Monday, 28 May 2012

Legal Liabilities on the Creator of Trojan Horse Virus and Malware

Nowadays, we live in a world that depends on the Internet 100%, so there will always be people who take advantage of that dependence. Criminals are now able to commit more high-technology crimes, and these crimes are becoming more and more complex, as criminals never cease finding ways to bypass different computer security systems. Terrorists are using the net to plan attacks against the United States, and with the aid of encryption these messages are likely to be transmitted without being tracked. This makes things more difficult for law enforcement officials, as the Internet allows for instant and anonymous communications. Cyber crime can take many forms, including the release of a virus which may cause the destruction of a computer system.

We have seen what terrorist attacks are capable of in the September 11 episode, which led to mass killings of innocent civilians in a developed country. We have seen how the creation of the 'I Love You Bug', the 'Melissa Virus' and 'Bugbear' caused the destruction of data and the loss of protected information across the world and in various industries, facilitated by the Internet. We have seen and heard of the dangers of information being stolen by company employees, which led to the downfall of giant multinationals across the globe and resulted in damages totalling billions of dollars. Consider these different aspects of technology-related crime and we can see that they all have an element in common, which is the compromise or destruction of computer data (Ravin Vello, 2006). This is a list of the top 10 among the more dangerous and popular viruses that once spread worldwide: (10_deadly_computer_viruses_that_shook_the_world)

Do take note that viruses on microcomputers, such as Trojan horses, bugs and worms, are merely a method or technique that hackers use to gain unauthorized access to other people's computer systems; crackers would then make malicious modifications to the data they have secured through such viruses and worms. Thus, this post discusses the legal liabilities of the hackers behind Trojan horse viruses and malware from two perspectives based on the Computer Crimes Act 1997: unauthorized access and unauthorized modification.

An advocate & solicitor, Sulaiman Azmil, in CRIMES ON THE ELECTRONIC FRONTIER -- SOME THOUGHTS ON THE COMPUTER CRIMES ACT 1997 ([1997] 3 MLJ lix), discusses the unauthorized access offence, or "hacking", as distinct from "cracking"; SE Miller, whom the author cites, distinguishes between the two terms based on the intention of the person involved. It was believed that hackers are more noble than crackers, as hackers may not necessarily have malicious intentions towards other people's computer systems or information, and those with such intentions are actually the "crackers". Competitions based on "hacking" ability are also formally and widely held in universities and schools throughout the world, as hackers are recognized as identifying flaws in, and helping to improve, computer systems. This was emphasized by Mr Lim Kit Siang MP, who argued for an amendment to the Computer Crimes Act to insert a clause distinguishing between the two, but the AG's Chambers disagreed, as an act of unauthorized access, whether by a hacker or a cracker, is still the same as 'entering someone's house without permission'. (Raised by Mr Lim Kit Siang during a cyberlaw briefing organized by the Parliamentary Inter-Party Committee for Information Technology on 25 April 1997. In proposing the lowering of the fines to be imposed on hackers convicted of the offences under the Bill (as it then was), Mr Lim noted that the very high penalties (in the Bill) would stifle the creativity of computer experts -- creativity which was important to boost IT development in Malaysia. Computer experts, it was argued, broke into systems to experiment, learn or demonstrate the low security of different systems: New Straits Times, 26 April 1997.)

The unauthorized access offence is set out in s 3(1) of the Computer Crimes Act 1997. The provision states that a person shall be guilty of an offence if:

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorized; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.

The intent a person has to have to commit an offence under this section need not be directed at any particular program or data, a program or data of any particular kind or a program or data held in any particular computer.

Under s 2(2), a person is said to secure access to any program or data held in a computer if, by causing a computer to perform any function, he:

(a) alters or erases the program or data;

(b) copies or moves it to any storage medium other than that in which it is held or to a different location in the storage medium in which it is held;

(c) uses it; or

(d) causes it to be output from the computer in which it is held whether by having it displayed or in any other manner, and references to access to a program or data and to an intent to secure such access shall be construed accordingly.

For the purposes of the Act, access of any kind by any person to any program or data held in a computer is unauthorized if:

(a) he is not himself entitled to control access of the kind in question to the program or data; and

(b) he does not have consent or exceeds any right or consent to access by him of the kind in question to the program or data from any person who is so entitled.

Sulaiman Azmil (1997) explains the offence in terms of its two criminal elements. On the actus reus of unauthorized access, he says that the accused must specifically "Causes a computer to perform any action". Thus any real-world action, such as reading a computer printout, reading data displayed on a CRT monitor, or 'computer eavesdropping', falls outside the said section.

The mens rea, however, consists of two limbs:

1) there must be intent on the part of the defendant to secure access to any program or data held in any computer.

2) the defendant must know at the time when he causes the computer to perform the function that the access which he intends to secure is unauthorized.

Neither of these is specifically explained in the Computer Crimes Act or the Penal Code. The author regards intention as important, since reckless or negligent conduct in accessing any program or data cannot be charged under this Act. Knowledge, however, is said to be difficult to prove, since someone who accesses an unsecured site may not necessarily know that the access was not authorized.

Thus, the prosecution may have to answer the following questions:

1) whether the access is authorized;

2) whether the party obtaining or seeking to obtain access to any programs or data had knowledge that this was not authorized; and

3) whether there was intention to commit the offence

Besides that, another issue is the phrase 'any program or data held in any computer' in para (a) of s 3(1), which s 2(6) explains as including a reference to any program or data held in any removable storage medium that is inside the computer. It seems that an offence under this Act may only be committed when the medium (e.g. disc, diskette, pen drive, etc.) is inside the computer. Thus, any destruction or editing of the removable storage medium that is done to it outside the computer is not covered by this Act.

A UK case that we can consider is Attorney-General's Reference (No 1 of 1991) [1994] 1 QB 547. The defendant was an employee of a wholesale locksmith. After he finished his duty for the day, he returned to the premises wanting to purchase an item of equipment. Details of the sales transaction were entered into a computer terminal. The defendant, previously a sales assistant in the organization, was familiar with the use of the system and, taking advantage of a moment when the terminal was left unattended, entered a code into the system. This resulted in the computer giving a 70% discount on the sale. The invoice which was subsequently generated hence charged the sum of £204.76 instead of the normal price of £710.96. The defendant was charged with an offence under the UK Computer Misuse Act 1990. At trial, the judge dismissed the charge, holding that the phrase in s 1(1)(a) referring to obtaining access to 'any program or data held in any computer' required that one computer should be used to obtain access to a program or data held on another computer.

Therefore, writing a Trojan horse virus and writing malware, two ways among many more, can both be viewed as techniques for gaining unauthorized access to other people's computer systems, as the writers do not first ask the computer users for permission to jeopardize the computer system with the Trojan horse virus or to spy on the information and data inside any computer through the malware placed there.

The second issue vital to the topic is the unauthorized modification offence, which covers activities that damage computers, ranging from unauthorized deletion of data to denial of access (DoS) to authorized users. These activities are based on creating viruses, worms, logic bombs, malware and any other disabling programs. The very first famous viral infection, in 1988, was called Brain.a. This virus, which was written into software, spread to computer networks around the world, and in the United States alone it infected over 100,000 MS-DOS computers and disks.

Section 5(1) provides that a person shall be guilty of an offence if he does any act which he knows will cause unauthorized modification of the contents of any computer.

For the purposes of the Act, a modification of the contents of any computer takes place if, by the operation of any function of the computer concerned or any other computer:

(a) any program or data held in the computer concerned is altered or erased;

(b) any program or data is introduced or added to its contents; or

(c) any event occurs which impairs the normal operation of any computer, and any act that contributes towards causing such a modification shall be regarded as causing it.

Under s 2(8), any modification referred to in sub-s (7) is unauthorized if:

(a) the person whose act causes it is not himself entitled to determine whether the modification should be made; and

(b) he does not have consent to the modification from any person who is so entitled.

At the simplest level, any deletion or addition of data can amount to modification. As previously noted, for the purposes of constituting the offence, there must be knowledge on the part of the perpetrator that the act performed will cause unauthorized modification of the contents of any computer.

Under s 5(4), a person guilty of an offence under this section shall, on conviction, be liable to a fine not exceeding RM100,000 or to imprisonment for a term not exceeding seven years or to both; or be liable to a fine not exceeding RM150,000 or to imprisonment for a term not exceeding ten years or to both, if the act is done with the intention of causing injury as defined under the Penal Code.

Therefore, whenever modifications are made by a Trojan horse virus that was programmed to make them, the cracker behind the virus should be tracked down and held responsible for the damage brought about by those modifications.
