A Swedish court has recently delivered the first judgment in Sweden on criminal liability for the spreading of viruses and denial of service attacks.
In the spring of 2003, a number of organisations, including two newspapers, the public service television station and the Swedish National Agency for Education, began receiving, from many different senders, a large number of copies of an email containing a manifesto on injustices in the school system, apparently written by a disgruntled student.
The volume of these emails effectively prevented the continued use of the targeted accounts and temporarily blocked the organisations’ email servers. Computer security companies were hired to investigate this denial of service attack and found that the email problems were caused by a mass-mailing worm, named “Ganda” after the word propaganda in the email’s subject field.
The worm spread through an email encouraging the recipient to open an attached file purporting to be a hilarious screen saver. Doing so executed the worm, which infected the user’s computer, deactivated any virus protection and searched the computer for email addresses, to which it forwarded itself. Every time a new computer was infected it also sent an email to 14 predetermined addresses, which made those addresses the targets of the denial of service attack. The worm remained on the top-ten list of computer infections in Sweden for almost a year after its first outbreak.
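The pattern described above, a fixed set of recipients flooded with near-identical messages from a growing number of infected senders, is what distinguishes a worm-driven mail flood from ordinary heavy traffic on a mail server. The script below is an added example, not part of the original case note or the court record: it runs simple triage logic over a constructed mail log (the log format, addresses, timestamps, subject text and thresholds are all assumptions made for illustration) and flags recipients whose inbound mail shows that shape.

```python
"""Flag recipients whose inbound mail looks like a worm-driven mail flood.

Added example for illustration; it is not from the case or the court record.
The log format, every address and the thresholds below are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log. Pattern mimicked: many distinct (infected) senders
# repeatedly hitting a few fixed recipients with the same subject, mixed with
# normal mail. Nothing here is real traffic.
SAMPLE_LOG = """\
2003-03-18T09:00:01 from=alice@example.org to=editor@paper.example subject="Re: interview"
2003-03-18T09:00:03 from=pc01@home1.example to=editor@paper.example subject="propaganda"
2003-03-18T09:00:03 from=pc01@home1.example to=info@agency.example subject="propaganda"
2003-03-18T09:00:07 from=pc02@home2.example to=editor@paper.example subject="propaganda"
2003-03-18T09:00:07 from=pc02@home2.example to=info@agency.example subject="propaganda"
2003-03-18T09:00:12 from=pc03@isp.example to=editor@paper.example subject="propaganda"
2003-03-18T09:00:12 from=pc03@isp.example to=info@agency.example subject="propaganda"
2003-03-18T09:00:15 from=bob@example.org to=news@paper.example subject="press release"
2003-03-18T09:00:20 from=pc04@isp.example to=editor@paper.example subject="propaganda"
2003-03-18T09:00:20 from=pc04@isp.example to=info@agency.example subject="propaganda"
2003-03-18T09:00:24 from=pc05@school.example to=editor@paper.example subject="propaganda"
2003-03-18T09:00:24 from=pc05@school.example to=info@agency.example subject="propaganda"
2003-03-18T09:00:30 from=carol@example.org to=news@paper.example subject="lunch?"
2003-03-18T09:00:31 from=pc06@home3.example to=editor@paper.example subject="propaganda"
2003-03-18T09:00:31 from=pc06@home3.example to=info@agency.example subject="propaganda"
"""

# Assumed (constructed) log line layout: timestamp, sender, recipient, quoted subject.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) subject="(?P<subject>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines into dicts with keys ts, sender, rcpt, subject.

    Malformed lines are skipped rather than aborting the whole run, since a
    real log will contain lines in other formats.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def flood_targets(records, min_messages=5, min_senders=5, subject_share=0.8):
    """Return {recipient: stats} for recipients matching the flood pattern.

    A recipient is flagged when it received at least min_messages messages,
    from at least min_senders distinct senders, and a single subject accounts
    for at least subject_share of those messages. Requiring many distinct
    senders is what separates a worm (each infected host mails the fixed
    targets) from one noisy correspondent. Thresholds are illustrative knobs.
    """
    by_rcpt = defaultdict(list)
    for r in records:
        by_rcpt[r["rcpt"]].append(r)

    flagged = {}
    for rcpt, msgs in by_rcpt.items():
        senders = {m["sender"] for m in msgs}
        subject, top = Counter(m["subject"].lower() for m in msgs).most_common(1)[0]
        share = top / len(msgs)
        if len(msgs) >= min_messages and len(senders) >= min_senders and share >= subject_share:
            flagged[rcpt] = {
                "messages": len(msgs),
                "senders": len(senders),
                "subject": subject,
                "share": round(share, 2),
            }
    return flagged


if __name__ == "__main__":
    for rcpt, stats in flood_targets(parse_log(SAMPLE_LOG)).items():
        print(rcpt, stats)
```

On the constructed log the two addresses hit by every infected host are flagged, while the address that only received ordinary mail is not. The useful output for an investigator is the distinct-sender count per target: it is a rough lower bound on the number of infected machines, and the sender list itself is the starting point for notifying their owners.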
The virus attack led to a police investigation, as a result of which the public prosecutor charged the alleged author of the worm with breach of data secrecy and unlawful dispossession. Breach of data secrecy involves deliberately and unlawfully altering data recordings in a register; unlawful dispossession involves deliberately disturbing someone’s possession of their property. It should be noted that, following an amendment to the Swedish Penal Code, breach of data secrecy would now cover all the actions concerned. Following the trial, the Ångermanland District Court passed judgment on 5 November 2007.
The defendant admitted creating and sending the worm, but denied liability, on the grounds that the disruptive effect it had was not deliberate, and all he had wanted was to send a message to the 14 pre-programmed addresses. Therefore, he argued, he did not meet the criteria necessary for criminal liability.
The court held that the defendant had created and spread the worm and that the function of the worm was to disable virus protections, alter the start menu of infected computers and send itself to other email addresses, as well as repeatedly sending a certain message to the pre-programmed addresses. By disabling virus protections and making alterations to the start menus as well as by installing the worm on the receiving computers, the court found that the objective criteria for breach of data secrecy were fulfilled.
At the time the offence was committed, the crime of breach of data secrecy did not cover denial of service attacks. However, the court consulted the preparatory work on revisions to the Swedish Penal Code, which indicated that other legal provisions might apply to such attacks. There was no relevant precedent concerning denial of service attacks, and it was not clear whether unlawful dispossession could be applied to them. The court nevertheless found that, as a result of the large volumes of email sent to the affected addresses, the recipients’ email servers had been blocked and the owners had been prevented from using or accessing the servers and email addresses. This, combined with the scale of the disturbance and the fact that the attacks were aimed at functions of vital interest to society, meant, in the opinion of the court, that the attacks must be regarded as constituting unlawful dispossession under the Swedish Penal Code.
Regarding the subjective requirement of both offences that the actions be deliberate, the court stated that the defendant was fully aware of the possible effects of the worm and intended it to have those effects. The court found that there was no other plausible explanation for the defendant’s actions than to ensure that the pre-programmed recipients were bombarded with emails. The defendant’s claim that he only wanted to send a message to the pre-programmed addresses was disregarded, since a single ordinary email would have sufficed for that purpose. The defendant was therefore found guilty of both charges and given a conditional sentence combined with a fine, and the injured parties were awarded damages. At the time of writing, neither party has yet appealed the judgment.
It is not immediately clear how the court can justify its finding that the effect of the defendant’s actions constituted unlawful dispossession, since possession under Swedish law requires tangible property and, on the face of it, an email account is an intangible asset. It is therefore doubtful whether the section of the Swedish Penal Code relied on in this case was correctly applied in relation to the email accounts, although a stronger case can be made for its application in relation to the servers, which are physical equipment.
However, since the events considered in the judgment took place, the application of unlawful dispossession to denial of service attacks has become obsolete as a result of the amendment of the Swedish Penal Code. The section on breach of data secrecy was amended on 1 June 2007 in accordance with an EU framework decision on attacks against information systems, and the section now states that breach of data secrecy also applies to actions which seriously disturb or impede the use of data for automated processing. According to the preparatory works, this amendment is applicable to denial of service attacks, and in future the spreading of viruses and the performing of denial of service attacks will likely be regulated exclusively through the section on breach of data secrecy.