Should We Make the Possession of Malware a Crime?

In the U.S., it is a federal crime to use malware to intentionally cause "damage without authorization" to a computer that is used in a manner that affects interstate or foreign commerce. 18 U.S. Code §§ 1030(a)(5)(A) & 1030(e)(2). Most, if not all, U.S. states outlaw the use of malware to cause damage, as do many countries.

The Council of Europe's Convention on Cybercrime, which the United States ratified a few years ago, has a provision concerning the possession of malware. Article 6(1)(b) of the Convention requires parties to the treaty to criminalize the possession of malware "with intent that it be used for the purpose of committing" a crime involving damage to a computer or data. Article 6(1)(b) notes that a country can require "that a number of such items be possessed before criminal liability attaches."

I was talking to someone recently about malware and the Convention, and the issue of making malware possession a crime came up. I honestly hadn't thought much about it, since as far as I know U.S. law focuses on using malware, not on possessing it. I knew the U.S. had ratified the Convention, and I knew that nothing in federal law makes it a crime merely to possess malware; I suspected, and did a little research to confirm, that only one U.S. state makes it a crime to possess malware (as I noted in an earlier post).

That raised the first question: How can the U.S. be a party to the Convention if it doesn't criminalize the possession of malware, as required by Article 6(1)(b)? The answer was what I suspected: Article 6 of the Convention lets parties to the treaty reserve the right not to apply Article 6(1) "provided that the reservation does not concern the sale, distribution or otherwise making available" of "a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed". So as long as the U.S. criminalizes that, it can reserve the right not to apply the rest of Article 6(1).

That is kind of what the U.S. did: In a reservation submitted on September 29, 2006, the U.S. reserved the right not to apply Article 6(1)(b), as well as one provision of Article 6(1)(a) "with respect to devices designed or adapted primarily for the purpose of committing the offenses established in Article 4 ('Data interference') and Article 5 ('System interference')". Article 4 encompasses the transmission of viruses and other programs that can threaten the integrity or use of computers and computer data; Article 5 encompasses the use of denial of service attacks and the use of malware to impair the functioning of computer systems.

So the U.S. chose not to implement the Convention's requirement of criminalizing the act of possessing certain types of malware that can be used in these offenses (damaging, deleting, altering or suppressing data and seriously "hindering . . . the functioning of a computer system by" inputting, deleting, altering or suppressing computer data). It retained the right to apply Article 1(b) to gaining illegal access to computer systems (Convention Article 2) and illegally intercepting non-public transmissions of computer data (Article 3).

(The U.S. also submitted another reservation which states that "the offense set forth in paragraph (1) (b) of Article 6 . . . includes a requirement that a minimum number of items be possessed. The minimum number shall be the same as that provided for by . . . United States federal law." That reservation is intended to preserve the offense created by 18 U.S. Code § 1029(a)(3), which makes it a federal crime to knowingly and with intent to defraud possess "fifteen or more devices which are counterfeit or unauthorized access devices". Section 1029(e)(1) defines an access device as "any card, plate, code, account number, electronic serial number, . . . identification number, . . . or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used . . . to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds".)

I don't know why the U.S. chose not to implement the portion of the Convention that requires parties to criminalize the possession of malware that can be used to attack data and/or computer systems . . . unless it might have been the product of uncertainty as to whether such a prohibition would fly under U.S. law or whether it would be advisable even if it were to be valid under U.S. law.

As to the first issue, someone could argue that malware (computer code) is speech, and speech is protected by the First Amendment as long as it does not become a crime in itself (a credible threat to harm someone, say) or an instrument that facilitates the commission of a crime (aiding and abetting a bank robbery, say, by providing the combination to the safe). Clearly, using malware to cause damage would not be protected by the First Amendment, but simply creating and possessing it might be.

The second issue goes, of course, to the fact that antivirus companies and other researchers possess malware for very legitimate reasons. Article 6(1)(a) addresses that concern by requiring that the malware being criminalized is intended to be used to commit any of the crimes created pursuant to Articles 2-5 of the Convention. But maybe the U.S. was still concerned that criminalizing possession could lead to problems for legitimate researchers, notwithstanding this qualification.

Should we make the possession of malware a crime? I did a post about that general issue last year in which I quoted a Pennsylvania statute that makes it a crime to possess malware. In that post, I analyzed whether we can legitimately analogize malware to the burglar's tools that are the focus of criminal possession statutes in all the U.S. states; the statutes, as I explained in that earlier post, make possessing burglar's tools a crime in itself, a kind of attempt offense. As I noted in that post, I see a major difference between burglar's tools and software; burglar's tools (when described with precision in a statute) are not as ambiguous as software.

Like software, the individual items that constitute burglar's tools can have innocent uses; the premise behind criminalizing the possession of burglar's tools is that when you assemble certain tools, we can reliably infer from your possessing those tools that you mean to use them to commit burglary. By making possession of the tools a crime in itself, we can arrest you and interrupt you before you can actually commit burglary. I can see the argument for applying this rationale to software, but I also see good reasons (e.g., First Amendment, legitimate research, greater ambiguity of the item itself) for not doing so. I assume the Department of Justice had similar concerns, which is why the U.S. submitted the reservation concerning the scope of our implementation of Article 6(1)(b).

By Susan Brenner, Professor of Law and Technology


Comments

Mens rea is a familiar concept I hope? By Suresh Ramasubramanian  –  Feb 07, 2009 8:01 am PST

Burglar tools may be used solely by burglars - and may even be significantly different from locksmith tools, say.  Malware possession on the other hand is best accompanied by a mens rea requirement as the CoE convention suggests.

> the U.S. reserved the right not to apply

The US has certainly prosecuted people for abusive use (which includes possession and dissemination) of malware and botnets. It reserves the right not to apply - at its discretion, but I can't see in this wording where it has explicitly disclaimed it.
