Throwback Thursday: Off with his Head! (January 1996)

2015-04-30

Ian Whalley

Virus Bulletin, UK
Editor: Martijn Grooten

Abstract

In November 1995, self-confessed virus writer Christopher Pile - author of the viruses Pathogen and Queeg and the encryption engine known as SMEG (Simulated Metamorphic Encryption Generator) - became the first person in the UK to be given a custodial sentence for writing and distributing computer viruses when he was jailed for 18 months. Ian Whalley wondered whether the punishment fitted the crime.


(This article was first published in Virus Bulletin in January 1996.)

Last month, legal history was made here in the UK when Christopher Pile, self-confessed author of the viruses Pathogen and Queeg and the encryption engine known as SMEG (Simulated Metamorphic Encryption Generator), was jailed for 18 months. This event received wide coverage even outside specialist journals, putting in appearances on national TV, radio and in the newspapers. However one looks at it, this was an event of no small importance – the first person in the UK to be given a custodial sentence for writing and distributing computer viruses.

It is undoubtedly the case that Pile is guilty of the crimes for which he was prosecuted – in addition to the array of damning evidence against him, he pleaded guilty. However, when I heard the sentence, my immediate reaction was that it was over-harsh, perhaps even inappropriate. This has also been the reaction of a number of people to whom I have spoken over the last few weeks, so it seems that the time is right to have a closer look.

In his summing up, Judge Griggs, presiding, made the point that the five year maximum penalty the law allowed should be reserved for those who commit the crimes for some form of monetary or material gain. This seems an eminently reasonable viewpoint – certainly, had Pile (as an extreme example) written SMEG in an attempt to cripple the security systems of the Bank of England in order to facilitate grand theft, a more serious penalty would have been in order. This was, of course, not the case.

An important issue in any case of this type is the question of the damage caused – it has always been difficult to assign a cost, in simple monetary terms, to the results of computer crime. The case of the E911 document stolen from BellSouth by the hacker, Prophet, in 1988 is a classic example. Whilst the specific issues in that instance were somewhat different from those under consideration here, the way in which such costs can be exaggerated is clearly shown. The three estimates of damage in the Pile case range from two at £1,000 to a third at £250,000. Much has been factored into this final figure, including the estimated loss of profits due to the delayed release of a new product.

However, in the case of a virus, there is an added difficulty when calculating the cost. To use a phrase which cropped up in court a number of times, once Pandora’s box has been opened, it can never truly be shut again. The software Pile wrote is freely available from a number of sources on the Internet and from BBSs around the world. It cannot be taken back from the underground.

There was also a clear intent to distribute the virus – the deliberate infection and subsequent uploading of utilities to BBS systems in such a way as to encourage their download by unsuspecting users can be in little doubt. In spite of this, the viruses are not prevalent in the real world today – Pathogen and Queeg survive on the WildList by the narrowest of margins, and the engine has not become as widely used as its author would perhaps, at least when he wrote it, have liked it to. It seems likely that minimal damage will result, although Pathogen’s generation counter is forever ticking forward…

Given these facts, Pile clearly deserved to be punished in some way. But did he deserve to go to prison for eighteen months? This is a difficult question. The sentence may be out of proportion to those imposed for other, seemingly more serious, offences – however, it is all too easy to fall into the trap of drawing parallels between the punishments for crimes which are completely different. Such comparisons are hard to make; each type of crime must stand alone, for it would never be simple to assign relative ‘levels of severity’ to individual types of crime.

Quite apart from punishing the individual, sending Pile to prison will set an example upon which other virus authors in the UK may ponder – this game they play is suddenly more complicated; now it’s a game which you go to prison for playing! And, despite my initial reaction to the contrary, I now believe that it was the right magnitude of sentence… perhaps it is just as well that Jeremy Griggs is a judge, and I am an editor.
