LEGAL LIABILITY OF DAMAGES CAUSED BY COMPUTER VIRUS

 

1. COMPUTER VIRUS

 

There are about 14 000-15 000 known types of computer viruses.[1] In Finland there has been found about 300 viruses of which 50 has been written about. The amount of virus types is not the same as the appearances of viruses, which are many times over the amount of them. The first viruses were found in Finland in 1988 and they began to increase in 1990.[2]

 

1.1.  The concept computer virus

 

The terminology on computer virus is not established on an international level. The concept is used in a broad and narrow sense.[3]

 

In a broad sense is by computer virus meant such kind of a) computer program or b) range of program orders, which is produced as to cause damages to 1)the handling of data or to the functioning of data-or telecommunication systems, or 2) the data or the programs that the systems are comprised of. In English literature the wordings “malware” or “malicious core” are used. These concepts have no similarities in the Fininsh language, although the terms malicious program (tuholaisohjelma), malprogram (tuho-ohjelma) or deleterious programs (haitalliset ohjelmat) have been used.[4] 

 

 Computer viruses in narrow sense are a subtype of deleterious programs. Characteristic for a computer virus in a narrow sense is that they can not function independently while they need another program as a host.[5] Some other virus types may spread within a computer from one computer program to another and through the computer network from one computer to another. Besides computer viruses in a narrow sense are there 1) Trojan horses, 2) logic bombs and 3) worms. These are all named computer viruses in Finland.

 

So called Trojan horses differ from viruses because of their manner of propagation. A Trojan horse does not disseminate copies of itself while it disseminates only with the help of a user. The user has to copy a program that is infected with a Trojan horse. A Trojan horse can cause damages as other viruses, e.g. by destroying files. Some Trojan horses have collected data from the system and sent the data to the creator of the Trojan horses. Logic bombs are Trojan horses that are activated when the logic demand of the programmer is fulfilled, e.g. on a certain date. Worms are autonomously functioning programs. They may copy themselves to other computers through the network. Worms cause damages when the copies of them fill up memory space, i.e. they burden the computers and obstruct network connections.[6]

 

1.2.  Types of viruses

 

Most of the known types of viruses are made to function in a DOS-environment. The most common type of viruses was earlier the file virus and then the activation virus but nowadays most observations are got from macro viruses.[7]

 

Activation viruses infect the activation mechanisms of the disks or the hard ware by replacing the original activation mechanism with a code of their own. When the computer is set on, the system activates the virus. The virus may copy itself to any unprotected disk used in the computer, the hard ware or other memory space, as the central memory. The risk is always prevailing when an infected disk is in the disk station when the computer is set on.[8]

 

File viruses are quantitatively seen the most common virus type. They infect program files. A file virus search for a suitable program and adds its own code in the program file. An activated virus can do what so ever, as e.g. disseminate or destroy data or programs. These viruses did earlier disseminate solely with program files. During the latest years have the macro viruses become more common. They disseminate mainly through text files. The macro viruses are written with the macro language of some application. They typically spread when an infected document is opened or saved. It is more simple to write macro viruses than traditional viruses. It is estimated that writing viruses may partly change from an activity of experts of IT to an activity of normal users due to the macro viruses and that macro viruses will become the most common virus type.[9] 

 

In addition to these viruses are there so called more developed viruses. The name is due to the techniques they use. Hiding viruses counterfeit the data that some program read from the computer hard ware. It is a question of a hiding technique that the virus uses. Mutant viruses or polymorphic viruses alter their own virus code and way of functioning. Various generations of the same virus have varying ways of functioning. The most common mutant technique is to keep the code secret. The mutant virus may change its code to secret with some simple secret algorithm. Multi party viruses may infect several different objects, like files and activation mechanisms. They are combinations of other viruses. Retroviruses choose intentionally a virus resistance program as their objects, for instance as to destroy it or change it.[10]

 

1.3.  Ways of dissemination of viruses

 

A problem with the risks of viruses is that the processor[11] can not estimate the content of the computer program order when it interprets the program order. As a result the processor copies and disseminates also damaging ranges of orders.[12]

 

The computer viruses disseminate mostly through a) disks or b) through networks. A disk, CD-ROM, magnetic tape, ZIP-station or other recording tool that has been in an infected computer infects all the computers where it is used. In exceptional cases a virus may already exist in a new formatted disk, in a newly bought program or in the hard ware of a new computer.[13] 

 

Programs free of charge that may be copied from public post boxes or billboards have in many cases extensively acted as disseminators of viruses. A computer network, especially Internet, may be a worldwide channel of disseminating viruses. The documents and files on the www-servers occur as significant sources of viruses. E-mail is becoming the most common way of disseminating viruses. Worms may use the Internet-network as such when disseminating.[14]

 

1.4.  Damages caused by viruses

 

All computer viruses cause economic damage or detriment. The viruses are often categorized on the basis of the extent of damage they cause in the following groups: 1) viruses that disseminate but do not intentionally cause other damage and 2) viruses that are programmed to cause damage to some extent, e.g. by destroying something.

 

Most viruses do only disseminate. Causing damage is not included in their characteristics. But they may still fill up memory space, as disk space, delay computer functions, cause problems of co-existence and result in considerable outlays for cleaning and controlling. To clean up a large computer system from being infected of a virus may take weeks or months of time.[15]

 

Direct economic damages is caused when an activated virus a) destroy or b) alter a file or data or information in the file. In these situations the consequences may be unforeseen and economic considerable. Destroying of data always cause economic damage, although the destroyed data could be replaced by security copies. The crime object has to spend considerable work expenses to make clear which data are destroyed and which are not.

 

On the basis of the data that the computer virus has altered the public authorities or firms may make decisions that are wrong and that may lead to considerable damages. In an environment based on IT the activities of viruses may have unforeseen consequences. For instance if a virus alter data in the air traffic control system or in the files of health care could the consequences on both an individual and public level be dramatic.[16]

 

Solely the predictive resistance of viruses leads to considerable amount of expenses for individuals, firms and authorities. The most considerable costs are due to the procurement of virus resistance programs and keeping these programs up to date.

 

The digital transmission of data and the form of storage of information technological recordings[17] are based on a binary system. A change in one number of the two-digit system (a bit, either 0 or 1) for instance a change in a simple control sum or in a more developed secrecy operation ( so called certification of authenticity), cause a change that may result in that the system does not identify operations in a correct way. This change is also a physical change. To certify the authenticity of electronic documents in jurisprudence (legal relevance) should be based on compatible signs of identification as for instance certifications of authenticity from files.[18] The certifications are also part of the operations of electronic signature. For example if these certifications, as a range of signs in the control of a sender, do not fit in with a range of signs in the receiver´s computer, the documents are not to their content identical.[19]

 

These matters of information technology help to understand how significant practical and legal importance the integrity of data and information has in storage and transmission of data. Computer viruses may cause in the future considerable legal insecurity and obstruct electronic administration and commerce by destroying the basis for the credibility of electronic documents.

 

Computer viruses may be used in the future as a form of electronic warfare (information war).[20]

 

1.5.  Data security

 

A situation where data security prevails is a situation to strive for. In such a situation data, systems and services get factual protection in normal circumstances as well as in states of emergency from legislation and other actions against the threats and damages from 1) incorrect materials or programs, 2) natural disasters or 3) intentional or unintentional human acts directed towards confidentiality, integrity and operability.[21]

 

The object of protection against information technology crimes is often described with the wording “information technology peace” (Pax Computationis). The same matter is explained by the three basic concepts:

1)      Confidentiality

2)      Integrity and

3)      Availability[22]

in the handbook on information technology crimes of UN and in the decisions on information technology crimes of OECD, European Council and Finnish Government.

 

The computer viruses infringe the bases of information technology and data communication peace.

 

Concerning data security and information technology crimes is the matter mostly an issue about integrity, i.e. the correctness and authenticity and the storage of the characteristics of data and information.[23]

 

Processing of information and transmission of data and their non-disturbance is utmost important both nationally and internationally in the prevailing information society.

2. Criminal legal liability of viruses

 

One of the significances with criminal law legislation in these matters is that it states the legislator´s opinion of the dangers and damages of dissemination of computer viruses.

 

In connection with the legislative and preparatory work with the total reform of the Finnish criminal law there was an intention to statute a specific section in the law stating the dissemination of computer viruses as a criminal act.[24] Such a proposal was not included in the Recommendations No. R. (89) 9) on criminalization by the Committee on computer crimes of the European Council, which were accepted by the Committee of ministers of the European Council in the autumn of 1989.

 

Intentional dissemination of computer viruses and the damages this causes were then already paid regard to in the Criminal Law. A computer virus may be disseminated through a disk, e-mail or some other way by Internet. Such an operation may fill the criteria of 1) damage, 2) destruction, 3) unlawful use, 4) data infringement or 5) disturbance of data communication.[25] In practice the first three types of crimes are of most importance.[26]

 

Now does the criminal law Chapter 34 Section 9a comprise a special criminalization whose crime delict is “causing of danger to the processing of information” (14.10.1999/951). This section in criminal law criminalizes for instance creation and dissemination of computer viruses.

 

As to describe the historical development I will in the following first elaborate the criteria of damage, destruction, data infringement and unlawful use that were changed during the reform of the criminal law and that were then seen as giving enough criminal law protection against computer viruses. Then I will clarify the new Section in Criminal Law on “causing damage to information processing”.

 

 

2.1. Damage

 

Before the first phase of the reform of criminal law came into force was it seen as a matter of interpretation whether the section on damage could be applied for instance when the damage is caused by damaging magnetically stored data without that the entity of data storage is caused damage to physically.[27] This was due to the restrictive interpretation of the criteria “causing of damages to personal (estate) property”. By “property” was meant concrete (physical) property entities.  “Causing of damages” was thus solely a matter of property damages but not only so called pure property damages. This tradition of interpretation is still valid concerning damage in Criminal Law Chapter 35 Section 1 paragraph 1 (property damage).[28]

 

Due to this fact has damage directed towards information a specific Section. With this Section the intention is to protect principally all kinds of entities of data storage against damage not directed towards the physical data entity.

 

In the second phase of the reform of Criminal Law the opinion was that the dissemination of computer viruses could be seen as a crime when data stored in the information system or the capability of the information system is caused damage to.[29] The opinion changed in 1997 to a more moderate one. In the law proposal on the criminalization of dissemination of viruses it was an issue of interpretation, whether the sections on damage are suitable as such for comprising dissemination of a virus. The damage that the dissemination of viruses causes is namely only indirect and is not a consequence of destroying or destructing stored data.[30]

 

 

 

2.1.1. Damage to data

 

In the Criminal Law Chapter 35 Section 1 paragraph 2 is included a regulation on causing damage to data. Following the regulation may a person be condemned for causing damage if he unlawfully as to cause damage to another part 1) destroys, 2) destructs, 3) hide or 4) keeps secret stored data in the computer or on a storage entity.

 

When analyzing the criteria one can distinguish four different groups of criteria:

a)      intention to cause damage,

b)      prerequisite of wrongfulness,

c)      criteria of mode of action and

d)      object of the crime.

 

Causing of damage to data is a criminal action only when the perpetrator has had an intention to cause damage to another part. The data storage entity does not have to belong to another part. The property relations do not have a decisive role. The criminality of the action is fulfilled if there is an intention to cause damage to another part. The data that is caused damage to or the other content stored has to be of some value to its owner or holder. In other cases the criteria of intention to cause damage are not filled.[31]

 

Causing of damage to data should be done unlawfully, i.e. without a lawful right. The unlawfulness of the action may be removed if there is 1) a consent of the owner of the data, 2) state of self-defence or 3) state of emergency.[32] Concerning damage of viruses consent may in the first hand be of importance.

 

The criteria consist of four alternative modes of action:

1)      destroying

2)      destructing

3)      hiding

4)      keeping secret.

 

In the motives to the Government proposal is there no clear clarification what is described with these terms on modes of action. It may be concluded that by “destroying” is meant a) destroying everything and b) taking the object to be of no reach to its owner. By “destructing” is meant at least altering of the stored data and other content. In accordance with the criteria is also such action like causing typing and other errors that have the consequences that the stored data can not be used as originally intended without making corrections, and also making the stored data in other senses useless.[33] There is no clear guideline in the preparatory work. In situations of interpretation the criteria has to be given significance with traditional modes of interpretation. By “hiding” can be meant hiding of data or the storage entity of data in such a memory place where it is hard to find, when the storage place is hidden.[34] Such an action may also be made by a computer virus.

 

By disseminating a damaging virus can the criteria of destroying or destructing data or other stored data be filled. But it is questionable whether disseminating a virus that do not cause damage to files and data in them can be seen as an action that fills the criteria of causing damage.[35]

 

The object of the crime may be a) information or data stored on a storage entity or b) other storage entity.

 

“Data entities” mentioned in the criteria may be a) various electro-magnetic tapes and b) different kinds of memory disks suitable for automatic information processing. By “storage entity” can be meant principally all kinds of data, prescriptions or other content stored on the entity. It is of no relevance how the storage is technically done. In causing of damage to data it is mostly a matter of causing damage to data stored electronically, magnetically or optically. By “the stored data” or “other content stored” is meant 1) the content of the information or the storage entity and 2) the signs that the data and the storage entity consist of.[36]

 

The virus causing damage does mostly destroy or destruct stored data or other content stored. A virus that only disseminates by reproducing itself does not cause this kind of damage. Such a virus may fill up all memory spaces, but its mode of action does not fill the criteria of causing damage to data. In this case will it be evaluated whether such an action can be seen as “causing damage to the property of another part” in Criminal Law Chapter 35 Section 1 paragraph 1.

 

In the motives to the Government proposal was it stated that by “causing damage” is meant 1) destroying, 2) destructing or 3) sully an article or other property. As a caused damage were e.g. cleaning costs seen.[37] The terminology of the criteria does not hinder such an interpretation that as “causing damage to property” can be seen dissemination of a virus that fills up memory spaces, which will result in clarification and cleaning expenses.[38]

 

2.1.2. Qualified and privileged mode of action

 

For causing of damage is also statuted

1)      a qualified mode of action, i.e. causing of serious damage (CL 35: 2) and

2)      privileged mode of action, i.e. causing of slight damage (CL 35: 3).

 

The perpetrator can be condemned of causing of slight damage (CL 35: 3) when the causing of damage is slight as a whole. In this case regard has to be paid to 1) the slightness of the damage and 2) other matters of the crime. When evaluating the slightness of the crime important issues are a) the quality and quantity of the damage and b) the way the damage affects the victim.[39] Fine is the penalty for causing of slight damage.

 

According to Criminal Law Chapter 35 Section 2 the perpetrator can be condemned of causing of serious damage if the damage leads to 1) considerable economic damage, 2) for the victim considerable damage, taken his situation into account or 3) considerable damage to property of high historical or cultural value. Thereto shall the causing of damage as a whole be serious (severe?).

 

On the basis of the criminal regulations on causing of damage can the perpetrator be condemned to fine or maximum 4 years of prison. The penalty selection can be conceived as rather severe i.e. in normal cases also sufficient for virus damages from the threat of penalty point of view.

 

In the CL Chapter 35 Section 5 is included a limiting regulation, according to which the sections of chapter 35 CL are only applicable when there is no as severe or more severe penalty for the crime statuted in the law.

 

2.1.3. Right of prosecution and waive of action

 

a) Causing of damage and b) causing of slight damage are plaintiff crimes when the object of crime has only consisted of private property. A public prosecutor can then not prosecute if the plaintiff does not notify the crime to prosecution.

In the CL Chapter 35 Section 7 is included a regulation on the waiving of action

concerning causing of damage and causing of slight damage, which can be applicable when a) the perpetrator has compensated the damages and b) the compensation of damages is seen as a sufficient sanction.

 

 

2.2. Crimes causing public danger

 

In the law package of the second phase of the reform of criminal law that came into force on 1.9.1995 are there such new regulations that in some cases will make the threats of penalty considerably more severe for an intentional and culpable dissemination of computer viruses. It is a matter of the criminal regulations on sabotage and causing of public danger.

 

2.2.1. Sabotage

 

The basic form of crimes causing public danger is the regulation on sabotage (CL 34: 1). Sabotage does not prerequisite that the damage is realized. It is sufficient that a state of public danger occurs in order to fill the criteria. Sabotage is an endangering crime and not an effect crime.

 

By disseminating computer viruses all the modes of action of the criteria for sabotage can not be filled. At issue comes particularly the section in CL Chapter 34 Section 1 paragraph 2. The mode of action of the crime is expressed on a general level but the way it is directed and the ways it is manifested are defined more specifically. The objects that are endangered are important activities for the society.

 

On the basis of CL 34: 1, 2 can a person who by unlawfully infringing the a) production b) distribution or c) information system seriously endangers the 1) energy supply, 2) public health care, 3) national defence, 4) judicial system or 5) other of societal importance comparable activity.

 

The “information system” expressed in the Section may be based on automatic processing of information. The production system can be e.g. a system of automatic production. The criterion “by infringing” is rather open. It does not give a clear guideline about the criminal modes of action. In the criteria are included various modes of causing damage. Following the Government proposal the information or other system has not evidently be caused damage to. It is sufficient with causing disruptions to the system e.g. causing an interruption.[40] The criteria do thus extensively cover damages and endangering situations caused by a computer virus.

 

In the criteria by “serious danger” is meant concrete danger, i.e. the probability that the damage is going to occur ought to be high. The serious danger does also have to be of significance. According to the motives in the law proposal does the word “serious” refer both to the probability of the danger and to its extent.[41] Many computer viruses cause “serious danger” when they are disseminated in an information system, as the regulation prerequisites.

 

In the criteria the explicitly mentioned societal activities worth protection (energy supply, health care, national defence and judicial system) are legitimate objects of protection. Thereto does the regulation include “other activities that are of societal importance” which leaves it open for the interpreter of the law to consider what is to be conceived as such. In the motives of the Government proposal as an example was mentioned causing of such a disruption of the national economy that would lead to substantial insecurity in the income and physical conditions of the people.[42] The expression is rather “vague”,[43] while examples on a more concrete level can be the protection of the computer system of the police or the protecting visiting foreign leaders. From the point of view of virus danger can the national data system of Kela and the taxation authority also be seen as comparable to the other societal important activities. Thereto the national data systems of the banks can be included in this group.

 

In the Government proposal it was seen that the damage to communication mentioned in the CL Chapter 34 Section 2 does not comprise data communication while it is statuted in CL Chapter 38 on data (information) crimes.[44] Concerning damage caused by computer viruses can the disturbance of data communication in CL Chapter 38

Section 5 be at issue.

 

For sabotage is also statuted a qualified mode of action. The penalty of serious sabotage (CL 34: 3) is condemned when the sabotage causes threatening danger from the point of view of the duration and extent of the danger to some societal important activity or particularly serious danger of some other cause. In addition to this motive of qualification the crime has to be also serious as a whole. A virus that has come in a national data system may cause serious danger and the cleaning actions and recovering works of the damaged data may lead to durable damage.

The criminal scales of sabotage stretch from 4 months to 10 years in prison. Sabotage and serious sabotage are criminal actions. After the reform of the regulations on sabotage it is difficult to proportionally increase the severity of the threat of penalty

for intentional dissemination of computer viruses.

 

2.2.2. Causing of public danger

 

Sabotage is criminal only as intentional. In the Government proposal was seen that culpable public dangerous crimes can not be left without criminalization due to their condemnity.[45] Consequently the law includes a section on causing of public danger (CL 34: 7). 

 

In order that the criteria is to be filled it is required that the perpetrator does a) intentionally or b) carelessly an action of e.g. 1) sabotage in CL 34: 1 or 2) serious sabotage in CL 34: 2 which culpably causes a danger mentioned in the Sections. Causing of danger does thus happen by carelessness or by not being cautious enough. The mode of action as such, i.e. the first part of the action may be intentional. For instance a virus is infecting a PC, from which the virus (e.g. a worm) reaches the data network and disseminates to other data systems.     

 

 In CL Chapter 34 Section 7 paragraph 3 is included a regulation on waiving of action, which renders it possible for the perpetrator to avoid a penalty. It is a bait to avert the consequences of the crime. A person causing a public danger may benefit from this if he by his own activity removes the danger before considerable damage occurs. Under these circumstances the prosecutor may choose not to prosecute or the court not to penalize.

 

A regulation on qualified mode of action concerning causing of serious public danger is included in CL Chapter 34 Section 8. The motive for qualification is filled when serious mortal or injurious danger is caused to a large amount of people. Thereto it is required that the crime as a whole is serious. When judging the degree of culpability is of relevance. The motive for qualification has been seen as emphasizing the effect of the crime while the decisive is the danger caused and not the degree of culpability.[46]

 

In CL Chapter 34 Section 9 is by way of exception included a criminalization of the preparation of a crime of public danger. A person who has dangerous equipments or materials as to commit a crime according to CL 34: 1-5 is guilty of such a crime.

 

In the preparatory work of the law attention was not paid to the matter whether this criminalization of the preparation could be applied on holding a computer virus with the intention to cause sabotage.[47]

 

The question is here whether computer virus can be seen as dangerous equipment or material. The terminology of the section renders a positive answer possible. A computer virus can be seen as dangerous equipment or material as mentioned in the criteria.[48]

 

The problems in this matter are related to the prevailing tradition of interpretation. As a classical example the question whether “electricity” in the section on theft is an article or personal (estate), can be mentioned.[49] The matter was seen as so problematic even after the first phase of the reform of the CL that the regulation on definition in CL Chapter 28 Section 12 did not include a regulation on electricity. According to this section that what is statuted in the sections on theft on personal (estate) property is also applied on electricity. Fundamentally the question was about ignorance of physics. That is, it was ignored that electricity consists of electrons, which are material. To the same tradition of “materialized” interpretation belongs the judgment of the Supreme Court KKO 1985 II 60, were it was seen that a file stored electronically, magnetically or in some other way to an invisible form into the memory of the computer was not a “document”. The use of the expression “invisible form” is a sign of deficient knowledge about information technology.[50]

 

If such material that is not visible and touchable is accepted in the meaning of “materia” in the law then the regulation in CL 34: 9 can also be applied on holding a computer virus with the intention to cause sabotage. A program stored on a disk can be an example in this case. The outer layer of the disk does mostly consist of magnetic material in which the program at issue is stored. The program is stored in accordance with the binary system in 0 – and 1 bits.  The direction of the magnetization reveals which of the bits it is.[51]

 

2.3. Unlawful use and data burglary

 

Before the first phase of the reform of CL came into force it was seen in legal practice that the Section in CL 38: 6, 1 on unlawful use of other´s property could not be applied on use of computer on distance through telephone wires and modems.[52] There was a clear loophole in the law.

 

Due to cases on hackers the section in CL on unlawful use was changed in the way that the use is to be criminal irrespective of whether the property is when taken in use 1) in the holding of the perpetrator or 2) in the holding of someone else. The criminality of the act does not prerequisite anymore a physical holding of the computer. It is thus a matter of an intentional expand of the criminality of the act. When statuing the law the intention was that the section covers unlawful use on distance (hacker) i.e  encroachment in some other data system and unlawful use of its equipments through a) modems or telephone wires or b) data communication networks.[53]

2.3.1. Unlawful use

 

Following CL 28: 7 a person who unlawfully uses the 1) personal (estate) property or 2) fixed machine or equipment of another person is guilty of unlawful use.

 

 The object of the crime can be what ever estate article. Concerning a fixed machine or equipment does it not matter whether the machine or equipment in question are from civil law point of view a) personal (estate) property or b) belong to fixed property as a part. A computer can be an object of unlawful use irrespective of whether it is situated on a table or permanently fasten in the floor of the building. The use can be unlawful irrespective of whether the property of another person is used a) in accordance with its purpose or b) in some other way.[54] The intention of the perpetrator to benefit from the use does not belong to the prerequisites of the criminality of unlawful use. The unlawful user does not have to strive for benefit and it is not required that the use should benefit him.

 

The criteria of unlawful use are purposely statuted widely. The criteria are filled in an early stage in e.g. use by distance. To encroach in another data system requires passing of the identification control either by using a user name of some other person or by breaking the security system. Some program , of which orders required for its functioning occur in the processor of the computer, handles the identification control. Solely to pass the identification requires use of the processor of the computer, i.e. use of other´s personal property or machine or equipment. It is an unlawful use of the computer of another person even if the encroachment through the identification control into the data system in the computer would not succeed. When trying to pass the identification control orders are given that the processor of the computer executes.

 

The section on unlawful use can be applied on dissemination of computer viruses for instance when the disseminator unlawfully uses the computer of another person or the data system in order to infect it with a virus e.g. by storing a virus program into the memory space of the computer. The point of departure can be that it is criminal to use a computer in order to cause a virus infection. Following common sense one can not presume that the owner or the holder of a computer or data system would give his consent to a virus infection. The disseminator of the virus is guilty of unlawful use if he can not prove that he has had the owner´s or holder´s consent in advance to execute virus tests in the computer.[55] The penalty for unlawful use is fine or prison up to 1 year.

 

Attempt of unlawful use is also criminalized. It is a matter of widening the criminalization field.[56]  In the law literature the conception has been that the criteria of unlawful use are filled when the use of the property has begun. It is an issue of a criminalized attempt in that stage when the encroachment of the protection that hinders unlawful use has begun.[57]

 

In CL Chapter 28 Section 8 is included a section on serious unlawful use. The motives of qualification for this section are filled when a) by unlawful use is 1) striven for considerable economic benefit or 2) cause the victim of the crime considerable damage or detriment taken his conditions into account and b) the unlawful use is serious as a whole. The considerable damage mentioned in the motives for qualification may be caused by unlawful use of a computer.[58] For serious unlawful use the penalty can be prison up to 2 years.

 

A section in CL on slight unlawful use is included in CL 28: 9. It can be applied when the unlawful use is slight as a whole. According to the law the motive for privilege is that the unlawful use does not cause considerable damage or detriment. In the judgment also other matters relating to the crime, like that the unlawful user has had just before the criminal action right to use the property, are paid regard to.[59]

 

Fine is the only penalty for slight unlawful use. The attempt of this privileged mode of action is not criminal.[60]

 

 

2.3.2. Data burglary

 

The criminalizing of data burglary is an attempt to protect data systems against encroachments from outside i.e. to secure “computer peace”.

 

From the viewpoint of dissemination of computer virus is only the criterion in CL 38: 8, 1 of relevance that concerns encroachment in a data system. In this section a person can be guilty of encroachment in a data system when he a) uses user names not belonging to him or b) by unlawfully breaking the security control encroaches into 1) the data system where data is electronically or in some other corresponding way processed, stored or transmitted, or 2) a specifically protected part of such a system.

 

In the criteria two modes of “encroachment” are mentioned:

1)      by using user names not belonging to him  and

2)      by breaking the security control .

The common element of these modes of action is that the user control or security control is passed in an unlawful manner. That is, a manner that the holder of the data system does not approve of. Likewise it is with the criterion “unlawfully”.

 

Programmers often have left a so called back door to the program which can be used in emergency situations to pass the security system. It is questionable whether the criterion “break” covers unlawful use of such a “back door”.

 

In the motives for the Government proposal it is stated that encroachment per se is not unlawful when it occurs with the consent of the original holder of the user name.[61] This conception can be criticized. By criminalizing data burglary the data systems are protected and not only the holder of the user name. Many holders of data systems demand in their user requirements that the user name and the pass word may not be given to someone else. It is a matter of security arrangements, while the handing over of these is a security risk comparable to the handing over of normal keys. To use the pass word of another person is “unlawful”, when the holder of the data system has forbidden it.

 

The concept of data system has been conceived of in a broad sense in data burglaries. By it is meant both automatic data processing and data communication (like data transmission).

 

Data burglary is criminal only when intentional. The encroacher has to be aware of that he is encroaching into a data system or into a part of it unlawfully. In order that the action is criminal it is not required that the encroachment into the data system is done with some particular intention.[62]

 

The criteria of data burglary is filled immediately when an unlawful pass of the identification control has been done or when an unlawful use of the pass word of another person has given entrance into the system. In order that the crime is fulfilled it is required of the many- phased security system that also the last phase is passed. Before that phase it is a matter of attempt of data burglary. The fulfillment of the criterion does not require that the encroacher uses data or programs in the data system in some way or other.

 

The penalty for data burglary is fine or up to 1 year in prison. Also an attempt to data burglary is a criminal action. Data burglary is also a plaintiff crime.[63]

 

 

 

 

 

 

2.3.3. The concurrence between unlawful use and data burglary

 

Dissemination of viruses occurs by unlawful encroachment into a data system, which does require unlawful use of the system. The criteria of both data burglary (CL 38: 8) and unlawful use (CL 28: 7) are thus filled. An attempt of both crimes starts when the encroacher has begun to break the security arrangements or use the pass word of some other person.

 

According to CL Chapter 38 Section 8 paragraph 4 the regulation  on data burglary is only applied when there are no more severe or as severe penalty statuted in the law.

 

Due to this subsidiary clause the regulation on unlawful use (CL 28: 7) does mostly set aside the regulation on data burglary (CL 38: 8) while the penalties for these crimes are as severe. The attempt of unlawful use is not criminal and in such circumstances the criteria on data burglary are not set aside. Likewise it is in a situation where the unlawful use is conceived as slight. Concerning dissemination of data viruses the unlawful use is generally not to be seen as slight due to the danger and damage that can be caused.[64] The field of application for data burglary is rather narrow due to the broad criminality of unlawful use.[65]

 

The problems of interpretation concerning the relation between unlawful use and data burglary are due to that it is unclear what is meant by “use” in CL 28: 7. Mainly the problems are due to that there has been a requirement on beneficial use concerning unlawful use, despite there being no requirements on getting benefit or intention to benefit in the criteria. The basic elements of unlawful use do not comprise that the perpetrator ought to benefit from the use.[66]

 

The motives for the Government proposal state on data burglary that by “use” in CL 28: 7 is meant a) use of data in data systems and b) a general use of data systems in some manner characteristic for it.  Despite this it was seen in the motives that a) encroachment in a data system and b) starting up the user system would not be seen as “use”.[67]

 

These statements can be criticized. They do not give a clear answer to what is to be seen as “use” of a computer or a data system.  In order to get a distinction line in the matter an analysis is needed.[68]

 

In simplicity the use of a computer and its data is displaying of data from files on the screen, e.g. by using the DIR – order. This is use of the DOS – user system. In other words the user gives an order with the key board and the processor conducts it. The result is seen on the screen

 

This action can be compared to encroachment into a data system and to what occurs in such a situation.

 

It is a matter of encroachment when there is an identification control of the user in the system. To pass the identification control by e.g. unlawfully using the pass word of another requires first that the user name and then that the pass word are written with the key board and then sent to be checked by the identification system by using the Enter – key or by clicking OK. The orders required for the identification program are conducted by the processor of the computer. The encroacher has to use the data system in a manner characteristic for it. He uses both the key board of the computer and due to the order he gives also the processor and the screen. Thus that what the encroacher “uses” is “personal (estate) property” or “equipment” in the sense meant in CL 28: 7. To pass the identification control is a more complicated operation than to display the file lists on the screen. From an information technological point of view it is not motivated that passing of the identification control would not be seen as “use” of the computer.[69]

 

What is common for the two operations discussed? In both operations the user gives an order by using the keyboard to the processor which ten conducts the measures required. The results are displayed on the screen. In both situations the computer is used in a manner that is characteristic for it. From an information technological point of view it is not motivated to set the operations in different positions concerning “use”.

 

The matter should also be seen from the point of view of use by distance where the user does not use the key board of the distant machine.

 

Computers can only be in connection with each other with such a data communication program that functions according to the same protocol.[70] In other words encroachment into another data system is not possible without that the computer that upholds the distance system is utilized, i.e. the data communication program in the distance computer, whose orders required for operation are conducted in the processor of the distance computer. To encroach in the data system requires use of the distant computer, i.e. use of the service computer of the data communication system or its data communication program and use of its user system and the processor that conducts the orders. In other cases an “encroachment” would not be possible. The processor of the distant computer is a personal (estate) property or a fixed machine or a part of a machine in the meaning stated in CL 28: 7.

 

Use by distance is not only a matter of using data communication programs if there is an identification control of the users in the distant system. In order to pass such a control the pass words have to be written and given to be conducted by the identification program. The orders required for this program are conducted by the processor of the distant computer.

 

The criteria of unlawful use are filled already in the stage when orders for connection are given from the users own computer to the distant computer, to which the user has no user right. The distant computer is used unlawfully even if the encroachment through the identification control to the data system would not succeed. In the attempt to break the identification control orders are given which are conducted by the processor of the distant computer.

Encroachment means passing of the identification control either by using the pass word of another or by breaking the security arrangements in some other way. The identification control is handled by some program whose orders required for its functioning are conducted by the processor. Thus solely the passing of the identification control requires use of a personal (estate) property, machine or equipment belonging to another person. When encroaching into such a data system the criteria for both unlawful use and data burglary are filled. Due to the subsidiary clause the regulation on unlawful use is to be applied.

 

When statuing the regulation on unlawful use (CL 28: 7) there were no such limitations set for the field of application of the criteria that it would only concern so called beneficial use. In the first phase of the reform of CL the criteria for unlawful use was intentionally statued broadly in order that it would cover the operations of hackers.   Due to this the criteria of unlawful use are filled in an early stage in e.g. use by distance. The conceptions mentioned about “beneficial use” in connection with data burglary are so called statuing with motives in order to form an independent field of application to the criteria of data burglary. Such conceptions are difficult to understand from an information technology point of view.[71]

 

Earlier where such situations problematic where a computer virus was disseminated into another data system with the desk or e-mail of the user, while the criteria for neither unlawful use nor data burglary were filled. These situations were thus unsatisfying from the point of view of the covering of the criminal legal threat of penalty in case the virus was found and destroyed before having caused damage. Even the criteria for causing damage were then not filled. In other words if the object of the crime used his virus resistance program properly, he would at the same had hindered the criminality of the action of the virus disseminator, in case it was not a matter of sabotage.[72]

 

 

 

 

2.4. Causing of danger to data processing

 

During the latest years there has been an intense discussion on an international level on the criminalization of the creation and dissemination of computer viruses. In media there has occurred lots of information about the damages and the dangers that computer viruses cause. The information that media has delivered has in some cases resulted in a form of hysteria when e.g. told about viruses that are activated on a specific day. Such kind of information has increased the demands on criminalization.

 

 

2.4.1. Demands on criminalization

 

In the criminal political discussion has it been put forward that the creation and dissemination of computer viruses should be specifically criminalized. To criminalize the creation would mean that the creation of the dissemination of computer viruses causing damage would be criminalized. To criminalize the creation of a crime is unusual. There are practical problems of application connected to the criminalization of the creation. Due to this the criminalization has been opposed. It may be objectively hard to distinguish between a perpetrator that creates computer viruses in order to disseminate them and a person who only for the sake of virus resistance examines viruses or who is unaware that his computer or data equipment has been infected with a virus. Due to these problems there are specific regulations or law proposals on creation in very few countries.[73]

 

In Finland there were large reforms of parts of the criminal law in the 1990´s. The total reform of the criminal law comes into force phase by phase.[74] In the second phase of the reform standpoints were taken on the criminalization of creation and dissemination of computer viruses. It was not seen as necessary to specifically state that dissemination of computer viruses is a criminal mode of action.[75] This opinion was due to that sections statuted were seen as covering well the dissemination of computer viruses. The opinion was also influenced by the fact that no such proposal was included in the recommendations on criminalization  (No R (89) 9) by the computer crime committee of the European Council. The recommendations had been approved of in the committee of ministers of the European Council in the autumn 1989. According to the opinion of the law committee of the Parliament data processing should first be protected by technical means and other solutions that fosters the data security. Following the law committee the criminalization of creation and dissemination of computer viruses should be reconsidered if the methods used are insufficient.[76]

 

In the Finnish Ministry of Justice and in the Parliament the opinion was negative towards a specific criminalization of the creation and dissemination of computer viruses in 1994.  The opinion changed in three years. The first government proposal on criminalization was given to Parliament in 1997.[77] The Parliament did not manage to discuss the proposal during its term. A proposal with a similar content was given again on 7.5.1999.[78] The Parliament prepared the matter promptly. The law proposal was approved of in Parliament 28.9.1999 as unchanged.[79] In the report of the law committee the law proposal was criticized in a severe way.[80]

 

 

2.4.2. New criminalizations in Finland

 

In the CL 34: 9a is included a new section (951/999, where a) the creation and dissemination of computer viruses and b) the making available of and dissemination of directives on creation of computer viruses are criminalized. The name of the new criteria is causing of danger to data processing.

 

2.4.2.1. Basic concepts and systematization

 

In the reform of the CL the intention was to define such concepts that were conceived as giving room for interpretation. This mode of action was not conducted in the specific criminalization of computer virus. There is no specific definition of computer virus in the law. This standpoint was taken despite that the concept computer virus has been used in other cases than in English literature in Finland.[81]

 

In the motives of the law proposal the definition of computer virus is though presented. Following the law proposal by computer virus is meant such a) computer program or b) range of program orders that is planned to 1) cause damage to the processing of data or to the operations of data or tele-systems or 2) damage data or programs in such a system.[82] This definition of computer virus is also included in CL 34: 9a.

 

In the new criteria the basic information technological concepts are used like: processing of data, data system and tele system. These are not defined in the law but in the motives they are specified. Processing of data is used in a broad sense and meant all processing and transmission of data with information technology.[83] Concerning the concepts of data and tele systems it is referred to the motives for the second phase of the reform of CL. By data system is meant such a system where data is processed, stored or transmitted electronically or in some technically corresponding way. By data system is meant both a network of information processing and transmitting equipments, as Internet, and system within an individual computer.[84] The concept tele system is used as a synonym to tele-network. The matter is of the network that transmits the data processed in the data system. Tele-network is defined as an entity consisting of cables, wires and other tele-equipments, where messages can be transmitted with electro-magnetic waves. A tele-network can consist of both a network of telephones and data communication within an organization and of international networks.[85]

 

The criteria are divided in two parts: the first part concerns the creation and dissemination of computer viruses. The second part concerns directives for creating a computer virus. The prerequisite for both of the crimes is that the crimes are done with the intention to cause damage.

 

 

2.4.2.2. Creation and dissemination of computer viruses

 

 According to the first clause of the criteria the one who 1) creates, 2) makes available or 3) disseminates such a computer program or range of program orders, that is planned to a) cause danger to data processing or operations of data- and tele-systems or b) damage data or programs in such a system guilty of charge.

 

In the criteria three modes of action are mentioned: 1) creation, 2) making available and 3) dissemination. The terms describing these modes of action are rather open i.e. they are normative concepts. Due to this, the motives of the law proposal explain what is to be meant by them. By creation is meant the writing of a new program or the changing of an existing program to a virus program. By making available is meant making a virus program available to be copied by the public in a data network. An example of a typical mode of dissemination is a use of an infected disk in a computer.[86]

 

In order that the criteria is to be filled it is required that the virus program (program or range of program orders) is planned to cause danger or damage. To create, make available and disseminate such a program is a criminal action. The criminality of the action does not prerequisite that a) the action factually has caused concrete damage to data processing or the operations of the system or b) that the data or programs of the system have been damaged. In practice doest this mean that the creator of a computer virus can be seen as liable if there is found a virus created by him in his computer. The virus does not have to be disseminated but planned to cause danger or damage to the targets mentioned. Likewise the virus creator or disseminator may be penalized if there is found a computer virus disseminated to another data system that has not yet been activated and caused danger or damage.

 

By the criteria “planned to cause danger” to the processing of data or operations of the system is meant e.g. that an activated virus could a) shut off the operations of the system totally or partly or b) alter the operations of the system. To alter the operations of the system could be that the system would produce other kind of information than what it is intended to. To cause danger to the system could also be that a virus infected on the hardware of the computer takes up disk space and slows down the operations of the computer. By causing damage to data or programs in the system is meant that the computer virus affects the integrity of the data processing if e.g. it affects the credibility of the stored data. To the same category belongs destroying of data or programs.

 

 

2.4.2.3. Creation advices

 

In the motives to the law proposal it was seen that the making available of or the dissemination of advices how to create a computer virus are comparable to the making available or dissemination of an existing virus. Due to this also the making available of and dissemination of advices how to create a computer virus were criminalized. The creation of and advice was not criminalized while the creation of an advice does not cause same kind of danger as the creation of a computer virus. This difference is motivated by that an advice can not disseminate by itself in the same manner as a completed/ready program.[87]

 

Following the second clause of the criteria the one is penalized who a) makes available or b) disseminates a virus program, i.e. advices how to create a computer program or range of program orders mentioned in the first clause of the criteria.

By an advice is meant such a precise advice that a person that only has small knowledge in data processing on the basis of it may create a virus. Dissemination may occur by technological means as well as e.g. by typing.

 

 

2.4.2.4. Intention to cause damage

 

The action described in the criteria is criminalized only when the perpetrator has acted as to cause damage to the processing of data or to the operations of data-or tele-systems, i.e. with an intention to cause damage. It is a question of a subjective criterion. The criterion includes a requirement on intentionality. The intention to cause damage is also included in the criteria “a computer program that is planned to cause danger or damage”.

 

The most important with the including of the intention to cause damage is that by including it some situations are excluded from the criminality. For instance a person who is good at information technology and wants to test his programming skills by creating a virus program without an intention to disseminate the virus beyond his own computer. Another example could be a case where a dangerous and damaging element in the meaning of the criteria emerges in a program without the creator being aware of it.

 

It is criminal to create a virus program only when the creator has originally planned the virus to cause damage to processing of data or to data systems. The virus program has to be created precisely for that purpose and the creator has to be aware of it. The requirement on intentionality does not evidently prerequisite intention to disseminate. In cases of dissemination of virus programs the creator has to be aware of the existence of the virus and understand that the dissemination of the virus is a consequence of his action.

 

By damage is meant causing of danger and damage, mentioned in the criteria.  By damage in the law proposal is meant 1) direct damage, e.g. destroying or altering of files, and 2) all kind of action that affects the operations of the data-or tele-system in such a way that it infringes the right of the holder or the user of the system to use the system (so called data/information processing peace). An example of such a damage could be a) that the operation of the system slows down due to the virus or b) that the disk space that the virus has taken can not be utilized by the one who has the right to use the system.[88]

 

 

2.4.2.5. The criminal section and subsidiarity

 

The penalty for causing of danger to the processing of data is fine or up to two years in prison

 

The criminal section in CL 34: 9a can be applied only when there is no more severe or as severe penalty in the law.

 

This section on subsidiarity means that the section on causing of danger to the processing of data is set aside by the following sections, when the criteria are filled:

 

1)      the causing of serious damage in CL 35: 2 which may concern e.g. destroying or destructing of stored data. Both the section on causing of danger to the processing of data and the section on data damage will though be applied when the damage caused by the disseminator is not seen as serious.[89] Both of the crimes will then be penalized with a common penalty according to CL Chapter 7.

2)      Sabotage in CL 34: 1, 2, that belongs to  crimes causing public danger, may come at issue when the question is about unlawful encroachment in the operations of a data system that would result in serious danger to some societal important activity, as e.g. energy supply.

3)      Deception of data processing in CL 36: 1, 2, that is a deception crime.

4)      Disturbance of data communication in CL 38: 5 and[90]

5)      Serious unlawful use in CL 28: 8 if the dissemination of the virus occurs by encroaching in a data system and using it unlawfully.[91]

2.4.2.6. Conclusions

 

There was a total reform of the Criminal Law in Finland in the 1990´s. The reform to place phase by phase i.e. by large reforms of parts of the law. The first phase came into force 1.1.1991. In this connection the most important sections on computer crimes were reformed. These sections did primarily relate to property. The second phase came into force 1.9.1995. This reform included other computer crimes of central importance, like the data and communication crimes in CL Chapter 38. The preparatory work was fundamentally done. Regard was paid to international recommendations on criminalization. In connection with these reforms the Criminal Law was completed in order that the criteria would cover as good as possible the computer crimes known. But the preparatory work for these reforms was primarily done in the 1980´s. Due to this the reforms do not take regard to the problems that Internet brings about in a way that could be expected. The commercial use of Internet started in 1994. In the second part of the 1990´s the legislators have had to phase criminal problems that Internet cause. The dissemination of computer viruses through Internet has forced the legislators to reconsider a completion of the criminal law.

 

The criminalization of the creation of viruses is not simple from a criminal political view. The legal political problems particularly relate to the legal security of the suspect. The criteria have to be precise enough as to guarantee legal security. The criminalization of the creation, the making available of and the dissemination of a computer virus has been criticized for that the concepts used in the criteria did not fill the requirement on specificity in a sufficient way. This special reform was though driven through too quickly and on the basis of a preparatory work that was not evidently completed. The motives of the law proposal included tendentious characteristics. In the motives of the law proposal it was stated that the amount of known viruses is about 12 000 in 1997. In the proposal of 1999 had the amount increased to 40 000.[92] This increase was larger than the international enterprises that produce virus resistance programs could tell.

 

In the motives of the law proposal it was stated that criminalisations of the creation and dissemination of computer viruses existed in five states: The Netherlands, Italy, Switzerland, Russia and Great Britain. Following the law proposal criminalisations had been prepared in two states: Sweden and Germany.[93] Future case law will show how well Finland has succeeded.