The issue of the writing of computer viruses is a complex one. Most people see viruses in a purely malicious context. Viruses are almost always written with the intent of doing damage either to the systems that they infect or to other systems that they attack from infected hosts. But there are lessons to be learned from viruses as well with the most important lessons being related to understanding, anticipating and preventing viruses from spreading “in the wild.” Many educators and researchers believe that the best way to learn about viruses and their kin, such as spyware and worms, is to write real world viruses under controlled laboratory situations. By writing viruses students and researchers can learn valuable techniques and gain insight and understanding into how viruses work and how they spread. Some research institutions such as the University of Calgary offer classes on this subject and expect students to create their own viruses or spyware during the course as a learning exercise just as other Computer Science disciplines expect students to create working code in order to learn more thoroughly how software works internally. Writing working software is quite different than reading about and studying other’s work. [1]
Today many in the populace as well as those in government are attempting to create broad-stroke legislation to outlaw the writing of viruses and related programs. This is often caused by a deep misunderstanding of the vocabulary, a misunderstanding of the technology or just plain fear. We cannot solve the problems caused by viruses and other malware simply by making anyone who writes them a criminal. Like any broad legislation of this nature we risk criminalizing many who do not have malicious intent while doing little to dissuade those who are creating these technologies in order to commit crimes. [2]
We face many issues if we decide to follow a path of illegalizing viruses. The most obvious challenge is providing a clear definition of what constitutes “creating a virus”. We must be able to clearly identify one piece of software from another as being a virus, which is possible in some cases and could prove to be very difficult in others. Many things previously thought to fall outside of the reach of this term, such as over-aggressive copy protection mechanisms, could be considered illegal even to write without distributing. This means that software could not be written for research or for testing. Software that behaved in a viral manner accidentally could be illegal even though it is simply otherwise legal software with badly behaving methods. Security managers and researchers could not test defensive systems without first being attacked by actual viruses. Virus types known about from research but as yet unseen in the wild could not be tested as it would be illegal to be proactive in this manner. This would work against current initiatives to prevent “zero day” attacks. We also face the challenge of separating virus writing from other forms of speech which are covered by the freedom of speech in the United States. Traditionally all software is covered under freedom of speech and can only be illegal through its use and not through its creation. [3]
I agree with advocates of criminalizing the writing of viral software that viruses and their malware kin are significant threats to people and businesses but I do not agree that preventing legitimate research and education or that limiting free speech are appropriate or effective methods of preventing malicious viral outbreaks in the real world. In fact, I believe that these steps appear to be counter-intuitive to the desire to protect ourselves from those seeking to do us harm. Disarming our allies is hardly a recipe for a good defensive posture. I also believe that increasing legal pressure on non-malicious virus writing activities may not have the desired results even in a more direct manner. In a study done by IBM’s Thomas Watson Research Center it was seen that previous research indicated that litigious action taken against virus writers was largely ineffective doing little or nothing to perceptively alter the rate of creation and dissemination of computer viruses. It was also concluded that there was a real possibility of backlash in the United States where legal action that violates free speech can easily spark a revolutionary spirit and can be an encouragement to underground virus writing. [4]
I believe that those who use viruses maliciously should be prosecuted. But I feel that it is neither ethical nor practicable nor in the interest of the public good to make illegal the act of writing viral software for research, education, prevention or as a personal pursuit.
[1] Aycock, John, Teaching Spam and Spyware at the University of C@1g4ry retrieved April 29, 2007 from:
http://www.ceas.cc/2006/23.pdf
[2] Klang, Mathias (2003), A Critical Look at the Regulation of Computer Viruses from the Oxford Journals’ International Journal of Law and Information Technology retrieved April 29, 2007 from:
http://ijlit.oxfordjournals.org/cgi/content/abstract/11/2/162
[3] Filiol, Eric (2005), Computer Viruses: From Theory to Applications, Springer
[4] Gordon, Sarah, Virus Writers: The End of The Innocence? From IBM Thomas J. Watson Research Center retrieved April 29, 2007 from:
http://www.research.ibm.com/antivirus/SciPapers/VB2000SG.htm