Swedish Court of Appeal re-evaluates the law on email worms

10 May 2010

Johan Bohm

The Swedish Court of Appeal has upheld in part the criminal conviction of the creator of an e-mail worm.  The Court found that the changes to the computer resulting from the virus infection amounted to illegal misuse of computer information.  The virus also sent out e-mails to addresses that it found on the computer.  Although this was held to be within the scope of criminal arbitrary conduct, on the facts of the case there was found to be insufficient proof of criminal intent.

Ganda was a malicious email worm, which ravaged the internet seven years ago.  It was, at the time, in the top ten list of the most common computer viruses. The creator of the worm was successfully prosecuted for illegal misuse of computer information and arbitrary conduct. Ångermanland District Court delivered its verdict in 2007, four years after the creation of the worm.  The Swedish Court of Appeal has now reviewed the District Court’s verdict.

The email containing the worm invited the recipient to open a program, which claimed to be a screen saver. However, when opened, the program infected the computer and searched for any email addresses stored on it, and then sent itself to all the addresses it had found. To be able to do so, the worm turned off installed anti-virus software and firewalls. It also made changes to the computer’s boot procedure, specifically by replacing certain data files, which allowed the worm to run itself each time an infected computer was turned on. This led the District Court to conclude that the two necessary conditions for illegal misuse of computer information had been fulfilled. Firstly, the creator had unlawfully changed systems for automatic data processing by making changes to computers’ boot procedures and turning off protection software. Secondly, the creator had unlawfully introduced a program into the registers for automatic data processing by installing the program on the receiving computer.

Each time a computer was infected the worm also sent a specific email to fourteen specific email addresses, containing a message in which the creator claimed he had been mistreated by Swedish society. The creator additionally named the worm ‘WORM.SWEDENSUX’. Some of the fourteen email addresses belonged to the nationwide newspaper, Aftonbladet, a local newspaper, Tidningen Ångermanland, and the nationwide television broadcasting company, SVT. Due to the wide spread of the worm these email addresses received a huge number of messages, which led to their email servers crashing. The emails sent to those fourteen email addresses did not, however, contain the worm itself.

The District Court stated that this type of conduct, popularly referred to as ‘mailbombing’, was not fully covered by the scope of the penal provision concerning illegal misuse of computer information. The provision had recently been revised in order to meet the requirements of the Council Framework Decision 2005/222/JHA on attacks against information systems. The Court noted that the revisions had extended the scope of the provision. However, the relevant preparatory works stated that it was unclear whether the sending of large amounts of emails to an email address and in doing so blocking the receiver’s mail system (mailbombing) was completely covered by the provision’s scope. The preparatory works did however discuss the possibility that such conduct could be unlawful according to other penal provisions and mentioned arbitrary conduct as an example. The discussion went on to point out that the legal situation is unclear and that there is a lack of guiding court practice.

The District Court stated that the three companies were unable to use the exposed email addresses and servers due to the conduct of the creator, and concluded, despite the legal uncertainty, that the creator’s actions constituted conduct which was criminalised by the arbitrary conduct provision.

The creator claimed in his defence that he did not have any criminal intent in relation to the effect caused by the worm. He argued that he simply had not expected the worm to spread so rapidly and so widely; instead his intention was merely to make the owners of the fourteen email addresses aware of his situation. The District Court did not accept his defence and stated that a creator of an email worm that resends itself must be aware of the fact that it would infect multiple computers and thus generate a significant number of emails. Its purpose is to spread itself and this must have been clear to the creator. Notifying the fourteen addressees about his situation could have been done without ‘mailbombing’ them. The creator was consequently found to have criminal intent and was convicted under both counts.

The prosecutor claimed that the criminal actions lasted from 14 March 2003, when the worm was released, until 10 February 2006, when the prosecution was initiated. The creator argued in his defence that there had been a successor to Ganda, in the form of Ganda B, which had been created by someone else, and that it was this worm, rather than the original Ganda which, after some time, infected computers. The District Court held that the evidence presented by the prosecutor could not support the claim that Ganda had been infecting computers for three years. Instead the Court found that it had only been proven that actions lasted until the end of July 2003.  

The District Court’s ruling was appealed and in a recently delivered verdict the Appeals Court has partially overturned the District Court’s verdict.

Regarding the first count of illegal misuse of computer information, the Court of Appeal found that it was proven that the worm was programmed to search for email addresses stored on the infected computer and to send itself to all the addresses it had found. The Court additionally found that the worm made changes to the infected computer’s boot procedure and turned off any protection software, and that a specific email was sent to fourteen specific email addresses each time a computer was infected. The Court’s findings were mainly based on the evidence given by two IT security experts, who had also been heard in the District Court. Consequently, the Court held that the worm changed systems for automatic data processing and also introduced an unwanted program in registers for automatic data processing.

As a result of the investigation it was possible to trace the worm back to the creator’s computer. The investigation also indicated that it was the creator who took the necessary actions for the worm to spread itself. In the Court of Appeal’s renewed hearing with the creator, he however denied that he had made the part of the code necessary for the worm to resend itself to other computers. He claimed that a foreign code was introduced into the program by someone else, and without his knowledge. According to the creator, this could have been done when the program was on public display at a forum several weeks before the worm began to spread itself on the internet. As this statement was introduced for the first time in the hearing conducted in the Court of Appeal, the Court had to assess this new information. No technical information regarding the possibility of manipulating the program in the way described by the creator was adduced in the hearings. The Court therefore assumed that it was in theory possible to manipulate the program in such a way, but concluded that the possible scenario laid out by the creator was highly unlikely.

This conclusion was also supported by the police interrogations, in which the creator stated that he had created the worm and given it its ‘mass-posting’ functions. The Court of Appeal considered that his statements must be interpreted with discretion, as the creator had not been accompanied by a public defence counsel during the interrogations. However, they found that the information was too detailed to be considered as made up. Thus, the statements given by the creator during the interrogations outweighed his alternative scenario.

The program codes which were found on seized material (hard drive and CDs) at the creator’s house also lessened the credibility of his alternative explanation. One of the IT security experts stated that the codes contained parts which were typical for viruses, and their functions showed similarities to the functions of the Ganda worm, thus indicating, but not with full certainty, that the harmful aspects of the virus had been programmed by the creator himself. It should however be noted that the seized material did not contain any evidence that clearly showed that the program had ‘mass-posting’ functions.

The Court of Appeal also took into account that the creator had written the word ‘Worm’ in his calendar on 14 March 2003, the same day as he started the program. This suggested that the creator knew that the program he executed had malicious functions and was in fact a worm.

The Court of Appeal concluded that the information obtained from the seized materials, the expert hearings and the interrogations with the creator himself made it clear beyond doubt that the creator was aware of the harmful functions of the program, which he executed on 14 March 2003. This information rendered his alternative explanation highly unlikely. He was thus found to have criminal intent to illegally misuse computer information.         

The Court of Appeal came to a different conclusion concerning the extent and duration of the illegal misuse, mainly based on the hearing with one of the IT security experts. The creator claimed that Ganda in fact was replaced by a successor, Ganda B, and that this new worm, created by someone else, was responsible for infecting computers after a certain date. The expert’s conclusions concerning the Ganda B claim were that the original Ganda code was damaged at some point and that this damaged code probably was then seen as another version of Ganda. The Court found no reason to doubt the expert’s explanation, which was based on extensive research. Thus, the existence of a second version of the worm was ruled out and the Court extended the duration of the crime, from the date adopted by the District Court, at the end of July 2003, to 10 February 2006.

The second count concerning arbitrary conduct was dismissed, based on lack of criminal intent regarding the effect of his conduct. The Appeals Court stated that the conduct of the creator had led to blocking of the above-mentioned companies’ email servers and that such conduct probably would fall within the scope of arbitrary conduct, thus agreeing with the District Court. The Court did however not share the District Court’s view concerning the criminal intent. The creator expressed, both in the Court hearing and in the police interrogations, that he had neither understood nor expected that the worm would lead to the blocking of several email servers. This view is also reinforced by two letters which were found on his computer during the police search of the creator’s home. In the unsent letters the creator expressed his regret for the situation caused by the worm. As there was a lack of proof to the contrary the Court found that the creator lacked criminal intent with regard to the effects of the worm.