The Regulation of Virus Research and the Prosecution for Unlawful Research ?
This is a Commentary published on 31 October 1997.
Citation: Kelman A, 'The Regulation of Virus Research and the Prosecution for Unlawful Research ?', Commentary, 1997 (3) The Journal of Information, Law and Technology JILT). <http://elj.warwick.ac.uk/jilt/compcrim/97_3kelm/>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1997_3/kelman1/>
As a staunch defender of Free Speech and the rights of young people to experiment with their lives in recent months I have had to face up to some unpalatable facts - virus writing is evil and cannot be justified in any circumstances. It follows that prosecution of virus writers is something which should be universally accepted as appropriate action. Virus writing needs to be recognised as a criminal act by international conventions and virus writers should always be subject to extradition. Just like murderers and terrorists, virus writers should find no escape across national boundaries. And the investigation of computer viruses needs to be a regulated activity with failure to apply for regulation being a criminal offence.
Getting to this position has not been easy for me. I started from the basis that virus research was essentially neutral - any task in which students learnt about computer programming could have some beneficial consequences. There had to be 'good' viruses as well as bad ones. Skills learnt by a virus author had to be transferable to beneficial activities. But my research showed me that this was naïve liberal hogwash.
Dr Vesselin Bonchev of Frisk Software International has written extensively on viruses and has done useful research at the Virus Test Centre of the University of Hamburg. In 'Are 'Good' Computer Viruses Still a Bad Idea?' he produced a clear analysis of the issues and attempts to set out the circumstances where a 'good' computer virus could be developed and deployed.
Bonchev cited a useful definition by Brian Seborg:
`We define a computer 'virus' as a self-replicating program that can 'infect' other programs by modifying them or their environment such that a call to an 'infected' program implies a call to a possibly evolved, and in most cases, functionally similar copy of the 'virus'.'
Bonchev then went into the technical, ethical, legal and psychological reasons why beneficial viruses cannot easily exist. The technical reasons are lack of control, recognition difficulty (telling a good virus from a bad one), resource wasting (use of disk space, CPU time and memory resources), bug containment (unforeseen actions of a virus), compatibility problems (interaction of virus with other programs) and effectiveness (any task which could be performed by a 'beneficial' virus could also be performed by a non-replicating program). The ethical and legal reasons cited are unauthorised data modification and copyright problems arising from unauthorised modification of programs and data as well as the possibility that an attacker could use a 'good' virus as a means of transportation to penetrate a system. Psychological reasons include `responsibility' (the creation of an excuse to the crowd of irresponsible virus writers to condone their activities and give support to the spurious claim that they are actually doing some kind of 'research', trust problems ( users wish to remain in control of their computers and not give this control over to a 'good' virus) and the negative common meaning to the term 'computer virus'.
Having defined the problems Bonchev listed four basic pre-requisites of a 'good' virus. The good virus:
o Waits for active invitation before installing itself on a system;
o Uses cryptographically strong means to authenticate itself to the system;
o Is self-contained and does not modify other programs (i.e., is a worm);
o Is not called a 'virus'.
He then went on to analyse how it was possible to build a 'good' virus. Bonchev's analysis was a worthy academic attempt which came up with a set of circumstances using public key encryption and highly knowledgeable computer operations staff working in totally professional environment. In these theoretical conditions they were safely able to deploy the 'safe' and beneficial virus. However the sole purpose of this 'safe' virus was to destroy harmful viruses - no other use could be anticipated by Dr Bonchev. And if any of the highly detailed controls on the 'safe' virus were inadequately implemented then the 'safe' virus would become a dangerous virus. On a practical basis Dr Bonchev made out a very good case in proving that there can be no safe viruses.
Reading this article reminded me of the use of High Alumina Cement in building construction. Serious problems have arisen over the years with tower blocks built using High Alumina Cement suddenly collapsing. There is nothing inherently wrong with using High Alumina Cement for construction provided that proper care is taken in the mixing and curing of the cement and good safe buildings could, in theory, be constructed using High Alumina Cement . But in the real world, on building sites, errors do occur which mean that there is always a substantial risk in the use of High Alumina Cement. For this reason its use in construction is banned in the UK. And anyone who has to live in a tower block or travels over a motorway bridge should be grateful for this ban since it protects them from injury.
If Dr Bonchev has proved that there can be no safe viruses does that justify the criminalisation of virus writing. If somebody just writes a virus for their own pleasure should that be a crime ? Well let us look at the process before we get to that stage. Let us look at the mere investigation of a virus. Wallace Wang, the author of Compuserve For Dummies has written about 'Stalking a Computer Virus' where he suggests that if you like to live dangerously instead of deleting or cleaning the infected file you might like to study the computer file and dissect it. 'Such amateur virus sleuthing can be interesting but dangerous, much like trying to make pipe bombs from plans you find on the Internet. Before attempting to isolate and dissect a virus, make backups of all your important files. That way if the virus gets loose and wipes out your hard disk, you won't lose everything for good. (Better yet, practice looking for a virus on a computer that you don't care about, such as an old computer or a computer belonging to your boss or disliked co-worker. That way if a virus gets loose and wipes everything out, at least your computer data will still be safe.)'
Even before setting out the tools which are required for the task Wang has made the point that the investigation of computer viruses is a very dangerous activity and has made some very inappropriate suggestions. So why should people be allowed to do it ? We do not allow ordinary citizens the freedom to engage in recombitant DNA research in their homes - we require them to seek a licence from government authorities. The reason for this is that the escape of a homebrew plague could wipe out cities. We restrict the sale of Semtex explosives to specialist demolition contractors - it is not possible to buy Semtex at a garden centre just to demolish an unwanted tree stump.
We put these restrictions upon researchers to protect the freedoms of his neighbours. The researcher may say that not being allowed to do recombitant DNA research in his bathroom is an infringement on his freedom - and it is. But his neighbouring child also needs the freedom to play in the garden and breath the air. And the one is in conflict with the other.
The proliferation of computer viruses is a problem which is not getting any less. According to S&S International Ltd in August 1996 there were about 9,500 computer viruses in circulation. The old rule that only executable files were dangerous has had to be discarded with the arrival of the 'macro virus'. These are not confined to Microsoft Word for Windows. In January 1996, the first macro virus to infect Lotus AmiPro files [APM.GreenStripe] appeared. And XM.Laroux, which appeared in July 1996, was the first working macro virus to infect Microsoft Excel for Windows spreadsheets. Since the macro viruses are written in Word Basic they can be truly portable. Windows 3.x, Windows 95, Windows NT and Macintosh operating systems are all susceptible to macro viruses.
Bruce Sterling, author of The Hacker Crackdown, is not noted for being redneck supporter of the Establishment. But in the January edition of IBM Anti Virus Online he wrote about his 'deep and visceral dislike of computer viruses...I'm a civil-lib, freeware, hack-sympathizer. I confess it. But I draw the line at virus people.'
Sterling points out that the proliferation of viruses play strongly in the interests of 'large, structured, uptight organisations that employ full-time busybody computer security staff' while the 'classic virus victim is a carefree, free-thinking individual. He's some good hearted, naive, birkenstock-wearing soul who is cheerfully swappin' floppies with his pals and downloading freeware. He just scratches his shaggy head when odd pop-up boxes appear on his screen. When his programs crash without warning, he figures maybe the cat ate 'em. A virus is a malignant itch to the silk-suit guys at Three Initial Corporation. But the poor dweeb at the small or home-office will keep plugging away at his failing clone-box until his hard disk and his backups are totally corrupted. Very likely he'll never even guess what hit him. Viruses work against individuals. Especially the trusting, the generous, and the innocent.'
It is the ordinary citizen that needs protection from virus authors and amateur virus investigators. In 1995 Judge Jeremy Griggs who sentenced the shocked Chris Pile to eighteen months imprisonment for spreading and inciting others to distribute the SMEG computer viruses, which were programs of his design, got it precisely right when he said 'Those who seek to wreak mindless havoc on one of the vital tools of our age cannot expect lenient treatment.' But it is time to go further.
In an earlier paper from April 1994 'Future Trends in Virus Writing' Dr Bontchev pointed out a disturbing trend: the proliferation of computer viruses which had to be countered by anti-virus research and development meant that anti-virus research was no longer a business which could be undertaken by a small start-up. Since then many companies have pulled out of anti-virus production leaving the field to large companies like McAfee Associates and IBM. In the same way that pharmaceutical companies need to be 'large, structured, uptight organisations' to adequately address the safety and product liabilities issues in the production of anti-viral medicines, computer anti-virus vendors and researchers must be large regulated corporates. There is no longer a place for the interested amateur.
One hundred years ago Parliament took aim at the charlatan sellers of medical nostrums who leached off the gullibility of the public for cures. In doing so it created the beginnings of a consumer society - a society in which citizens have rights and can rely upon product labelling. But in doing so Parliament took away the freedom of the citizen to investigate, manufacture and sell his own medical cures without prior approval of a licence. This was a fair price to pay for progress. Today we need similar controls over research and development of self-replicating programs that can 'infect' other programs by modifying them or their environment.
Defined in such limited terms this would not be a block on freedom of speech or on the genuine rights of young people to experiment and learn. It would merely create a framework which could protect society from serious harm arising though carelessness, ignorance or malicious conduct.
Bontchev, Vesselin 'Are 'Good' Computer Viruses Still a Bad Idea?', <http://www.drsolomon.com/ftp/papers/goodvir.txt>
Bontchev Vesselin 'Future Trends in Virus Writing' , <http://www.drsolomon.com/ftp/papers/trends.txt>
Emm, David (1996), 'The Future Impact of Viruses', <http://www.drsolomon.com/ftp/papers/future.txt>
Sterling, Bruce (1997) 'Sterling v Virus Writers', Anti-Virus Online Vol 2 Issue 1<http://www.av.ibm.com/2-1/CoverStory/>
Wang, Wallace, 'Stalking a Computer Virus', <http://www.boardwatch.com/mag/96/NOV/bwm19.htm>