The Justice Ministers of the 15 Member States of the European Union have decided to modify their country laws, with the aim of including prison sentences for the authors of computer crime. This decision may have more implications than it may seem: there are many different types of computer crimes, and all of them can be seen from different perspectives.
For example, the attacks ‘against the integrity of information systems and databases carried out with the intent of hindering or interrupting the system’ will be a principal target of new legislation. That is, when a system is accessed and modified to affect its operation.
However desirable it may be that these attackers end up in jail, without being a legal expert, this will be difficult if the author of the attack can not be identified.
When a hacker wants to access a computer and steal information, he does not identify himself. If he did, it would be as if a thief went into a bank and said: ‘Hi, it’s me, I’m Jane Bloggs, I want to steal your money’. For that reason, a hacker will try to hide his actions in many different ways: from the most simple one, like using a computer in a Cybercafe, to the most sophisticated ones, like the usage of Trojans or logins in ill-protected computers.
It is very difficult to identify the computer from which the attack is being carried out, even more if we take into account that there are many counties which do not have adequate controls over ISPs or telephone service operators. What’s more, there are free Internet connections with anonymous users, in many countries, that allow people to hide the number from which the telephone call is made. Summing up, a person could make a phone call to connect to the Internet without anybody knowing who or where he is.
It is even easier to search for an unprotected computer (without a personal firewall and antivirus) on the Internet. Once the hacker finds it, he just needs to find an open port and log in. From that moment on, the attacks would seem to have been carried out from that computer. Of course this is a good reason for not forgetting to have your personal firewall enabled while connected to the Internet.
Another crime that the legislation aims to deal with is the spreading of viruses, which is even more surprising than the case above. Every user is a potential virus distributor since, once a computer becomes infected, the malicious code will automatically spread itself to other users.
Obviously, the European Union wants to punish the person that first sends the virus out, who intentionally causes the first infections. But it is all to easy to do this by using a computer in a Cybercafe, a free website, or even a USENET newsgroups.
It must be taken into account that this first distributor could be a 14 year boy. This leads us to the conclusion that the real guilty party is the virus writer. He is the one to be punished. The problem is that this person has a series of resources to protect himself from the current legislation. As an example: if I am Chilean and I create a virus and leave it in a web page with a ‘.TV’ domain –which is located in a Japanese server- and a European kid uses it to carry out an infection, who is to be blamed? What does the Chilean legislation say about it? And Tuvalu’s one, which is the legislation to which the domain belongs? And does the Japanese government provide for this problem? Is the European Union the one who finally will put one of its citizens in jail?
In the best of the cases (when the process is carried out in the European Union), if the virus writer has included the message ‘I do not accept responsibility for the wrong usage of this code, which I have left here for investigation purposes’ the writer will not be culpable.
Whatever the law does to punish criminals, they will continue to exist, and they will be many! For that reason, the best thing to do is to protect your computer with a good antivirus and a personal firewall, and go on enjoying the Internet!.