In the U.S., it is a federal crime to use malware to intentionally cause “damage without authorization” to a computer that is used in a manner that affects interstate or foreign commerce. 18 U.S. Code §§ 1030(a)(5)(A) & 1030(e)(2). Most, if not all, U.S. states outlaw the use of malware to cause damage, as do many countries.

The Council of Europe’s Convention on Cybercrime, which the United States ratified a few years ago, has a provision concerning the possession of malware. Article 6(1)(b) of the Convention requires parties to the treaty to criminalize the possession of malware “with intent that it be used for the purpose of committing” a crime involving damage to a computer or data. Article 6(1)(b) notes that a country can require “that a number of such items be possessed before criminal liability attaches.”

I was talking to someone recently about malware and the Convention, and the issue of making malware possession a crime came up. I honestly hadn’t thought much about it, since as far as I know U.S. law focuses on using malware, not on possessing it. I knew the U.S. had ratified the Convention, and I knew that nothing in federal law makes it a crime merely to possess malware; I suspected, and did a little research to confirm, that only one U.S. state makes it a crime to possess malware (as I noted in an earlier post).

That raised the first question: How can the U.S. be a party to the Convention if it doesn’t criminalize the possession of malware, as required by Article 6(1)(b)? The answer was what I suspected: Article 6 of the Convention lets parties to the treaty reserve the right not to apply Article 6(1) “provided that the reservation does not concern the sale, distribution or otherwise making available” of “a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed”. So as long as the U.S. criminalizes that, it can reserve the right not to apply the rest of Article 6(1).

That is kind of what the U.S. did: In a reservation submitted on September 29, 2006, the U.S. reserved the right not to apply Article 6(1)(b), as well as one provision of Article 6(1)(a) “with respect to devices designed or adapted primarily for the purpose of committing the offenses established in Article 4 (`Data interference’) and Article 5 (`System interference’)”. Article 4 encompasses the transmission of viruses and other programs that can threaten the integrity or use of computers and computer data; Article 5 encompasses the use of denial of service attacks and the use of malware to impair the functioning of computer systems.

So the U.S. chose not to implement the Convention’s requirement of criminalizing the act of possessing certain types of malware that can be used in these offenses (damaging, deleting, altering or suppressing data and seriously “hindering . . . the functioning of a computer system by” inputting, deleting, altering or suppressing computer data). It retained the right to apply Article 1(b) to gaining illegal access to computer systems (Convention Article 2) and illegally intercepting non-public transmissions of computer data (Article 3).

(The U.S. also submitted another reservation which states that “the offense set forth in paragraph (1) (b) of Article 6 . . . includes a requirement that a minimum number of items be possessed. The minimum number shall be the same as that provided for by . . . United States federal law.” That reservation is intended to preserve the offense created by 18 U.S. Code § 1029(a)(3), which makes it a federal crime knowingly and with intent to defraud possess “fifteen or more devices which are counterfeit or unauthorized access devices”. Section 1029(e)(1) defines an access device as “any card, plate, code, account number, electronic serial number, . . .identification number, . . . or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used. . . to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds”.)

I don’t know why the U.S. chose not to implement the portion of the Convention that requires parties to criminalize the possession of malware that can be used to attack data and/or computer systems . . . unless it might have been the product of uncertainty as to whether such a prohibition would fly under U.S. law or whether it would be advisable even if it were to be valid under U.S. law.

As to the first issue, someone could argue that malware (computer code) is speech, and speech is protected by the First Amendment as long as it does not become a crime in itself (a credible threat to harm someone, say) or an instrument that facilitates the use of a crime (aiding and abetting a bank robbery, say, by providing the combination to the sage). Clearly, using malware to cause damage would not be protected by the First Amendment, but simply creating and possessing it might be.

The second issue goes, of course, to the fact that antivirus companies and other researchers possess malware for very legitimate reasons. Article 6(1)(a) addresses that concern by requiring that the malware being criminalized is intended to be used to commit any of the crimes created pursuant to Articles 2-5 of the Convention. But maybe the U.S. was still concerned that criminalizing possession could lead to problems for legitimate researchers, notwithstanding this qualification.

Should we make the possession of malware a crime? I did a post about that general issue last year in which I quoted a Pennsylvania statute that makes it a crime to possess malware. In that post, I analyzed whether we can legitimately analogize malware to the burglar’s tools that are the focus of criminal possession statutes in all the U.S. states; the statutes, as I explained in that earlier post, make possessing burglar’s tools a crime in itself, a kind of attempt offense. As I noted in that post, I see a major difference between burglar’s tools and software; burglar’s tools (when described with precision in a statute) are not as ambiguous as software.

Like software, the individual items that constitute burglar’s tools can have innocent uses; the premise behind criminalizing the possession of burglar’s tools is that when you assemble certain tools, we can reliably infer from your possessing those tools that you mean to use them to commit burglary. By making possession of the tools a crime in itself, we can arrest you and interrupt you before you can actually commit burglary. I can see the argument for applying this rationale to software, but I also see good reasons (e.g., First Amendment, legitimate research, greater ambiguity of the item itself) for not doing so. I assume the Department of Justice had similar concerns, which is why the U.S. submitted the reservation concerning the scope of our implementation of Article 6(1)(b).