Journal: Communications of the ACM June 1989 v32 n6 p666(4) * Full Text COPYRIGHT Assn. for Computing Machinery, Inc. 1989. ----------------------------------------------------------------------------- Title: Can hackers be sued for damages caused by computer viruses? (column) Author: Samuelson, Pamela. Summary: Computer viruses damage computer systems in many ways, including destroying programs and data, causing lost computing time and necessitating expensive cleanup procedures and increased security measures. If the damage caused by such a virus is extensive, it would seem appealing to sue the author for restitution. Careful consideration must be paid to the facts in the case, however, to determine whether or not a beneficial resolution is possible through legal action. Two problems stand in the way of a favorable resolution. First, there are few laws on the books which set clearly applicable precedents for the right to legal relief in virus-related cases. Second, since hackers tend to work by themselves, the cost of a lawsuit may be more than can reasonably be recovered from the defendant. The legal ramifications of the virus problem are discussed in detail. ----------------------------------------------------------------------------- Descriptors.. Topic: Computer hackers Computer viruses Computer Crimes Legal Issues. Record#: 07 331 212. ----------------------------------------------------------------------------- *Note* Only Text is presented here; see printed issues for graphics. Full Text: Can Hackers Be Sued for Damages Caused by Computer Viruses? The law can be a rather blunt instrument with which to attack a hacker whose virus has caused damage in a computer system. Among the kinds of damage that can be caused by computer viruses are the following: destroyed programs or data, lost computing time, the cost of system cleanup, and the cost of installing new security measures to guard against a recurrence of the virus, just to name a few. The more extensive and expensive the damage is, the more appealing (at least initially) will be the prospect of a lawsuit to seek compensation for the losses incurred. But even when the damage done is considerable, sometimes it may not be worthwhile to bring a lawsuit against the hacker whose virus has damaged the system. Careful thought should be given to making a realistic appraisal of the chances for a meaningful, beneficial outcome to the case before a lawsuit is filed. This appraisal must take into account the significant legal-theory and practical difficulties with bringing a lawsuit as a way of dealing with the harm caused by a hacker's virus. This column will discuss both kinds of difficulties. A brief synopsis of each type of problem may be helpful before going into detail about each. The legal theory problem is essentially this: There may not yet be a law on the books or clearly applicable legal precedents that can readily be used to establish a right to legal relief in computer virus situations. The law has lots of experience with lawsuits claiming a right to compensation for damage to persons or to tangible property. But questions may arise if someone seeks to adapt or extend legal rules to the more intangible nature of electronically stored information. The practical difficulties with using the law to get some remedy for harm caused by a hacker's virus can be even more daunting than the legal theory problems. Chief among the practical difficulties is the fact that the lawsuit alone can cost more than can ever be recovered from the hacker-defendant. To understand the nature of the legal theory problems with suing a hacker for damage caused by his or her virus, it may help to understand a few basic things about how the law works. One is that the law has often evolved to deal with new situations, and evolution of this sort is more likely when fairness seems to require it. Another is that the law generally recognizes only already established categories of legal claims, and each of the categories of legal claims has its own particular pattern to it, which must be matched in order to win a lawsuit based on it. While judges are sometimes willing to stretch the legal category a little to reach a fair result, they are rarely willing to create entirely new categories of law or stretch an existing category to the breaking point. Because of this, much of what lawyers do is pattern-matching and arguing by analogy: taking a given set of facts relevant to a client's circumstances, sorting through various possible categories of legal claims to determine which of them might apply to the facts at hand, and then developing arguments to show that this case matches the pattern of this legal category or is analogous to it. Whenever there is no specific law passed by the legislature to deal with a specific issue, such as damages caused by computer viruses, lawyers look to more general categories of legal claims to try to find one that matches a particular client's situation. "Tort" is the name used by lawyers to refer to a category of lawsuits that aim to get money damages to compensate an injured party for harm caused by another person's wrongful conduct. Some torts are intentional (libel, for example, or fraud). Some are unintentional. (Negligence is a good example of this type of lawsuit.) The harm caused by the wrongful conduct may be to the victim's person (as where someone's negligence causes the victim to break a leg) or property (as where a negligent driver smashes into another car, causing it to be "totaled"), or may be more purely economic losses (as where the victim has to incur the expense of renting another car after his or her car has been destroyed by a negligent driver). In general, tort law permits a victim to recover money damages for all three types of injuries so long as they are reasonably foreseeable by the person who causes them. (Some economic losses, however, are too remote to be recoverable.) Among the categories of traditional torts that might be worth considering as the basis of a lawsuit seeking compensation for losses caused by a computer virus is the law of trespass. Though we ordinarily think of trespass in connection with unlawful entry onto another's land, the tort of trespass applies to more situations than this. Intentional interference with someone's use of his or her property can be a trespass as well. A potential problem with the use of trespass for computer virus situations, however, might be in persuading a judge to conceive of a virus as a physical invasion of a computer system. A defendant might argue that he or she was in another state and never came anywhere near the plaintiff's computer system to show that the trespass pattern had not been established. The plaintiff would have to counter by arguing that the virus physically invaded the system, and was an extension of the defendant who was responsible for planting it. Another tort to consider would be the law of conversion. Someone who unlawfully "converts" someone else's property to his or her own use in a manner that interferes with the ability of the rightful owner to make use of it can be sued for damages by the rightful owner. (Conversion is the tort pattern that can be used to recover damages for theft; theft itself is more of a criminal law term.) As with trespass, the law of conversion is more used to dealing with interferences with use of tangible items of property, such as a car. But there would seem to be a good argument that when a virus ties up the computing resources of a firm or university, it is even more a conversion of the computing facility than if some component of the system (such as a terminal) was physically removed from the premises. Even if a claim, such as conversion, could be established to get damages for lost computer time, that wouldn't necessarily cover all of the kinds of losses that might have been caused by the virus. Suppose, for example, that a virus invaded individual accounts in a computer system and sent out libelous messages masquerading as messages from the account's owner or exposed on a computer bulletin board all of the account owner's computer mail messages. Libel would be a separate tort for a separate kind of injury. Similarly, a claim might be made for invasion of privacy and intentional misrepresentation to get damages for injuries resulting from these aspects of the virus as well. So far we have been talking mostly about intentional torts. A hacker might think that he or she could not be found liable for an intentional tort because he or she did not intend to cause the specific harm that resulted from the virus, but that is not how tort law works. All that is generally necessary to establish an intentional tort is that the person intended to do the conduct that caused the harm, and that the harm was of a sort that the person knew or should have known would be reasonably certain to happen as a consequence of his or her actions. Still, some hackers might think that if the harm from their viruses was accidental, as when an "experiment" goes awry, they might not be legally responsible for the harm. That is not so. The law of negligence allows victims of accidental injury to sue to obtain compensation for losses caused by another's negligence. Negligence might be a more difficult legal claim to win in a computer virus case because it may be unclear exactly who had what responsibilities toward whom under the circumstances. In general, someone can be sued for damages resulting from negligence when he or she has a duty to act in accordance with a standard of care appropriate to the circumstances, and fails to act in accordance with that standard of care in a particular situation. Standards of care are often not codified anywhere, but depend on an assessment of what a reasonable person would do in the same set of circumstances. A programmer, for example, would seem to have a duty to act with reasonable care in writing programs to run on a computing system and a duty not to impose unreasonable risks of harm on others by his or her programming. But the owner of the computing system would also have a duty of care to create reasonable safeguards against unauthorized access to the computing system or to some parts of the computer system because the penchant of hackers to seek unauthorized entry is well-known in the computing community. The focus in a negligence lawsuit, then, might not be just on what the hacker did, but on what the injured party did to guard against injury of this sort. Sometimes legislatures pass special laws to deal with new situations such as computer viruses. If a legislature was to consider passing a law to provide remedies for damages caused by computer viruses, there would be a number of different kinds of approaches it could take to formulate such a law. It is a tricker task than one might initially suppose to draft a law with a fine enough mesh to catch the fish one is seeking to catch without creating a mesh so fine that one catches too many other fish, including many that one doesn't want to catch. Different legislative approaches have different pros and cons. Probably the best of these approaches, from a plaintiff's standpoint, would be that which focuses on unauthorized entry or abuse of access privileges because it limits the issue of wrongful conduct by the defendant to access privileges, something that may be relatively easy to prove. Intentional disruption of normal functioning would be a somewhat more demanding standard, but would still reach a wide array of virus-related conduct. A law requiring proof of damage to data or programs would, again from a plaintiff's standpoint, be less desirable because it would have stiffer proof requirements and would not reach viruses that merely disrupted functioning without destroying data or programs. The problem of crafting the right law to cover the right problem (and only the right problem) is yet another aspect of the legal theory problems posed by computer viruses. Apart from the difficulties with fitting computer virus situations in existing legal categories or devising new legal categories to reach computer viruses, there are a set of practical difficulties that should be considered before undertaking legal pursuit of hackers whose viruses cause damage to computer systems. Perhaps the most important set of practical difficulties with suing a hacker for virus damages is that which concerns the legal remedy one can realistically get if one wins. That is, even if a lawyer is able to identify an appropriate legal claim that can be effectively maintained against a hacker, and even assuming the lawyer can surmount the considerable evidentiary problems that might be associated with winning such a lawsuit, the critically important question which must be answered before any lawsuit is begun is what will one realistically be able to recover if one wins. There are three sets of issues of concern here. One set relates to the costs of bringing and prosecuting the lawsuit. Lawsuits don't come cheap (and not all of the expenses are due to high attorney fees). Another relates to the amount of damages or other cost recoveries that can be obtained if one wins the lawsuit. It's fairly rare to be able to get an award of attorney's fees or punitive damages, for example, but a lawsuit becomes more attractive as an option if these remedies are available. Also, where the virus has spread to a number of different computer systems on a network, for example, the collective damage done by the hacker may be substantial, but the damage to any one entity within the network system may be sufficiently small that, again, it may not be economically feasible to maintain individual lawsuits and the collectivity may not have sufficiently uniform interests to support a single lawsuit on behalf of all network members. But the third and most significant concern will most often be the ability of the defendant to write a good check to pay the damages that might be awarded in a judgment. Having a judgment for one million dollars won't do you any good if it cost you $10,000 to get it and the defendant's only asset is a used computer with a market value of $500. In such an instance, you might as well have cut your losses and not brought the lawsuit in the first place. Lawyers refer to defendants of this sort as "judgment-proof." While these comments might suggest that no lawsuit should ever be brought against a young hacker unless he or she has recently come into a major inheritance, it is worth pointing out the law does allow someone who has obtained a judgment against another person to renew the judgment periodically to await "executing" on it until the hacker has gotten a well-paying job or some other major asset which can be seized to satisfy the judgment. If one has enough patience and enough confidence in the hacker's future (or a strong enough desire for revenge against the hacker), there may be a way to get some compensation eventually from the defendant. Proof problems may also plague any effort to bring a successful lawsuit for damages against a computer hacker. Few lawsuits are easy to prove, but those that involve live witnesses and paper records are likely to be easier than those involving a shadowy trail of electronic signals through a computer system, especially when an effort is made to disguise the identity of the person responsible for the virus and the guilty person has not confessed his or her responsibility. Log files, for example, are constantly truncated or overwritten, so that whatever evidence might once have existed with which to track down who was logged onto a system when the virus was planted may have ceased to exist. Causation issues too can become very murky when part of the damage is due to an unexpected way in which the virus program interacted with some other parts of the system. And even proving the extent of damages can be difficult. If the system crashes as a result of the virus, it may be possible to estimate the value of the lost computing time. If specific programs with an established market value are destroyed, the value of the program may be easy to prove. But much of the damage caused by a virus may be more elusive to establish. Can one, for example, recover damages for economic losses attributable to delayed processing, for lost accounts receivable when computerized data files are erased and no backup paper record was kept of the transactions? Or can one recover for the cost of designing new security procedures so that the system is better protected against viruses of this sort? All in all, proof issues can be especially vexing in a computer virus case. In thinking about the role of the law in dealing with computer virus situations, it is worth considering whether hackers are the sorts of people likely to be deterred from computer virus activities by fear of lawsuits for money damages. Criminal prosecution is likely to be a more powerful legal deterrent to a hacker than a civil suit is. But even criminal liability may be sufficiently remote a prospect that a hacker would be unlikely to forego an experiment involving a virus because of it. In some cases, the prospect of criminal liability may even add zest to the risk-taking that is involved in putting a virus in a system. Probably more important than new laws or criminal prosecutions in deterring hackers from virus-related conduct would be a stronger and more effective ethical code among computer professional and better internal policies at private firms, universities, and governmental institutions to regulate usage of computing resources. If hackers cannot win the admiration of their colleagues when they succeed at their clever stunts, they may be less likely to do them in the first place. And if owners of computer facilities make clear (and vigorously enforce) rules about what is acceptable and unacceptable conduct when using the system, this too may cut down on the incidence of virus experiments. Still, if these measures do not succeed in stopping all computer viruses, there is probably a way to use the law to seek some remedy for damages caused by a hacker's virus. The law may not be the most precisely sharpened instrument with which to strike back at a hacker for damages caused by computer viruses, but sometimes blunt instruments do an adequate job, and sometimes lawsuits for damages from viruses will be worth the effort of bringing them.