California closing legal loopholes with virus law

As it often does in topical areas of legislation, the state of California last week led where others will undoubtedly follow, …

As it often does in topical areas of legislation, the state of California last week led where others will undoubtedly follow, creating a law that specifically deals with computer viruses and addressing the problem of identity theft.

Most US states and international countries do not have targeted laws to counter the growing problem of computer viruses and other digital age crimes. Instead, they rely on the applicability of broader areas of criminal law laid down before computers and other digital devices became as ubiquitous as they now are. Usually, judges accept the argument that these laws can fold in digital crime.

But the release of the "iloveyou" virus earlier this year, with all the resulting havoc and millions of pounds in damage caused worldwide, changed attitudes.

Legally, viruses had been treated as a kind of adolescent prank that caused headaches and bother but not real, grown-up damage. A succession of powerful, destructive viruses in the last two or three years, capped by the arrival of the rapidly-moving "iloveyou" virus, altered perceptions.

READ SOME MORE

Not only did the scale of the devastation underpin the call for tougher laws, but the added affront of watching the alleged perpetrator(s) get off without even being prosecuted made legal bodies around the world take notice. The Filipino prime suspect in the case could not be held because a judge determined that the Philippines lacked a law under which the person and some presumed accomplices could be prosecuted.

Predictably, given the size of the technology industry and resultant high level of computer awareness in the state, California moved aggressively to change its laws. A Bill was introduced, sped through the state's two legislative houses, and was signed into law by Governor Gray Davis last week.

Up to this point in California, the release of a computer virus was treated as a simple infraction with a maximum fine of a paltry $250. Now, a first conviction carries a fine of up to $5,000. If the virus causes more than $10,000 in damage, the perpetrator could spend up to three years in a state prison.

Also last week, California passed a law to deal with another phenomenon of the advent of the Internet: identity theft. Because of the accessibility of a wide range of information online, criminals can sometimes collect enough information about an individual to impersonate them over the Net and run up high credit card bills or commit other fraudulent activity, such as gaining access to an individual's bank account.

The second Act lets victims clear their names by registering with a state-run database. They can do this once they receive a court order stating that they aren't the individual associated with the bad debts. It's a good beginning to a tough problem.

Irish law also needs to be changed to more precisely address digital-era crime. The issue of computer viruses has already been raised during the debate this summer on the Government's e-commerce and electronic signature legislation. Some existing legislation does cover illegally using someone's computer or accessing a computer network without permission, such as the Criminal Damage Act of 1991, and there is a body of law dealing with fraud.

Yet obviously, this is an outdated Act when it comes to current possibilities for using computers fraudulently or with malicious intent. The Act was also passed before the World Wide Web came into being, and thus doesn't begin to consider the range of activities that goes on in that realm.

A spokesman for the Department of Enterprise, Trade and Employment noted that the Government was actively looking at all these areas. Legislation regarding fraud is being reconsidered and updated. At the European level, the Department of Justice is also involved in helping to create a draft Council of Europe Convention on Cyber Crime.

The need to push such efforts along was underlined by the problems caused when Eircom's Internet site was hacked in August, causing days of hassle for Eircom.net subscribers, even if no accounts were actually compromised. How is such damage quantified? And will existing laws enable a convicted suspect to be given more than a slap-on-the-wrist fine?

In the case of computer viruses, the applicable existing laws actually cover "operating a computer without lawful excuse", "causing damage to computer data", and "loss due to deception or forgery". Sure, a virus could fit into all those areas, but none of those areas actually address computer viruses.

The difference, as we've seen in the case of the Philippines, could be hugely significant.

Karlin Lillington

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology