Ecyrd pointed out that the Finnish Parliament has ratified an amendment making viruses illegal. It's actually not just illegal to use them - distributing them is illegal as well. The most interesting part of the legislation is that apparently it isn't just using them - writing them is also a crime.
  • 1) Yes, distributing a virus to unknowing recipients should be illegal. But shouldn't this already be covered under civil suits, electronic sabotage, etc.? I don't know the Finnish law, but it seems as though this sort of legislation should be redundant. It certainly would be here - we didn't need a new federal law to lock up Mr. Melissa. 2) Banning the _writing_ of a virus? Come on now. I bet you that the average Finnish legislator probably couldn't give you an adequate definition of what is and what is not a virus. I wrote many MS-DOS viruses in my high school days - gave a few to a VX BBS (which I regret now - I explicitly labeled them as viruses, and naively thought they would only be in the hands of the "responsible"), but most of them were just personal creations I made for the fun of it, and never distributed to anyone. Banning the writing of any computer program is simply absurd. Of course, all (or most) of us know this. But how can we communicate it to a legislature, and to the general public which elects them?
    Ed Cummings (Bernie S.) has been in prison since the spring of 1995 and is the first person to have been imprisoned without bail for something as harmless as possession of a modified Radio Shack tone dialer. He is also being charged with possession of a computer (no joke) and software which could be used to modify a cellular phone. This case is significant in that if successful in prosecuting him, the government would be able to prosecute almost any one of us because the tones and the information in his possession are very easy to get ahold of.
    This is 2600's interpretation. Text from the indictment:
    VIOLATIONS: 18 U.S.C. S1029(a)(5) (Possession of modified telecommunication instruments - 2 counts) 18 U.S.C. S1029(a)(6) (Possession of hardware and software used for altering telecommunications instruments - 1 count)


    On or about March 15, 1995, at Villanova, in the Eastern District of Pennsylvania, defendant EDWARD E. CUMMINGS, knowingly and with intent to defraud did possess and have custody and control of hardware and software, that is an IBM "Think Pad" laptop computer and computer disks, used for altering and modifying telecommunications instruments to obtain unauthorized access to telecommunications service. In violation of Title 18, United States Code, Section 1029(a)(6).

    What software that was isn't clear:
    The government had found data on a commercial diskette in Bernie S.'s possession which they say was related to cellular fraud in California. While Bernie says he has no idea what it is they're referring to, the odds of a jury being able to understand how someone could have a diskette and not be held accountable for every bit of data on it seemed uncomfortably slim.

  • Microsoft has declared that BackOrifice 2000 (BO2K) is a virus and I guess most anti virus programs have updated their definitions accordingly.

    The authors of BO2K on the other hand have clearly stated their intention to provide a system management tool. They even point out the potential danger when not properly handled and when combined with the security hole provided by the MS-Word macro language.

    The question is who decides. Maybe now big companies like Microsoft have one more weapon to crush small competitors writing power tools.

    The Government's proposal is available on the Parliament's WWW site: click here. The URL is monstrous, and I'm afraid it may not be valid forever. However, if you speak Finnish, you should be able to find it by the code "HE 4/1999", or simply by searching for the text "virus".

    Since Finnish is not yet one of the major languages of the world, here's my translation of the relevant section of the new law. I'm not a lawyer or a professional translator, and I'm especially ignorant of English legalese--my apologies for the inevitable errors here. Also, this is only the version proposed by the Government, and the law that was actually approved may be different.

    Endangering data processing

    Who, with intent to harm data processing or the functioning of a data or telecommunications system,

    1) produces or makes available a computer program or a series of program commands designed to endanger data processing or the functioning of a data or telecommunications system or to damage the data or programs included in such a system, or distributes such a computer program or series of program commands, or

    2) makes available instructions to produce a computer program or a series of program commands that paragraph 1 applies to, or distributes such instructions,

    must be sentenced, unless the act is punishable more or equally severely by other law, of endangering data processing to a fine or at most two years of imprisonment.

    Malicious intent is the most important point; the program can be anything harmful, not just a virus in the technical sense. Also, a guide to writing viruses will qualify.
  • Depending on how they defined virus this law comes awfully close to saying that certain ideas are illegal. Remember that a source for an encryption program was ruled protected speech here in the US, so this law would fall under prior restraint here.

    Once again, legislators try to prohibit ideas and information, instead of making their irresponsible or malicious use illegal.

    This assumes that no beneficial use for viruses will ever be found -- e.g. security patches that automatically spread and install themselves, or techniques similar to vaccinations where benign viruses are spread to train computer immune systems to attack damaging ones. Not a real issue today, but do we want to assume that it will *never* be an issue?
  • What they are saying is that whether you knowingly or unknowingly distribute a file with a virus you are liable for the damage that it causes.

    Through college I worked my way out of the MIS department of a large company (and into research with another). Most of the people there were computer capable, but not literate. They didn't understand scanning drives, they didn't understand what infected files were and ultimately, they didn't care - until it affected them. It took us almost a year in one case to clean the entire system (child companies in the SW and overseas provided additional problems). We would clean the servers, and then boom, once again the same files would appear as infected as before. We had to go to over 400 PCs at our location, 600 about 30 miles away, and create simplistic documentation for several other plants, offices and hundreds of field reps to follow. Old virus software detected the problem, informed people of the potential hazards, but because these things were deemed "mission critical," people stupidly continued to distribute them, download them, work with them, etc...

    Blatantly ignoring a problem nearly crippled our company. Even though the people were uneducated about viruses, they made no effort to report problems, viewing this problem as one that would just "go away," like a cold or the flu...

    It is vitally important (especially the way the internet is expanding) that people make an effort to take responsibility in cleaning their files, machines and so on.
    Wow! I hope they mean INTENTIONALLY transmitting them is illegal...

    Otherwise, over 50% of my company will be arrested...! (not me, of course...)
  • AC said: And I'm interested in nitro-glycerin and fertilizer bombs. Does that mean I should be able to play with them?

    Yes, it does. If everybody who wants to play with explosives, weapons, and other dangerous things do, then they won't live to reproduce and spread their idiocy through the gene pool. That's why I'm against gun control, but don't wish to own a gun.

  • by Ray Dassen ( 3291 ) on Thursday September 23, 1999 @04:22AM (#1664921)
    Isn't this something for YRO? While I despise virus writers as much as the next guy, I find the idea of being forbidden to code something in the privacy of your own system very chilling, in the order of suppressing knowledge/censorship/dystopia.
  • How will they enforce this law? How will they track down the virus writer?
    Some questions for thought.
  • I agree...enforcing many aspects of this law will be very difficult. However, tracking down the virus writer has already proven to be possible, and exciting for the media ... remember the Melissa virus? That guy was tracked down like a dog.

  • How can people be allowed to make laws regarding something they know nothing about? Are politicians being advised by professional programmers or sys admins or anyone else who might understand what's going on? It seems like politicians are not tech heads.
  • "The decisive second reading of the Bill cites the offence as a catch-all "Causing danger to data processing systems". Under the terms of the new law this will be punishable by fines or by prison terms of up to two years. It is hoped to get the amendment into law as quickly as possible."

    Maybe Linus moved to the U.S. because he peered into the future and knew this was coming.. Or, ah, maybe not.. Soo! Is it just me, or could just about any program "cause danger to data processing systems"? Does this thing have a provision for whether or not it was even intentional!? I mean, what if what you have is a program with a bug in it? Even if you didn't mean for the program to have a bug, before you even get it through the debugger you've committed a crime! At least, that's how it appears from that article. If I were Finnish, I'd be moving out of the country or giving up the idea of becoming a programmer. Ha!

  • In Germany writing virii has been illegal for YEARS now. Any activity damaging a computer or data medium is punishable with up to 5 years of jail time.
  • So, is playing core wars now illegal? Sometimes writing malignant programs attempting evolution on one's computer (or network!) is a great way to learn about logic, memory protection, and security. If one cannot experiment in their own room on their computer legally, there will be either secrecy or a bunch of mouse pushers come next decade.
  • First, I think that has already been said, but is worthy of mention again, it will hurt anti-virus companies trying to get copies of the latest virii.

    Second, many people just write virii for fun to test their programming skills. This would be hurtful to the programming community.

    Third, I know the first amendment doesn't apply outside of the US, but, this is still a violation of freedom of speech.

    Fourth, how about the source code to a virus? It in and of itself isn't harmful, you have to compile it and execute it for it to do anything. I guess they actually outlawed the compilation of virii, not writing them.

    Fifth, define `Data Processing Systems'?

    That's my 1/50 of $1.00 US
  • It's not really a long article, folks. Check out this excerpt, and note specifically the last line:

    The law stretches a net to catch those writing, making available, or spreading computer viruses. This effectively means for example that anyone who keeps a virus program on their website that is available for downloading by visitors would become liable under the law. Liability for punishment is not limited to cases in which actual harm or hindrance is caused to data systems, or where the data or files of the infected system are corrupted or destroyed in the process. The intention to harm becomes the primary criteria for bringing charges,

    The AV community WILL NOT BE HARMED by this. They may be put out of business, but even that seems unlikely. "The intention to bring harm is the primary criteria[sic] for bringing charges". Please folks, what Finland is doing isn't really bad for anyone except those Finns who want to do bad bad things with virii!

    This needn't go under YRO, since it is just another way to help slow "cyber crime" in Finland. Note also that downloadable code is just as bad, so don't put links to files. As long as you're an innocent, you're fine. Pleeeaaase read the clears everything up.

  • by Lucius Lucanius ( 61758 ) on Thursday September 23, 1999 @05:20AM (#1664937)
    HELSINKI (Reuters).

    In a surprise move, an arrest warrant was issued by the Finnish police to capture Linus Torvalds under the nation's new "anti virus" law.

    "The law states that any program that causes danger to data processing systems and is freely available for download by visitors is a virus," said Lt. Hakk Daeta. "The linux kernel poses a danger to Windows, which is a widely used data processing system. Many legal scholars have testified to this. And after Torvalds blatantly put out this virus, millions of PCs have been affected. He must be stopped."

    Meanwhile, rumors persisted that Torvalds was seen on the Jerry Springer show, on an episode titled "My PC is too sexy". A man who appeared on the show wearing a paper bag over his head made the suspicious statement that "I am innocent. I just showed how it must be pronounced. It is lin-nucks, not line-ux."

    Police are still searching.
  • What is wrong with computer virii? They are completely valid, and even subjects for scientific study. They are a learning mechanism also. They are intriguing and pose interesting questions. Will they outlaw genetic algorithms next? Maybe they'll outlaw sex because it is used in porn.
  • This new law raises an interesting topic for debate. Here, we see that the government has banned the production and distribution of "something" that has, traditionally, been used for malicious and/or damaging purposes. Fairly straightforward.

    However, upon closer inspection, we find an inherent flaw - what constitutes the now "illegal" viral code? A somewhat sensible definition of a virus can be found at " []". The key point in any definition seems to be: "A virus is a piece of programming code inserted into other programming to cause some unexpected and, for the victim, usually undesirable event.". Again, decent enough.

    However, what about "software patches"? Upgrade packs, the (in)famous Microsoft "Service Packs", and the like? Generally speaking, the user doesn't really have any clue how, or what, these are doing - beyond "fixing broken things". These patches insert their code into the parent program, usually modify the behaviour of the program in some way, and sometimes result in unexpected results (option removed, feature added, etc..). That's all the criteria of a virus, right there. Should these be illegal also?

    Back to the first point - we see the government trying to protect its people by banning "something" - specifically, in this case, viral code. Why this, and not many of the other "things" that are (primarily) harmful? The obvious selection - firearms. Why not ban guns? Or biological weapons facilities (most industrialized "1st world" companies have them, in some capacity)?

    If we'd like to get a little paranoid/"Evil Future Government" about it, we could go as far as to speculate that the government can (and will) start to ban all manner of things it considers "bad for you". Meat? Cow Milk? Free Speech? Ah, the wonders of Totalitarian government.

    By now, many of you might be thinking "man, this isn't the x-files, our government won't go THAT far". Yes, you're probably right.. of course, you don't code viruses...
    The direct result is that if I download/keep intrusion/exploits on my computer in order to develop security fixes for them or test if my machine is vulnerable I am a criminal.

    False. The proposed law I read (I didn't go looking for the passed law, but I'm assuming it didn't change for worse) specifically and strongly emphasizes malicious intent. Writing and distributing exploit software is allowed as long as you haven't got malicious intent. Even writing and distributing viruses could be considered legal, if the prosecution cannot prove that you had malicious intent (or IRL: if you cannot prove that you didn't have malicious intent when spreading that virus you are considered a criminal you probably are).

    So, let me summarize: you are allowed to do pretty much everything you were allowed to do before this law passed (even write viruses to find out if you can), but as soon as you distribute something that is clearly a virus or malicious program or instructions to write those things, you can pretty much bet on it that unless you can clearly state to the investigating police or the court that you didn't have malicious intent when doing so, you are a criminal as far as the Finnish justice system goes. This may sound harsh, but the truth is that the police won't investigate a thing until something bad happens, so you don't have to worry about the police even if you develop and distribute software that searches for vulnerabilities, as long as you clearly state that the software is for enhancing security, not for compromising it.

    I believe that to find out how this law works in practice, we need a case or two going all the way up to the supreme court. I trust that if/when that happens that Slashdot will be there to tell you stupid Americans how we handle things here in Finland (we handle things the right way, Slashdot just reports them the wrong way (I'm serious)).

    Oh, just to let you know, I think that the passed law is A Good Thing, even though it doesn't allow us to sue a certain William Henry G. for distributing software that obviously is harmful to computers, unless we can prove that he had malicious intent.

    - HoppQ - Now where's that Babelfish for legalese?

    PS. I don't think that all Americans are stupid. Neither are all Finns. Those Americans who name their kids William Henry even though they know for certain that he will end up called Bill are idiots. Bill isn't even a proper name if you ask my opinion (so better not ask).
  • IANAL but unless I am way off, you would have nothing to worry about. The law is directed against the intent to do damage by way of virus, trojan, etc. rather than the mechanism itself. Trojanning to get around a balky OS seems completely acceptable IMHO.
    This summer I was approached by my project leader and told that in order to do the neat little things on our embedded system that we need to do, we have to write a virus (really more like a trojan horse, the details of which I can't discuss, sorry [NDA]). Now, we're the makers of the embedded hardware and the software that runs it. According to this article, I would have been arrested just for doing my job! This also means that Finland cannot purchase any new versions of our product because it intentionally contains a non-destructive trojan horse! How ridiculous is that? Somebody needs to get slap happy with the clue stick. I'm getting tired of bureaucrats making decisions based on a common wealth of ignorance. Just because some program is masquerading as another program does NOT mean that it is malicious in nature. In this case, the trojan horse approach is a saving grace! There would have been no feasible way of doing the same process without tricking the embedded OS into thinking that our program (trojan-horse) was something that it was not. The OS just wasn't designed that way.
  • produces or makes available a computer program or a series of program commands designed to endanger data processing

    Hmm. Could that be a loophole? What about a virus intended merely to spread, not actually to mangle everyone's data - a payload-free virus. Which would generally tend to spread more easily than a malicious one.

    (Of course, many viruses can cause damage without intending to do so, generally because the writer is a bit crap at it.)

    makes available instructions to produce a computer program

    This is, of course, a lot more worrying, as it affects not only the writing of viruses but the writing of anti-virus software. But then, sometimes the AV companies behave at least as dodgily as virus writers. ;-)


  • by arivanov ( 12034 ) on Thursday September 23, 1999 @07:19AM (#1664976)
    The cite does not post the full document. From what is posted it is actually much more reactionary than you expect.

    It looks like the subject is any program that endangers data systems. Ergo this also covers exploits and intrusion software.

    The direct result is that if I download/keep intrusion/exploits on my computer in order to develop security fixes for them or test if my machine is vulnerable I am a criminal.

    This also renders rootshell, and bugtraq illegal for hosting and potentially reading (don't you love netscrape and IE for saving cached copies on your machine ;-) in Finland.

    Overall the information is rather scarce but this seems to be even worse than the recent AU censorship showdown.
    That said, I agree about the intent of the law but must respectfully disagree on its likely effect. "Intent to do harm" is one of the crucial deciding factors. I expect the lawmakers are not entirely clueless and intend to apply this to the person/entity (potentially) being prosecuted, and not just to the virus itself. Even so, the Finnish AV community will have to jump through unaccustomed hoops in order to avoid prosecution.

    How will a Finnish AV researcher make a new virus, or information about a new virus technique, available to other AV researchers and reasonably expect the information will not also be used for harm by anyone at any time? Claiming ignorance may be a good defense for the casual computer user, but how could an AV researcher claim to be ignorant of the potential harm or potential misuse?

    This is very poorly thought out.

    I think all governments would do better to strike laws that regulate non-harmful behavior than to make up laws against behavior that is potentially harmful. Intent is difficult to judge at times. Damage is pretty clear.

    That said, my remaining question is: Was it actually legal there to cause harm not _danger_ to data processing systems. Why did they feel the need to pass this law?
  • I must say that, being a Finn, and having read the original article as well as the legislation proposal in Finnish, you are exactly correct in your interpretation. Seems to me like some 90% or so of the articles for this topic are written based on false assumptions or misunderstanding of what the proposed change to law is about, or actually says.

    I did not read the entire proposal in Finnish, but it has a quite long discussion about viruses and worms and the current state. There is also a mention that the Netherlands, Italy, Switzerland and Russia have existing legislation about viruses or which can be applied to viruses used for malicious purposes.
  • The concept is admirable, but as with so many worthy concepts when the parliamentarians get a hold of things, the end result isn't normally worth a jot.

    The phrase quoted in the article, "Causing danger to data processing systems" - is that too vague to be meaningful or too ill-defined to be useful?

    The trouble with clauses like that is that they have to be very loosely defined otherwise loopholes will appear all over the shop, but by defining things loosely you'll make charges tough to stick. QED.

    When is a virus not a virus? As has been pointed out, anti-virus software might be a little tricky to write. More though, obviously there's an element of intent to this, but we've all written silly mistakes which have had unfortunate repercussions - do they count?

    I'm on (like many other /.ers I imagine) the BUGTRAQ mailing list, while it doesn't distribute virii it does tell you how to replicate potentially damaging security flaws, does having those mails on my system count?

    Nice idea, though, we shouldn't necessarily chastise them too much for trying!
