Monday, February 08, 2010

Kidnapping and Ransomware

This post is about an old phenomenon that’s been back in the news lately: ransomware. Wikipedia defines ransomware as “malware which holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration.” And it says “the first known ransomware was the 1989 PC Cyborg Trojan,” which encrypted filenames.

Over the last month or so, I’ve seen a number of news stories about evolved varieties of ransomware. According to an MSNBC story, there’s been “an explosion of ransomware” over the last few months; the story attributes the explosion to “the evolution of ever-more-believable tactics” available to those who use ransomware.

This post isn’t about ransomware, as such. It’s about the nature of the crime that’s committed when someone uses ransomware.

The use of the term “ransom” inferentially indicates that the crime being committed is kidnapping. Wikipedia’s definition of ransomware makes that interpretation of the crime explicit when it says ransomware is used to “hold hostage” a computer or data until the owner pays up . . . i.e., pays a “ransom.”

The use of the term ransom and the tendency to at least implicitly equate what goes on when a computer is incapacitated until the owner pays money has always bothered me because I thought it was based on a misinterpretation – or maybe a misapplication -- of the concepts of “kidnapping” and “ransom.” I am, of course, speaking as a lawyer, and lawyers are trained to be precise in terms of the concepts and language we use. I spoke on cyberthreats at an Infragard meeting last year, outlining the differences between crime, terrorism and war and between cybercrime, cyberterrorism and cyberwarfare; at one point, a member of the audience said something like, “You lawyers certainly have a lot of boxes”, which I thought was a very good comment.

We do have a lot of boxes, and if law is to make any sense, the boxes must be distinct and must each have a specific, dedicated purpose. There are many reasons for that, perhaps the most important of which is that the law must be knowable, i.e., must be publicized and be clear enough that the average person can understand what is, and is not, illegal. It’s not enough to say someone knew what they were doing was “wrong;” it’s a basic precept of criminal law that you must have known that what you were doing was a crime, which implicitly indicates that you had to know what kind of crime it was. Now, I don’t mean to say that when someone kills another person they must, prior to the killing, have consciously thought, “I’m about to commit second-degree manslaughter.” That’s not what we require; what we require is the more generalized knowledge that what you’re about to do constitutes taking the life of another human being which is a crime under the law where you live. Basically, you have to know you’re committing homicide; you don’t have to know the precise degree and type of homicide.

Getting back to the use of ransomware, the tendency to equate seizing a computer or data and holding it until the victim pays up with kidnapping and the payment of ransom always bothered me because I didn’t think you could kidnap property. Now, when I say it “bothered” me, I don’t mean I stressed out about it; I mean it was one of those subtle, nagging bothers you get sometimes but don’t ever really do anything about.

I finally decided to address this particular subtle, nagging bother so I did some research into the law of kidnapping and ransom. I found, as I suspected I would, that the crime of kidnapping has for millennia been defined as “the forcible abduction or stealing away of Man, woman, or child”. William Blackstone, Commentaries on the Laws of England, Volume IV page 219. If you check out Blackstone’s comments on kidnapping, you’ll see that he cites the Bible for the proposition that kidnapping used to be a capital crime.

I also consulted more contemporary resources. Ernest Alix’s book Ransom Kidnapping In America, 1876-1974 (Southern Illinois University Press 1978) says the “legal basis of kidnapping is the taking . . . of a person against his will and without lawful authority.” Ransom Kidnapping at page xvi. (If you’re interested, he developed a typology of kidnapping that divides it into 15 different categories, which is pretty amazing.)

I checked treatises on criminal law and came up with the same result – kidnapping, as its name implies, is abducting someone without lawful authority and usually for the purposes of demanding payment for their return. If you’re like me, you might wonder why it’s called “kidnapping” . . . since I, for one, tend to equate “kid” with either a child or a small goat, either of which seems a peculiar linguistic driver for identifying a crime that involves abducting people. I finally found a site that explains why it’s called “kidnapping” (it apparently began as the abduction of children, and the name stuck as it evolved into abducting adults, as well).

Getting back to the law, the Model Penal Code (which, as I’ve noted before, is an influential template that defines traditional crimes) defines kidnapping as follows:

A person is guilty of kidnapping if he unlawfully removes another from his place of residence or business, or a substantial distance from the vicinity where he is found, or if he unlawfully confines another for a substantial period in a place of isolation, . . . to hold [the person] for ransom or reward. . . .

Model Penal Code § 212.1. I did a quick check of U.S. state kidnapping statutes, and they all seem to define the crime as involving the abduction of a person and holding that person for ransom. California’s statute, for example, defines kidnapping as follows:

Any person who seizes, confines, inveigles, entices, decoys, abducts, . . . or carries away another person by any means whatsoever with intent to hold or detain, or who holds or detains, that person for ransom. . . is guilty of a felony.

California Penal Code § 209(a). I didn’t find any state statute that defines kidnapping in terms of abducting or detaining property in order to obtain a ransom; and I couldn’t find any reported cases that do this, either. I checked treatises on criminal law and legal encyclopedias – like Corpus Juris Secundum -- and still couldn’t find any mention of holding property for ransom as constituting kidnapping.

It seems pretty clear, then, that the terms “kidnapping” and “ransom” only apply when a human being has been abducted and/or is being detained without lawful authority until someone gives the kidnappers money or property to induce them to let the victim go. And that brings us back to ransomware.

I’m not, obviously, saying that what happens when a computer or computer data is effectively abducted and held incommunicado until the owner pays up isn’t a crime. Of course it is (or should be). The question is, “What crime is being committed?”

I think it’s extortion. As I explained in an earlier post, extortion is a kind of theft, but instead of taking the person’s property without their consent the extortionist forces them to hand it over voluntarily by threatening . . . something. The Model Penal Code defines extortion primarily in terms of “threatening to inflict bodily injury on anyone”, though it does include other alternatives, one of which might encompass threatening to damage or simply withhold property. Model Penal Code § 223.4(1).

I found a number of state statutes that define extortion in terms of threatening to damage someone else’s property in order to get them to give you money or some other valuable item. Arizona defines extortion as “knowingly obtaining or seeking to obtain property or services by means of a threat to . . . [c]ause damage to property.” Arizona Revised Statutes § 13-1804(A)(3). (The statute also defines extortion as threatening to injure a person, as well as to engage in other conduct.) And Colorado defines it as making a “threat to confine or restrain . . . or damage the property . . . of, the threatened person or another person”. Colorado Revised Statutes § 18-3-207(1)(a). Other states have similar statutes. And federal courts have held that the basic federal extortion statute – 18 U.S. Code § 1951 – encompasses threats to damage someone’s property. U.S. v. Unthank, 109 F.3d 1205 (U.S. Court of Appeals for the Seventh Circuit 1997).

It seems, then, that “ransomware” should really be called “extortionware.” I notice that stories talking about ransomware often refer to the perpetrator’s “extorting” money from the victim, so maybe everyone implicitly realizes that it’s about extortion, not kidnapping.

The only possible glitch I can see in terms of applying extortion statutes that encompass threats to damage property to the use of ransomware is the issue as to whether they’re actually threatening to “damage property.” I can see an argument that since they’re not threatening to cause physical damage to physical property, these statutes don’t apply to the use of ransomware (a/k/a extortionware). It might, then, be a good idea for states and the federal government (and any countries that define extortion in a fashion similar to the way it’s defined in the U.S.) to consider revising their statutes so they clearly encompass this kind of activity.

We could, instead, create a specific “computer extortion statute” to encompass the use of ransomware, but I, for one, don’t think we need to do that. As I’ve argued here before, I think the best approach to the emerging varieties of computer crime is to bring them within existing offenses whenever possible. Aside from anything else, that means we can use established law and precedent in deciding when charges are appropriate and if and when they’ve been proven beyond a reasonable doubt.


David Schwartz said...

I disagree.

I think 'ransomware' is perfect. 'Ransom' is defined as compensation demanded to return a person or property. (You are correct that it's not kidnapping, but kidnappers are not the only people who may demand a ransom.)

Property is 'held for ransom' if it has been taken from its rightful owners and money is demanded to return it.

I believe 'extortion' is inappropriate because nothing is threatened. There is nothing that will be done if payment is not made.

Extortion requires you to be threatening to do something that will cause harm and demand a payment not to do it. Demanding a payment to do something the victim wants you to do is not extortion.

Digital Trust said...

The harm expressed by withholding data is naturally harm to the entity from denial of access to their information. If we ransom your medical records, do you think that would be harmful? How about your tax records? Withholding data for a ransom is a natural extension of extortion. IANAL.

Flash Papers said...

It's great to see good information being shared.