruses are *amateur*

[orpheus]

The RADIATE (formerly Aureate) monitoring programs that are packaged with over 400 freeware, shareware and demo programs is a perfect example of a deliberately spread virus (in Win9x)

1) you are not informed that a *separate* program will be installed, in addition to the program you intend to install. This program can monitor your activity even when the program it came with is not in use.

2) the monitor program is not removed when you uninstall the 'carrier' free/shareware program or purchase the paid version of a demo. In fact, there is no way to completely remove it except through an external program like OptOut from Steve Gibson (freeware)

Sounds like a classic, deliberate, and very malicious 'virus'. I'm sure there's something in the license allowing the installation, but nothing about it persisting forever (even after you remove the program the license applies to). True, you could prosecute under the 'unauthorized computer use' felony, but I think the virus law gives a better tool, since the virus+vector model is a familiar one (putting an unannounced virus inside a desired executable doesn't make it less of a virus)

What if you got authorization?

[Jeff+Bell]

I'm surprized that none of the viruses have tried this yet, but what would happen if the virus first popped up a dialog box with a lot of legalese at the beginning, but a dozen screenfulls down includes as terms:

...

19. I understand that this software may send copies of itself to everyone in my address book.

20. The authors of this software shall not be held responsible for any data that may be lost.

Certainly a very large portion of the population would click on the [ACCEPT] button as a matter of reflex. It wouldn't even make it out of the brain stem.

Would the author of this virus be subject to prosecution?

Would they be safer in states that have passed UCITA?

-Jeff Bell

Pay attention to the bottom of the article:

[wrenling]

The article states:
"Accessing and damaging a computer or system is a felony of the third degree, facing a seven-year sentence and $15,000 fine. Interfering with a computer, system, or network or giving out a password or other confidential information about a system is a misdemeanor of the first degree, with a maximum penalty of five years and $10,000 fine. "

What scares me is the part where they refer to 'other confidential information.' That is such an amazingly grey area. And what constitutes giving out a password? Once again, the focus should be on 'illegally obtaining passwords.' This is a section where the victim (piegon in a scam) could be prosecuted for their unwitting part in a crime. (Remember the IQ of the average user).

Just a few rambling thoughts from yours truly.

Welcome to Pennsylvania

[IGnatius+T+Foobar]

If you recall, Pennsylvania cut a deal with Microsoft a year or two ago, to use Windows products exclusively in the Pennsylvania state government. That, combined with the Love Bug and other such niceties, has probably made computer life very difficult in the PA state government offices lately. That considered, it's not surprising that they're the first to adopt legislation like this. The states which are still running on mainframes and Unix boxen like they should, can sit back and laugh at PA.
--

VIRUS Definition

[PopeAlien]

Interfering with a computer, system, or network or giving out a password or other confidential information about a system is a misdemeanor of the first degree, with a maximum penalty of five years and $10,000 fine.

OK. So we all know about "bad" viruses -Mellisa, etc, and "trojans" -but what I want to know is how this legislation can be used to keep Large Corporations from digging around in my HardDrive..

When RealNetworks or Aureate/Radiate add "special features" to their software to profile my music listening habits, or track my web access from within, rather than from accessed pages- does that count as "Interfering, or giving out confidential information".
-

Couldn't it be argued however that....

[Randy+Rathbun]

everyone and his brother should know by now NOT to launch attachments?

I got to deal with the ILOVEYOU virus. It was not the secretary that launched it. It was not the big boss that launched it. It was one of the other programmers that launched it. Trust me, after humiliating him I don't think he would be stupid enough to do something like this again, but one never knows.

Also, a friend of mine works for a large company. IS sent around a message saying "Do not under any circumstances launch this app." 15 minutes later someone did because they "wanted to see what it would do." This also happened at one of the local hospitals.

Couldn't one argue that in all three of the cases I mentioned that it WAS intentional in every case? Just because you are stupid does not under any circumstance give you the right to do stupid things.

Burden of Connecting

[rjamestaylor]

I realize the law says "intentionally" but what if a more proactive stance was adopted? For example, when I receive a counterfeit $20 I may be unaware. But when I deposit that counterfeit $20 at my bank (and it is discovered) I lose $20 and may be investigated. It doesn't matter that I *thought* it was real -- I still lose. It is upon me to make sure bills I pass are legitimate. If they are not, I lose.

Let me apply this "burden" to the 'net: if you connect to the Internet and pass a virus (even unaware) your privileges to stay connected may be revoked or suspended. What?!? Well, you take on a lot of responsibility to connect to the rest of us. If you cannot take basic precautions to protect others from your transmissions then you are subject to loosing your right to be on the 'net. The onus is on you.

What does this mean? It means you must be able to prove that you took reasonable precautions to prevent your system from harming others. This may include using an updated anti-viral package on Windows and Mac systems. Properly adhering CERT advisories on UNIX systems. Avoiding easily-exploitable software packages (Outlook, for example). Using basic security protocols.

Offenders (those who fail to protect others from attacks via their systems) may be forced to disconnect until they

• complete a proper system security class
• install proper security software
• establish and follow basic security guidelines
• disable easily-exploitable software

I realize this is radical.

Perhaps a better model (than the counterfeit bill passing) is the transportation regulations we have today. We require people who drive on our highways to take basic precautions to avoid harming others (no drinking when driving, obey traffic laws, maintain car at reasonable operational standards). Heck, we don't let you drive unless you obtain and maintain a proper license! How about a license to connect to the Information Super Highway? And what about liability insurance? If your system has an exploitable hole that damages someone else's system, you may be liable.

The Internet is a part of our lives. We can't allow stupidity and laziness ruin it for the rest of us.