Handbook of Information Security Management:Law, Investigation, and Ethics



The Problem of Intrusive Code

The task of drafting adequate legislation is further compounded by the problem of intrusive code. The introduction of a computer virus, worm, or other destructive series of instructions might not necessarily occur through conventional access channels protected by early legislation. Thus, protection against offenses involving the introduction of intrusive code might prove difficult within legal frameworks designed to address either unauthorized access or unauthorized use, absent specialized provisions. The introduction of a computer virus does not necessarily require that the offender ever access or use a computer; instead, the computer may be accessed and infected by an unwitting user who transmits the virus from a contaminated disk.

Nor is it always effective to focus on the harm done to information, because precautions often prevent intrusive code from achieving what might have been its desired effect. Diligent anti-viral procedures put in place by potential victims should not provide an offender a way of sidestepping criminal liability. Such realizations have led some states to pass specialized criminal provisions aimed at preventing harm caused by intrusive code.

Although 49 state statutory schemes protect against computer abuses, a far smaller number attack the types of abuses arising from intrusive code, whether in the form of a virus, worm, or some similar construct. Still, in 1989 alone, the states of California, Illinois, Maine, Minnesota, and Texas enacted statutes specifically aimed at computer viruses, and other states have since followed suit.

The states have adopted some novel approaches. Illinois includes within its definition of computer tampering anyone who knowingly and without authorization inserts or attempts to insert a “program” into a computer or computer program knowing or having reason to believe that it will or may damage, alter, or delete programs or data from or cause loss to users of that computer or a computer subsequently accessing or being accessed by it (Ill. Rev. Stat. Ann. ch. 38 para. 16D-3(4)). Texas makes it an offense for a person to “intentionally or knowingly and without authorization... insert or introduce a computer virus into a computer program, computer network, or computer system” (Tex. Penal Code Ann. § 33.03(a)(6)). (One astute commentator observed that the Texas statute’s definition of virus may be too restrictive to be widely effective. The statute defines computer virus as an unwanted program or set of instructions “specifically constructed with the ability to replicate itself...by attaching a copy of the unwanted program... to one or more computer programs or files.” Although technically correct, only litigation will determine whether the statute successfully prohibits the introduction of other forms of intrusive code, such as worms or Trojan horses.) Without requiring some specific intent to cause damage or harm, such a provision may prove difficult to enforce in light of the projected emergence of software agents and other forms of good viruses. (A related problem is tied to the difficulty of drafting a legal proscription capable of reaching a computer virus, but that does not consider the software vendors who release defective software as guilty. One expert has recommended that criminal laws focus on the intent of programmers.) 
Maine may well have foreseen and overcome such a problem with its requirement that the actor must “[i]ntentionally or knowingly introduce or allow the introduction of a computer virus into any computer resource, having no reasonable ground to believe that the person has a right to do so.” (Nebraska makes it a felony for someone to access or cause to be accessed a computer without authorization, or knowingly and intentionally to exceed authorized access and then distribute “a destructive computer program with intent to damage or destroy any computer, computer system, computer network, or computer software.” Considering the preliminary access requirement, however, it is questionable whether this specialized anti-virus provision serves any more of a purpose than the more conventional access-plus-damage provisions.)





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.