New California Law Finally Makes Ransomware Illegal

← Back to Stories (view on slashdot.org)

New California Law Finally Makes Ransomware Illegal

Posted by msmash on Wednesday January 4, 2017 @06:02AM from the enough-already dept.

Reader Trailrunner7 writes: It was nice to see the calendar turn over to 2017, for a lot of reasons, not the least of which is that on Jan. 1 a new law went into effect in California that outlaws the use of ransomware. The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, but ransomware is a case of criminals outflanking the existing laws. Ransomware emerged in a big way a few years ago and the law enforcement community was not prepared for the explosion of infections. While there have been takedowns of ransomware gangs, they often involve charges of money laundering or other crimes, not the installation of the ransomware itself. In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion. The law went into effect on Jan. 1.

128 comments

Min score:

Reason:

Sort:

I still don't get it. by gfxguy · 2017-01-04 06:04 · Score: 4, Insightful

How was it NOT extortion before the law?

--
Stupid sexy Flanders.
1. Re:I still don't get it. by Anonymous Coward · 2017-01-04 06:08 · Score: 1
  
  It was... you missed the country of origin.
2. Re:I still don't get it. by fbobraga · 2017-01-04 06:27 · Score: 1
  
  extortion is lawful/legal in Canada?!
3. Re:I still don't get it. by fbobraga · 2017-01-04 06:29 · Score: 1
  
  Canada
  * California (fixing my own post)
4. Re: I still don't get it. by Anonymous Coward · 2017-01-04 06:30 · Score: 0
  
  California? As good as a separate country I suppose. Fat lot of good this is going to do at any rate. Does it enable enhanced prosecution in the countries these scum operate from??? No? Then it's less than useless, as there are already a hundred and one laws on the books which have this covered. Extortion. Racketeering. Fraud. Unauthorized access. Yadda Yadda. Etc etc.
  Just because something has to do with computers and the interbutts we need a whole new law? Foolishness.
5. Re:I still don't get it. by bobdehnhardt · 2017-01-04 06:51 · Score: 1
  
  IANAL, but yeah. Installing software on my PC without permission should already be trespass or vandalism; encrypting my files and demanding money for the key should already meet the definition of extortion or blackmail. I guess the fact that these assumptions are apparently false just shows how non-intuitive the law is.
6. Re:I still don't get it. by CaptainDork · 2017-01-04 06:51 · Score: 1
  
  How was it NOT extortion before the law?
  Moot.
  We're eliminating extortion, money laundering, loss of income for righting the ship ...
  To paraphrase TFS and TFA, "It's illegal to load ransomware on a computer."
  The mere existence of the ransomware is evidence of a crime, in and of itself, and extortion, money laundering, loss of income for righting the ship are collateral issues.
  
  --
  It little behooves the best of us to comment on the rest of us.
7. Re:I still don't get it. by gnasher719 · 2017-01-04 06:52 · Score: 1
  
  How was it NOT extortion before the law?
  See for example this definition of extortion: http://legal-dictionary.thefre...
  
  If you read the definition carefully, you will find that ransomware doesn't actually fall under this definition.
8. Re: I still don't get it. by CaptainDork · 2017-01-04 06:52 · Score: 0
  
  Extortion. Racketeering. Fraud. Unauthorized access. Yadda Yadda. Etc etc.
  Notice you didn't list, "ransomware."
  
  --
  It little behooves the best of us to comment on the rest of us.
9. Re: I still don't get it. by Anonymous Coward · 2017-01-04 06:53 · Score: 0
  
  Also unauthorized use of computers, and data destruction are illegal federally. Maybe California wants the law to get jurisdiction so they can be the prosecuting court system.
10. Re: I still don't get it. by Wulf2k · 2017-01-04 06:55 · Score: 2
  
  He also didn't list "Ransomware programmed on a Tuesday by a man named Dave that lives in a van under a bridge."
  We obviously need a new law to cover this gap.
11. Re:I still don't get it. by Wulf2k · 2017-01-04 06:58 · Score: 1
  
  Is it illegal to load ransomware on my own computer?
  Is this more illegal than installing something that will encrypt all the files without offering to decrypt them for money?
12. Re: I still don't get it. by Anonymous Coward · 2017-01-04 06:59 · Score: 0
  
  You honestly typed all that out, thinking it was a valid retort. Okay.
13. Re:I still don't get it. by sexconker · 2017-01-04 07:03 · Score: 1
  
  It's all already covered under the ridiculous CFAA.
14. Re: I still don't get it. by bondsbw · 2017-01-04 07:12 · Score: 3, Insightful
  
  Isn't it? If "ransomware" is a superset of "ransomware programmed on a Tuesday yada yada", then surely "extortion" includes "extortion via ransomware" .
  
  --
  All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
15. Re: I still don't get it. by Anonymous Coward · 2017-01-04 07:18 · Score: 1
  
  Extortion. Racketeering. Fraud. Unauthorized access. Yadda Yadda. Etc etc.
  Notice you didn't list, "ransomware."
  Ransomware is a buzzword. There are a variety of laws on the books which already make it illegal to write it, illegal to distribute it, illegal to fuck with someone's data using it, illegal to demand money to unlock the data, etc.
  The REAL reason California is passing this redundant law is not to make it "more" illegal or even specifically illegal. They're doing it because if California has a law against an activity, it gives them a certain level of Jurisdiction at a State level which they may not have had previously.
16. Re:I still don't get it. by mikael · 2017-01-04 07:20 · Score: 2
  
  Because the other categories (money laundering, extortion) only applied when the files had been encrypted and a demand made. If the ransomware is loaded onto a computer system, but not activated, there's no crime committed using these categories.
  Just the act of loading software onto a PC is now enough evidence for a crime to be considered committed.
  
  --
  Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
17. Re:I still don't get it. by g01d4 · 2017-01-04 07:23 · Score: 1
  
  you will find that ransomware doesn't actually fall under this definition
  
  Only under strict-common law. If you read further down:
  
  Most jurisdictions have statutes governing extortion that broaden the common-law definition. Under such statutes, any person who takes money or property from another by means of illegal compulsion may be guilty of the offense. When used in this sense, extortion is synonymous with blackmail, which is extortion by a private person.
18. Re:I still don't get it. by Anonymous Coward · 2017-01-04 07:26 · Score: 0
  
  It's all already covered under the ridiculous CFAA.
  CFAA is a Federal law. CA passed this law to give themselves more Judicial Authority, and maybe score some PR points among the general population.
19. Re:I still don't get it. by Anonymous Coward · 2017-01-04 07:34 · Score: 0
  
  Which has been a crime under the CFAA since, I dunno, sometime in the 80s
20. Re:I still don't get it. by CanadianRealist · 2017-01-04 07:34 · Score: 1
  
  The obtaining of property from another induced by wrongful use of actual or threatened force, violence, **or fear,** or under color of official right.
  (Emphasis mine.)
  Seems to fit nicely under fear. I'm afraid that if I don't pay you then I'll never get my files back.
21. Re: I still don't get it. by Anonymous Coward · 2017-01-04 07:51 · Score: 0
  
  fucking lulzkopterofflyaolmillenial! where'd californ-eye-ay get the huge bump in resources to investigate/prosecute/punish these 'new crimes" they want jurisdiction over? hahahahahaha
22. Re:I still don't get it. by Sloppy · 2017-01-04 09:05 · Score: 1
  
  How was it NOT extortion before the law?
  I haven't found the text of the law to read, but I can guess.
  I used to work for a place where, in the late 1980s and early 1990s we would occasionally sell ransomware to clients who had iffy credit. Pay your bill every month, and we'd send you an update to our software. Stop paying or don't install your update, and a time bomb would go off: it fails to start. The software's data wasn't encrypted or anything, but it was in a proprietary undocumented form, so it was effectively unusable. (Unless you set back your machine's clock, which would have some annoying consequences for data entry speed.)
  I think what we were doing would probably be considered ransomware to most people.
  The reason I wouldn't call that extortion, is that the client would agree to it beforehand (and without any coercion or duress) and they would get something of value (our software) in exchange that they previously didn't have. Don't wanna do it? Don't sign the license agreement. (Yes, back in those days, a license was actually a real contract, and customers would sign it and we'd put it in a filing cabinet. No after-the-fact "surprise! you didn't really buy this in spite of having thought so at the time you parted with your money!")
  I think what we were doing would probably not be considered extortion to most people. (But I'm still glad I don't do that anymore.)
  
  --
  As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
23. Re: I still don't get it. by Anonymous Coward · 2017-01-04 09:06 · Score: 0
  
  That's idiotic, imagine if you applied the same logic to pretty much any other illegal activity. Need to murder someone? Hey there's no specific law against killing with an sledge hammer made out of sawdust reinforced ice (pykrete) so it must be legal! Laws should (and most often do) cover the activity (murder, theft), not the method (knife, hand).
24. Re: I still don't get it. by NormalVisual · 2017-01-04 09:45 · Score: 1
  
  Notice you didn't list, "ransomware."
  
  Probably because ransomware is a form of extortion.
  
  --
  Please stand clear of the doors, por favor mantenganse alejado de las puertas
25. Re:I still don't get it. by Voyager529 · 2017-01-04 10:03 · Score: 4, Funny
  
  How was it NOT extortion before the law?
  Because this is extortion...on the Internet.
26. Re: I still don't get it. by Anonymous Coward · 2017-01-04 10:13 · Score: 0
  
  The REAL reason California is passing this redundant law ...is to make it look like the politicians are "taking action" against this. It also gives, in the unlikely event that law enforcement stumbles across the perp of a ransomware incident, another charge to throw against the perp so the prosecutor can then plea-bargain him down from separate charges of extortion, computer abuse, and ransomware to just one or two of those.
27. Re:I still don't get it. by gfxguy · 2017-01-04 10:26 · Score: 1
  
  To quote TFS: "In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion." The topic says that the law "finally makes ransomware illegal," but the law makes it a "form of" extortion.... my question stands, how was it NOT extortion before?
  
  --
  Stupid sexy Flanders.
28. Re:I still don't get it. by lazy+genes · 2017-01-04 10:27 · Score: 0
  
  They can now set a punishment,like cutting off a finger or two or a hand if they repeat .
29. Re:I still don't get it. by Dutch+Gun · 2017-01-04 10:38 · Score: 4, Informative
  
  So, I was curious about this, and did a little digging. For reference:
  The elements of California extortion are:
  The defendant threatened to do one of the following to the alleged "victim":
  a. Unlawfully injure or use force against him/her, a third party, or his/her property,
  b. Accuse him/her or a relative or family member of a crime, OR
  c. Expose a secret involving him/her or a family member, or connect any of them with some kind of crime, disgrace, or scandal;
  When making the threat or using force, the defendant intended to force the "victim" into consenting to give him/her money or property or to do an official act;
  As a result of the threat, the "victim" did consent to give the defendant money or property or do an official act; AND
  The "victim" then actually did give the defendant money or property or perform the official act.
  So the exchange of the ransom is required to meet California's legal definition of "extortion". Naturally, most professionally run IT shops or prudent individuals will have backups and may not pay the ransom, but the damage still may be substantial simply due to lost time and productivity. This new law creates a specific exception for ransomware, making the deployment of it a crime equivalant to extorsion, regardless of whether or not a ransom payment is made. From the text of the bill itself:
  
  This bill would define ransomware as... [describes ransomware]... The bill would provide that a person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable as if that money or other consideration were actually obtained by means of the ransomware...
  Given this information, it appears that unpaid ransomware attacks were NOT considered "extortion" under California law. This new law provides both a legal definition for ransomware (must have gotten some help from a competent IT person here), and closes that loophole... which, btw, seems like sort of a terrible loophole for extortion as well, but whatever.
  We see further evidence of this in the first sections of the bill, which pretty much seems designed to shut down this loophole:
  
  523. (a) Every person who, with intent to extort any money or other property from another, sends or delivers to any person any letter or other writing, whether subscribed or not, expressing or implying, or adapted to imply, any threat such as is specified in Section 519 is punishable in the same manner as if such money or property were actually obtained by means of such threat.
  (b) (1) Every person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable pursuant to Section 520 in the same manner as if such money or other consideration were actually obtained by means of the ransomware.
  (2) Prosecution pursuant to this subdivision does not prohibit or limit prosecution under any other law.
  TLDR version: This law was needed due to the peculiarities of California's extortion laws.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
30. Re:I still don't get it. by unixisc · 2017-01-04 12:26 · Score: 1
  
  How was it NOT extortion before the law?
  Yeah, no kidding
31. Re: I still don't get it. by Anonymous Coward · 2017-01-04 13:36 · Score: 0
  
  Don't be so sure with the law. There are reasons why many states crafted vehicular homicide laws after sufficient argument was made that intoxicated persons couldn't form the necessary mens rea. Sometimes even manslaughter wasn't an option.
32. Re: I still don't get it. by Anonymous Coward · 2017-01-04 20:09 · Score: 0
  
  So, Intertortion?
33. Re: I still don't get it. by Anonymous Coward · 2017-01-05 00:53 · Score: 0
  
  What happens in California happens to the rest of the nation. Take CA's new gun laws. Even they only apply to one state, other states will adopt them like wildfire, and ghost guns will be a non-issue come 2018.
  CA's laws on exhaust are a major player as well. Where CA goes, every company follows, because it is easier to comply than split products between 50 state legal and 49 state legal.
34. Re:I still don't get it. by Anonymous Coward · 2017-01-05 01:50 · Score: 0
  
  So in California it's legal to try to extort people as long as you don't succeed?
  Maybe that's what actually needs to be fixed.
35. Re:I still don't get it. by david_thornley · 2017-01-05 07:02 · Score: 1
  
  That definition says "who takes money or property", implying that the threat by itself is likely to not count as extortion unless it's successful. I'd rather have "give me $1000 or I break your arms" count as extortion whether I hand the money over or not. Specifically, I'd like the installation and activation of ramsomware to count as extortion.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Good by Anonymous Coward · 2017-01-04 06:05 · Score: 0

It is good that they outlawed Windows 10 and Apple APPs.
1. Re:Good by DickBreath · 2017-01-04 08:04 · Score: 3, Funny
  
  Windows 10 has been installed on this computer.
  To restore this computer to a usable state
  please send 3 bitcoin to Microsoft.
  
  --
  
  I'll see your senator, and I'll raise you two judges.
Outflanked the law? by wbr1 · 2017-01-04 06:06 · Score: 4, Insightful

I do not know california code, but I imagine installing and running software without permission is already illegal, as is unauthorized use of a system and destruction of data. Not to mention fraud.
So.. do we really need another law? For something that is largely coming from out of the country and is unlikely to result in a prosecution except MAYBE at the federal level?

--
Silence is a state of mime.
1. Re:Outflanked the law? by Archangel+Michael · 2017-01-04 06:15 · Score: 0
  
  Yes, we need another useless law that will not have anyone convicted any time soon, just so stupid legislators can say "See, we are protecting you!"
  Right up there with Assault Rifle bans because ... "SCARY LOOKING!!!!!"
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
2. Re:Outflanked the law? by Anonymous Coward · 2017-01-04 06:16 · Score: 0
  
  And extortion.
3. Re:Outflanked the law? by Anonymous Coward · 2017-01-04 06:20 · Score: 0
  
  Didn't stop Microsoft from pushing malware onto millions of Windows 7 computers last year.
4. Re:Outflanked the law? by fbobraga · 2017-01-04 06:32 · Score: 1
  
  Didn't stop Microsoft from pushing malware onto millions of Windows 7 computers last year.
  flawed laws...
5. Re:Outflanked the law? by PolygamousRanchKid+ · 2017-01-04 06:57 · Score: 1
  
  I imagine installing and running software without permission is already illegal, as is unauthorized use of a system and destruction of data. Not to mention fraud.
  Isn't that what the FBI, CIA and NSA do every day? Without warrants, or judges' approval . . . ?
  
  --
  Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
6. Re:Outflanked the law? by CaptainDork · 2017-01-04 07:01 · Score: 4, Informative
  
  ... installing and running software without permission is already illegal ...
  
  Permission was granted when the user voluntarily opened a malicious attachment or navigated to a nefarious web site.
  I'm retired from IT and I was often pulled into management's office to answer the question, "Why did our system not stop this?"
  I answered that the "system" was granted permission by the operator, who, BTW, has attended six (6) seminars this year alone that explains users aren't allowed to use computers for personal use, so why are they panic-clicking on an attachment that their "UPS package will not be delivered until you click on this link ..." AND the fucking Firm has a contract with FEDEX for that shit anyway.
  
  --
  It little behooves the best of us to comment on the rest of us.
7. Re:Outflanked the law? by wbr1 · 2017-01-04 07:36 · Score: 3, Insightful
  
  Software installed through deception is NOT installed with permission. This is computer fraud 101. Sure the operation can bypass system restrictions at any time, but actual permission lies with the user or owner, and software installed through fraudulent means such as deception, zero-days etc is still illegal should not be considered as having been granted owner/operator permission.
  
  --
  Silence is a state of mime.
8. Re:Outflanked the law? by wbr1 · 2017-01-04 07:37 · Score: 2
  
  But...but...but they're the good guys... /sarcasm
  
  --
  Silence is a state of mime.
9. Re:Outflanked the law? by Anonymous Coward · 2017-01-04 08:06 · Score: 0
  
  why are they panic-clicking on an attachment that their "UPS package will not be delivered until you click on this link ..." AND the fucking Firm has a contract with FEDEX for that shit anyway.
  Your firm might have an exclusive contract with Fedex to ship packages, but the rest of the world often uses other courier companies to send packages to your firm. It isn't uncommon to get delivery notifications when courier companies are shipping you stuff.
  That being said, you're right, people are idiots.
10. Re: Outflanked the law? by Anonymous Coward · 2017-01-04 08:53 · Score: 0
  
  You don't need a warrant or judge's permission when they are using the authority granted to them by the laws that Congress passed.
11. Re:Outflanked the law? by Anonymous Coward · 2017-01-04 09:41 · Score: 1
  
  So.. do we really need another law?
  Sometimes, if you're in the USA.
  A few months ago my wife was on jury duty, where a guy was suspected of (actually, he took the stand(!) and incriminated himself) kidnapping a junkie and making her work as a prostitute, with occasional beatings and threats.
  Those are all illegal things in my state.
  Just one problem: this was federal court. So what he was actually charged with, was some totally absurd made-up nonsense lie about "interstate commerce." The guy was not engaging in interstate commerce. The courts have redefined those words to mean almost nothing related to their actual meaning.
  Had I been on that jury instead of my wife, I might have nullifi-- no. Actually, this motherfucker needed to go down so I would have voted to illegally convict him. But I would have felt a little dirty, doing that. And had he been prosecuted per my state's laws in district court, there would have been no conflict or dilemma at all. (And as it happens, he was found guilty because my wife has a practical side to her as well.)
  We have federal laws for a lot of things, where they're pretty bad and many times their use is an error and begs right-leaning jurors to say "enough of this, fuck you, I vote Not Guilty" simply because they're angry that growing backyard marijuana plants for personal use is considered "interstate commerce." It's a good thing to have the correct governments outlaw the right things, both to comply with the constitution and to avoid the wrath of constitutionally-minded jurors. You don't want to invite a hung jury if you can easily avoid it.
  That said, I still have no fucking idea why this kidnapper/batterer pimp was in federal court instead of metro court. Everything the jury heard about, was illegal by state law. Maybe California has more money than my state does, for prosecutors. (But more likely, I think it was the feds trying to keep everyone conditioned to the idea that anything you do, can be "interstate commerce.")
12. Re:Outflanked the law? by Anonymous Coward · 2017-01-04 10:23 · Score: 0
  
  +1 insightful.
  Unfortunately I don't have mod points right now even if I were logged in.
13. Re:Outflanked the law? by CaptainDork · 2017-01-04 11:42 · Score: 1
  
  Bullshit.
  I have all kinds of shit in place that says, "DO NOT OPEN THIS ATTACHMENT and the goddam user still opens it.
  We're a law firm and the stock answer is, "Your guy overrode your own fucking system and ASKED for the payload."
  So, no ...
  
  --
  It little behooves the best of us to comment on the rest of us.
14. Re:Outflanked the law? by Obfuscant · 2017-01-04 11:43 · Score: 1
  
  Permission was granted when the user voluntarily opened a malicious attachment or navigated to a nefarious web site.
  This was modded "Informative"? You are a loon.
  
  I answered that the "system" was granted permission by the operator,
  
  So if I ask you if I can borrow your lawnmower, but instead take your car out of your garage and run it into a tree, you're ok with that because you gave me permission to take something out of your garage and you really didn't care what it was? Or a user who agreed to allow a website to install "File Compressor Pro" actually agreed to let them install ransomware instead because they agreed to allow the site to install something, it doesn't matter what?
  It matters nothing at all what the permission was for, "permission" means "anything"?
  
  users aren't allowed to use computers for personal use, so why are they panic-clicking on an attachment that their "UPS package will not be delivered until you click on this link ..."
  A user who is dealing with a package delivery TO THE COMPANY is doing this as "personal use" and shouldn't be?
  
  AND the ... Firm has a contract with FEDEX for that shit anyway.
  Who you have a contract with for sending packages means nothing when it comes to how others send packages to you. If I get good rates from UPS to ship things and I use them to send something to your previous employer, FedEx does NOT get to demand that they actually get paid to deliver that package to them.
  I think you "retired" a bit too late.
15. Re:Outflanked the law? by CaptainDork · 2017-01-04 12:21 · Score: 1
  
  TL;DR
  It appears, from a distance, and with a quick scan, that you are intelligent and may one day make use of that attribute, but not today.
  
  --
  It little behooves the best of us to comment on the rest of us.
16. Re:Outflanked the law? by wbr1 · 2017-01-04 15:46 · Score: 1
  
  I try to not engage in ad hominem when I can see my self doing it, but I agree with GP. You sir are a loon.
  
  --
  Silence is a state of mime.
17. Re:Outflanked the law? by david_thornley · 2017-01-05 07:06 · Score: 1
  
  I think they wanted installing and activating ransomware to count as extortion, which it didn't.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
18. Re:Outflanked the law? by david_thornley · 2017-01-05 07:08 · Score: 1
  
  I think you may be ignoring the legal definition of permission. For example, using login credentials that the ex-employee knew should not be used to log into a company system certainly has technical permission from the system, but I believe it's been found illegal under the CFAA.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
19. Re:Outflanked the law? by CaptainDork · 2017-01-05 10:16 · Score: 1
  
  Try oranges next time.
  
  --
  It little behooves the best of us to comment on the rest of us.
Thank god by Anonymous Coward · 2017-01-04 06:07 · Score: 3, Funny

This will certainly stop them, I mean I am sure they were just waiting for a law to make it illegal then they'll stop
1. Re: Thank god by Anonymous Coward · 2017-01-04 06:55 · Score: 1
  
  It will only stop the law abiding criminals.
CFAA by Anonymous Coward · 2017-01-04 06:08 · Score: 1

I mean, we use the CFAA for damn near everything? Why not this, where it actually seems to apply?
1. Re:CFAA by fbobraga · 2017-01-04 06:34 · Score: 1
  
  I bet you are not a Californian lawyer...
2. Re:CFAA by parkinglot777 · 2017-01-04 07:03 · Score: 1
  
  I mean, we use the CFAA for damn near everything? Why not this, where it actually seems to apply?
  OK, an explanation could be found here on LA Times. You could also read below quote (from the given link) for the specific part of the answer.
  
  At the federal level, prosecutors can use the Computer Fraud and Abuse Act to target ransomware. But state prosecutors typically must pursue such cases under laws against extortion, or those that target threats to injure a person or property that have not been acted upon.
  That doesn"t quite fit computer crime, Hoffman said.
  "With ransomware, the threat has already been carried out," he said. "The data has already been encrypted; it has already been compromised. It"s more like data kidnapping."
  At least one other state, Wyoming, has outlawed ransomware.
3. Re:CFAA by Anonymous Coward · 2017-01-04 07:39 · Score: 0
  
  So what do California prosecutors use when someone say steals a painting and threatens to destroy it unless they are given $$$$?
4. Re:CFAA by Anonymous Coward · 2017-01-04 08:00 · Score: 0
  
  Turpentine.
5. Re:CFAA by DickBreath · 2017-01-04 08:06 · Score: 1
  
  I was going to point out the same thing.
  
  The CFAA can be used to threaten someone with 35 years for violating a TOS in a way that is not actually a crime under any other law. But it isn't good enough to cover Ransomeware?
  
  --
  
  I'll see your senator, and I'll raise you two judges.
6. Re:CFAA by Lehk228 · 2017-01-04 12:16 · Score: 1
  
  it is, but federal laws are not useful to California prosecutors.
  
  --
  Snowden and Manning are heroes.
Wonderful. Glad that won't we an issue anymore by NotARealUser · 2017-01-04 06:09 · Score: 3, Insightful

If it were only so simple... This does nothing to actually prevent ransomware.
At least the good people of California can cite a specific law instead of the broader extortion laws when they are victimized. I really think there is no point to this law. It has no means to solve the ransomware issue, it simply makes a specific case out of something that was already illegal.
1. Re:Wonderful. Glad that won't we an issue anymore by Archangel+Michael · 2017-01-04 06:17 · Score: 2
  
  It does do something ... It allows stupid legislators to say they did something. Remember the following logic is all that is needed.
  We must do something!
  This is something!
  Therefore we must do it!!!!!!!
  Implied is, "Anyone that opposes this is an evil hater who wants to kill you and eat kittens"
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
2. Re:Wonderful. Glad that won't we an issue anymore by fbobraga · 2017-01-04 06:40 · Score: 1
  
  "Anyone that opposes this is an evil hater who wants to kill you and eat kittens"
  how eat cows/pigs is better than eat kittens?
3. Re:Wonderful. Glad that won't we an issue anymore by Obfuscant · 2017-01-04 06:46 · Score: 1
  
  how eat cows/pigs is better than eat kittens?
  Pro: cow/pig bigger than kitten, therefore don't need eat two kitten for dinner, just one cow.
  Con: cow/pig less tender, need tenderizer. Kitten yummy. Like veal. Cat, ick, old and tough.
  Pro: cow/pig available at local store. Must hunt kitten. Here kitty kitty... Hello Kitty!
4. Re:Wonderful. Glad that won't we an issue anymore by CanadianRealist · 2017-01-04 07:42 · Score: 1
  
  Cows and pigs are not furry and cute. And more importantly, there are no funny cow/pig videos on YouTube. (Well, there probably are some, but nowhere near the number of kitten videos.) Have you ever seen a cow or pig say "I can has cheezburger?"
5. Re:Wonderful. Glad that won't we an issue anymore by Anonymous Coward · 2017-01-04 08:41 · Score: 0
  
  Given that this is California we're talking about, this law will be modified to define Ransomware to include "Disagreeing with someone on the internet"
6. Re:Wonderful. Glad that won't we an issue anymore by edtice1559 · 2017-01-04 09:45 · Score: 1
  
  I think people don't understand the legal system very well. In order to secure a conviction, a prosecutor has to prove all aspects of the crime. Ransomware does involve other crimes but those may have hard elements to prove. For example it wouldn't be money laundering if somebody paid taxes on the income! Others point out that deceptive installation is installing without permission, but you have to *prove* that the user was deceived. Maybe they weren't. Maybe they knew it was ransomware and were pissed off at their employer. So there are many avenues to mount a defense. Why are we against criminalizing such bad behavior directly. Isn't this better than going out looking for something to charge somebody with. Probably makes the prosecution easier and less burdensome. I'm not a lawyer. I'm not your lawyer. I don't live in California and I'm not a prosecutor. Other disclaimers as necessary.
7. Re:Wonderful. Glad that won't we an issue anymore by Obfuscant · 2017-01-04 10:29 · Score: 1
  
  For example it wouldn't be money laundering if somebody paid taxes on the income!
  And it wouldn't be ransomware without extortion.
  
  Why are we against criminalizing such bad behavior directly.
  
  Because criminalizing every variant of everything we want to prohibit leads to massive volumes of criminal law, and the expectation that something that isn't specified exactly by name isn't a crime at all. You really don't want to have to wait for the legislators to catch up with a specific law regarding "some existing crime DONE ON A COMPUTER" just because it wasn't specified that way explicitly in the current law. I point to the parallel between this and patent law where "something already patented DONE ON A COMPUTER" is worthy of another patent.
  
  Maybe they knew it was ransomware and were pissed off at their employer.
  Do you believe that the crime of extortion does not exist if someone uses someone else's demands for money to attack a third party?
8. Re:Wonderful. Glad that won't we an issue anymore by edtice1559 · 2017-01-05 03:58 · Score: 1
  
  No, I think this is a much more complicated legal case to prove. If I write a ransomware and you install it on your company's computer and the ransomware demands payment in bitcoin, one can prove that (a) I wrote the ransomware, (b) You installed in your company's computer. But I can argue that I didn't know that you were going to actually install it. And you can argue that I tricked you into installing it. So the only way to prove the case is to follow the money which may turn out to be nearly impossible. Now it's much easier. I wrote the ransomware, it's on your company's computers, I'm guilty.
Thanks California by Anonymous Coward · 2017-01-04 06:12 · Score: 2, Funny

I can finally uninstall that pesky antivirus.
Yawn by DatbeDank · 2017-01-04 06:15 · Score: 1

Do nothing bureaucrats gonna bureaucrat. Let's all pat ourselves on the back for making a law that's covered by other laws!
It was legal before? by HalAtWork · 2017-01-04 06:15 · Score: 3, Interesting

You mean up until now I could have had my own money making machine? Oh well, missed that boat...

--
Twinstiq, game news
1. Re:It was legal before? by The-Ixian · 2017-01-04 06:24 · Score: 1
  
  There are 49 other states in the US....
  
  --
  My eyes reflect the stars and a smile lights up my face.
2. Re:It was legal before? by Oswald+McWeany · 2017-01-04 06:42 · Score: 1
  
  Yes, but electricity hasn't been discovered yet in 25 of them.
  
  --
  "That's the way to do it" - Punch
3. Re:It was legal before? by DickBreath · 2017-01-04 08:08 · Score: 1
  
  Nevermind electricity. How about common sense.
  
  --
  
  I'll see your senator, and I'll raise you two judges.
4. Re:It was legal before? by edtice1559 · 2017-01-04 09:49 · Score: 1
  
  As others have pointed out, you would have been prosecuted under other laws. But if you were really good at Ransomware maybe you could find one area of the crime that prosecutors couldn't prove and the you could spend most of your ill-gotten gains on a legal defense. You would be no better off, a defense lawyer would make out well, your victims would be out money, and the state would have an expensive prosecution bill. Now they have a much easier case and can just arrest you right away.
5. Re:It was legal before? by Anonymous Coward · 2017-01-05 01:54 · Score: 0
  
  It wasn't legal, as it's in clear breach of the CFAA, but good luck getting the FBI to prosecute a ransomware case.
More Magical Thinking from California by SuperKendall · 2017-01-04 06:15 · Score: 1

This is one of the more absurd examples of magical thinking I have seen in a while. Why do they think this will have any impact at all?
Most of the groups that spread the malware are based overseas. Most of them use bitcoin to collect payments so there's not even a money trail. Just what is this measure supposed to do to help anyone?

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:More Magical Thinking from California by Anonymous Coward · 2017-01-04 06:21 · Score: 0
  
  Just what is this measure supposed to do to help anyone?
  It makes them feel better about themselves? Because now, without any doubt, they are a victim, and are not responsible for their actions (or lack of actions)?
2. Re:More Magical Thinking from California by butchersong · 2017-01-04 06:36 · Score: 1
  
  In California laws are about intention rather than outcome.
3. Re:More Magical Thinking from California by Anonymous Coward · 2017-01-04 07:33 · Score: 0
  
  The thinking of a politician goes like this...."There is a problem, and something must be done. This inane non-solution is something, therefore we must do it."
4. Re:More Magical Thinking from California by Anonymous Coward · 2017-01-04 08:37 · Score: 0
  
  Just what is this measure supposed to do to help anyone?
  It gives me the right to know what they're doing is illegal, so I can justify sending a B-52 bomber to blow up their shit-stained camel tent.
  Seriously, what do you fucktards whining about this do about murder laws? They don't stop homicides either, but heaven forbid you learn about them, because then you'd be fucking bitching and moaning that Dylan Roof is on trial but 9 people are still dead because of him.
  Fortunately you're too busy sucking up to your human centipede of a cockfarm to read a paper, so mostly you keep your typing limited to more inane crap.
5. Re:More Magical Thinking from California by SuperKendall · 2017-01-04 08:58 · Score: 1
  
  Seriously, what do you fucktards whining about this do about murder laws? They don't stop homicides either,
  Yes, they do, because someone knows if they murder someone, then they probably will be found, and sent to jail. The "murder laws" stop a lot of very real murders.
  By contrast, the laws against ransomeware are worthless because the targets are as I said (A) not anywhere near where California law can impact them, and (B) really not trackable so you can't even find out who to sue or arrest.
  
  --
  "There is more worth loving than we have strength to love." - Brian Jay Stanley
6. Re:More Magical Thinking from California by Anonymous Coward · 2017-01-04 09:04 · Score: 0
  
  Yes, they do, because someone knows if they murder someone, then they probably will be found, and sent to jail. The "murder laws" stop a lot of very real murders.
  So what you're saying is that laws do work.
  
  By contrast, the laws against ransomeware are worthless because the targets are as I said (A) not anywhere near where California law can impact them, and (B) really not trackable so you can't even find out who to sue or arrest.
  Then your problem is not with the laws, but with California not simply sending armed posses to hunt down criminals who harm their citizens.
  Sounds like a plan to me. When will you propose it? You do know California DOES allow for citizen's petitions, right?
7. Re:More Magical Thinking from California by david_thornley · 2017-01-05 07:15 · Score: 1
  
  The law may be useful for extradition. If bad guy A is working in country B, and is identified, it may be easier to file an extradition request for a charge of extortion than computer misuse.
  If I, in the US, hack into somebody else's computer using an untraceable route, should I still be considered in violation of the CFAA?
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
8. Re:More Magical Thinking from California by SuperKendall · 2017-01-05 07:26 · Score: 1
  
  So what you're saying is that laws do work.
  Of course SOME laws work.
  You appear to be saying that ALL laws work.
  Like drug laws...
  Bang up argument there, Skippy.
  Then your problem is not with the laws,
  Yes it is with laws that do not, and cannot work.
  but with California not simply sending armed posses to hunt down criminals who harm their citizens.
  That would be fine but who would they hunt? That't my point, you simply cannot track down these malware people.
  
  --
  "There is more worth loving than we have strength to love." - Brian Jay Stanley
finally by Anonymous Coward · 2017-01-04 06:20 · Score: 1

That'll stop those rusky hackers!
Obvious question by Baloo+Uriza · 2017-01-04 06:21 · Score: 1, Funny

So does that mean Windows won't automatically be bundled with no way to unbundle it before purchase there now?

--
Furries make the internet go.
so, all hacking = illegal/bad? by thebryce · 2017-01-04 06:27 · Score: 1

ransomware absolutely sucks.
That being said, the statement "The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, " seems a bit loaded. I'm not sure if all hacking should automatically be assumed to be illegal. Would this even be hacking or are we to assume 'everything nefarious done via computer is hacking'.
1. Re:so, all hacking = illegal/bad? by fbobraga · 2017-01-04 06:44 · Score: 1
  
  I'm not sure if all hacking should automatically be assumed to be illegal.
  I'm sure: the answer is NO
IANAL, but... by Anonymous Coward · 2017-01-04 06:30 · Score: 0

I am no a lawyer, but how is this law at all necessary? It seems a classic case of "done on a computer so it must be new," which we rant about patents all the time. In not particular order, it seems like at least some of the following existing crimes should apply:
-Unauthorized access to a computer
-Vandalism
-Destruction of property
-Theft
-Extortion
Creative prosecutors are much better at listing out crimes as well so they can "throw the book" at people and coerce them into plea bargains.
I can only hope that the summary is misprepresentitive, and this is more a case of the law being needed to clarify whose jurisdiction and budget enforcement of these kinds of crimes would apply.
Known to ... by PPH · 2017-01-04 06:30 · Score: 1

... cause cancer in rats.

--
Have gnu, will travel.
1. Re:Known to ... by desdinova+216 · 2017-01-04 09:53 · Score: 1
  
  but what about lawyers? I think they're closer to humans biologically
Legislation over IT is generally stupid... by fbobraga · 2017-01-04 06:36 · Score: 1

... must be a reason why lawyers can't understand IT (and, I'm afraid, a medical one)
Funding for awareness drives? by kaka.mala.vachva · 2017-01-04 06:37 · Score: 1

I'm guessing here -but this might have to do with funding. Awareness drives usually cannot be funded unless there is a specific law. With this law in place, maybe there can be funding to raise awareness amongst everyday people on how to protect themselves from ransomware.
Calendar by PPH · 2017-01-04 06:38 · Score: 2

It was nice to see the calendar turn over to 2017
You were getting tired of Miss December too?

--
Have gnu, will travel.
1. Re:Calendar by Oswald+McWeany · 2017-01-04 06:44 · Score: 1
  
  ... January, you start the year of fine.
  February, you're my little valentine...
  
  --
  "That's the way to do it" - Punch
Red tape by Anonymous Coward · 2017-01-04 06:49 · Score: 0

So basically just more red tape in the system, this law is redundant
good by Anonymous Coward · 2017-01-04 06:49 · Score: 0

it means more charges can be tacked on and via stacking charges make it even more severe sentencing and make people weigh the action and the repurcutions if cought. as others said this is not going to stop it but even murder is illegal and it still happens this is no where near murder but at least the charge/s will fit the crime/s.
Oooh scary by JustAnotherOldGuy · 2017-01-04 06:59 · Score: 1

Yeah I'm sure this will scare the pants off some guy in his bedroom in Romania or Chelyabinsk.
He'll probably give up his evil ways, go straight, and get a day job at the local Burger King, AMIRITE?

--
Just cruising through this digital world at 33 1/3 rpm...
If they wanted to make a difference.... by mark-t · 2017-01-04 07:01 · Score: 1

.... wouldn't it be more logical to make it illegal to PAY said ransom, unless doing so is part of an active criminal investigation to identify the person or persons that are receiving the money? This would tend to force people who try to spread ransomware to shorten the window in which they are allowed to pay the ransom so that the victims have less time to consider whether they should go to the authorities, and would have to just quickly pay the money, regardless of the legality, just to get their files back. If, however, this window is too short, then it may not leave some people with enough time to even send the money, and with an increase in the number of people that lose their files anyways despite paying the ransom, the perceived effectiveness of paying the ransom to get one's files back is diminished. Confidence that paying anything will be beneficial in such circumstances is destroyed, and the people who would spread ransomware have reduced incentive to do so, since fewer people end up ever actually paying.

--
File under 'M' for 'Manic ranting'
1. Re:If they wanted to make a difference.... by Anonymous Coward · 2017-01-04 23:09 · Score: 0
  
  Except the police and even the FBI have recommended to pay the ransom for ransomware attacks.
2. Re:If they wanted to make a difference.... by david_thornley · 2017-01-05 07:19 · Score: 1
  
  So, what you're saying is that people who want to pay the ransom should avoid letting any law enforcement agency know they've got the ransomware? Wouldn't you rather encourage the reporting of ransomware?
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
3. Re:If they wanted to make a difference.... by mark-t · 2017-01-05 07:28 · Score: 1
  
  No... what I'm saying is that they shouldn't pay in the first place... and the only way to discourage this would be to make it illegal unless you had the cooperation of law enforcement (and even then only so that it was legal for law enforcement to use means at their disposal to trace a transaction, if it were technologically feasible). If people kept the fact that they had been infected to themselves (their only option if they intend to pay the ransom despite its illegality unless they also wish to pay whatever penalty is in place for breaking that law), there would be no widespread impression of how effective ransomware was at getting people to pay the ransom, thereby not fanning the flame that might make ransomware appear like a viable revenue stream to people who might consider it but are not yet using it, and the existing organizations that try and utilize it to extort money from people would, over time, fizzle out, and the problem will be largely solved.
  
  --
  File under 'M' for 'Manic ranting'
4. Re:If they wanted to make a difference.... by david_thornley · 2017-01-06 04:38 · Score: 1
  
  Some people want their files back, and will want to pay. If they know that they'll be criminally charged if news gets out, they will be sure not to tell anyone, and we'll never know how much is going on, and we'll miss out on data that might be useful in tracing it. Bad guys started using ransomware without knowing what the profit would be. The ones who know that it can make money will continue to do it, and new entrants into the field won't know whether or not it works. I think we're better off encouraging people to report it to the police.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
5. Re:If they wanted to make a difference.... by mark-t · 2017-01-06 05:51 · Score: 1
  
  I understand that people want their files back, but the law does not exist to compensate people for wrong actions against them, that is the job of civil court. The law is supposed to, to the best of its ability provide some disincentive to disobeying it. If it is illegal to pay the ransom without police involvement, people who consider their files to be more important than the law will do so, but the existence of that law *will* still act as some disincentive for the people who intend on following the law, since they will have otherwise done nothing wrong, while the people who distribute such ransomware are already breaking the law anyways, so adding another law to their list of infractions isn't going to change anything.
  
  --
  File under 'M' for 'Manic ranting'
I'm sure they'll get right on that by Anonymous Coward · 2017-01-04 07:06 · Score: 0

I'm sure the foreign hackers that are responsible for 99% of all malware will leave Californians along now. Phew! I'm glad there's a law for this now!
criminals by Anonymous Coward · 2017-01-04 07:45 · Score: 0

only criminals will now have guns^H^H^H^Hransomware.
WARNING by Anonymous Coward · 2017-01-04 07:52 · Score: 0

This post contains content known to the State of California to cause hurt feelings and rectal discomfort or other digestive harm.
The best part is the bounties by WillAffleckUW · 2017-01-04 08:16 · Score: 1

I mean, seriously, 10 percent of the ransom amount?
Take down a cyber ring and you can retire in Sumatra forever!

--
-- Tigger warning: This post may contain tiggers! --
"outlaws the use of ransomware" by avandesande · 2017-01-04 08:18 · Score: 2

Bad enough to have all your files encrypted, now you will be in trouble with the government too?

--
love is just extroverted narcissism
Problem solved. by fahrbot-bot · 2017-01-04 08:24 · Score: 1

Thanks CA !

--
It must have been something you assimilated. . . .
The actual solution by slashmydots · 2017-01-04 08:40 · Score: 1

Well this is idiotic but it reminds me if the ACTUAL solution, which is to make paying ransoms in ransomware illegal. That would make it disappear really quickly. It's already illegal to financially support criminal and terrorist groups and that's who runs these so make paying it illegal!
1. Re:The actual solution by Cro+Magnon · 2017-01-04 08:51 · Score: 1
  
  Or, more likely, it would guarantee that the victim, who thinks a "backup" is something their plumber fixes but can't bear to lose those cute pictures of the sister's dog, won't ever report the crime.
  
  --
  Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
2. Re:The actual solution by Anonymous Coward · 2017-01-04 09:38 · Score: 1
  
  Think it through further, making paying illegal would cause an explosion in ransomware as now all those authors will be able to successfully blackmail the payers into more criminal activities. Just like drug use and prostitution, when one party can't get help the other party successfully pushes further and further.
Laws for Outlaws by pubwvj · 2017-01-04 08:50 · Score: 1

Since when did outlaws start obeying the law?
There are already plenty of laws governing this.
No need to make a new law and clutter up the books.
Bah, hum-bug.
1. Re:Laws for Outlaws by david_thornley · 2017-01-05 07:22 · Score: 1
  
  Are you seriously arguing that laws that outlaws don't obey shouldn't be on the books?
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
2. Re:Laws for Outlaws by pubwvj · 2017-01-15 11:37 · Score: 1
  
  Try reading my whole comment next time.
Damn it! by Anonymous Coward · 2017-01-04 11:57 · Score: 0

I was doing so well. Now that it is illegal, I guess I'll have to stop. I don't want to be be called a criminal or anything. That just looks bad. I just hope that it is still legal in other states.
Jurisdiction by Zemran · 2017-01-04 12:41 · Score: 1

Californian law applies in California, most malware is from Asia or Eastern Europe. I do not see how this law will affect anything.

--
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
1. Re:Jurisdiction by Anonymous Coward · 2017-01-04 23:46 · Score: 0
  
  It's a "feel-good" law.
  When there is some issue liberals exclaim "We need to do something" while pointing their fingers at Republicans. The liberal media picks up on the message and brain-washes the public into believing the problem exists, that it's the fault of republicans and that "something needs to be done".
  Liberals believe they can get rid of problems simply by creating new laws that forbids that problem. Everyone smiles and pats each other on the back while they "feel good" that they "did something" to solve the problem and can move on to get rid of other problems. The problem continues to exist and they blame the republicans. Lather, rinse, repeat.