Tuesday, November 23, 2010

Outlawing Botnets

The European Commission is apparently considering the promulgation and adoption of a directive that would, at least in part, criminalize botnets. As I understand it, the premise behind adopting such a directive is that since botnets are capable of inflicting “harm” on a large scale, we need to separately criminalize them. I decided to examine the need for and utility of such legislation in this post.

Before I get to the botnet issue, I should, perhaps, note a few things about the European Commission. As Wikipedia explains, it is the “executive body of the European Union. The body is responsible for proposing legislation, implementing decisions, upholding the Union’s treaties and the general day-to-day running of the Union.” The European Union (EU), of course, is an

economic and political union of 27 member states which are located primarily in Europe. Committed to regional integration, the EU was established by the Treaty of Maastricht in 1993. . . . [and has] over 500 million citizens. . . .

The EU has developed a single market through a standardised system of laws which apply in all member states. . . . It enacts legislation in justice and home affairs. . . .

You can read more about how the European Commission functions in the Wikipedia entry for the Commission. That entry notes that the Commission “[r]ecently . . . moved into creating European criminal law” which, of course, is why we’re going to analyze the botnet legislation it might draft and enact. (You can read about the processes by which the Commission drafts, adopts and enforces criminal legislation in the Wikipedia entry.)

Let’s get back to botnets. I assume everyone knows what a botnet is, but if not, you can check out Wikipedia’s entry on the topic. As Wikipedia notes, “the term ‘botnet’ . . . is . . . used to refer to a collection of compromised computers (called zombie computers) running” software that was surreptitiously installed without the computer owner’s knowledge and consent. The botnet software gives the person who created and/or controls the botnet the ability to direct the zombies to engage in various activities, such as launching a denial of service attack on a given target. Botnet-based denial of service attacks can be devastating, as Myanmar discovered this year and Estonia discovered in 2007.

Enough preface. We’ll assume, for the purposes of analysis, that botnets are capable of inflicting “harms” that are serious enough they can justify “criminalizing botnets.” I don’t want to focus on the justifications for taking such a step. I want to focus on (i) how we might go about criminalizing botnets and botnet attacks and (ii) whether such a step would appreciably add to the criminal law’s ability to deal with this type of cybercrime.

I always tell my students it’s easy to write new criminal laws . . . you just decide what you want to outlaw and draft a statute, throwing in some level of mens rea, articulating what the culpable conduct and/or result is/are and maybe including some penalties. I should note that, with regard to conduct and/or result, some criminal statutes are “result” crimes (like homicide . . . the crime consists of causing the death of another human being, so homicide statutes target achieving a prohibited result, i.e., another’s death) and others are conduct crimes (like speeding . . . to use a rather trivial example). So we’d have to decide if we want to structure a botnet statute as targeting a particular result (which might be the creation of a botnet, maybe a botnet of a given minimum size, or the use of a botnet to inflict “harm”) or conduct (which could be the conduct involved in creating a botnet, either any botnet or one that exhibits certain characteristics, such as a minimal size or capacity for inflicting “harm” of a given magnitude).

That might sound like a daunting task . . . but the state of Texas has been kind enough to tackle it . . . in a sense, thereby giving us some guidance in how to proceed. Section 324.055 of the Texas Business and Commerce Code provides as follows:

(b) A person who is not the owner or operator of the computer may not knowingly cause or offer to cause a computer to become a zombie or part of a botnet.

(c) A person may not knowingly create, have created, use, or offer to use a zombie or botnet to:

(1) send an unsolicited commercial electronic mail message . . .;

(2) send a signal to a computer system or network that causes a loss of service to users;

(3) send data from a computer without authorization by the owner or operator of the computer;

(4) forward computer software designed to damage or disrupt another computer or system;

(5) collect personally identifiable information; or

(6) perform an act for another purpose not authorized by the owner or operator of the computer.

(d) A person may not:

(1) purchase, rent, or otherwise gain control of a zombie or botnet created by another person; or

(2) sell, lease, offer for sale or lease, or otherwise provide to another person access to or use of a zombie or botnet.

Texas Business and Commerce Code § 324.055(b)-(d). Section (a) of the statute defines the terms “person” and “Internet service provider” . . . since the definitions are pretty routine, I won’t quote them. Section 324.002 of the Texas Business and Commerce Code defines two specialized terms that are integral elements of the statute quoted above:

(1-a) ‘Botnet’ means a collection of two or more zombies. . . .

(9) ‘Zombie’ means a computer that, without the knowledge and consent of the computer's owner or operator, has been compromised to give access or control to a program or person other than the computer's owner or operator.

The substantive and definitional provisions of the Texas botnet statutes are pretty straightforward, as you can see. What I find interesting is that they aren’t part of a criminal statute. As I noted earlier, these sections are part of the Business and Commerce Code; what I didn’t note is that § 324.055 allows the imposition of civil liability on someone who violates these provisions. More precisely, § 324.055(e) provides as follows:

The following persons may bring a civil action against a person who violates this section:

(1) a person who is acting as an Internet service provider and whose network is used to commit a violation under this section; or

(2) a person who has incurred a loss or disruption of the conduct of the person's business, including for-profit or not-for-profit activities, as a result of the violation.

The person bringing such a suit can seek an injunction against the bot herder and/or (i) actual damages resulting from the violation or (ii) “$100,000 for each zombie used to commit the violation”. Texas Business and Commerce Code § 324.055(f).

I really don’t understand the logic of drafting and adopting a statute that prohibits creating and/or using a botnet and then leaves the enforcement of the statute to civil litigants. I’m not at all sure that’s effective . . . since a civil litigant would either have to have enough resources to be able to pursue such litigation without any confidence that he/she/it would actually recover damages from the botnet perpetrator(s) or would have to be really, really confident that he/she/it could find the perpetrator(s), have him/her/it held liable in a civil suit and then collect the damages awarded in that suit from the defendant(s). I’m afraid I don’t think either of those conditions is likely to be met, at least not often enough to make this approach an effective way to create real disincentives for creating and using botnets.

What about criminal liability . . . what about using the basic prohibitional and definitional structure in the Texas statute but making the proscribed activity a crime, instead of the basis of a civil cause of action? Well, on the one hand I think criminal liability is likely, as a general matter, to be a more effective way to create disincentives for such conduct than civil liability.

On the other hand, I’m not sure what a botnet-specific criminal statute (or statutes) would add to the tools law enforcement already has. As I explained in an article I published almost ten years ago, I think the best approach to cybercrime statutes is a parsimonious one that only creates new crimes if and when a new offense is needed.

I also think we want to avoid relying on statutes that are too technologically-specific, which is another concern I have about the Texas statutes. They specifically target botnets composed of zombie computers, which reflects the empirical state of the problem at this point in time . . . but the technology may evolve so that these terms and, indeed, this approach, is no longer particularly effective.

I think the approach used in 18 U.S. Code § 1030(a)(5)(A) is much better. Section 1030(a)(5)(A), as you may know, makes it a federal crime to knowingly cause “the transmission of a program, information, code, or command, and as a result of such conduct, intentionally” cause damage to a computer. “Damage” is later defined as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S. Code § 1030(e)(8).

The deceptively simple § 1030(a)(5)(A) can be used to prosecute both the dissemination of malware and botnet-predicated denial of service attacks. It was, in fact, used in the 2006 prosecution of Christopher Maxwell for his role in a botnet-based denial of service attack (or attacks) that targeted a hospital and other entities.

I think a general, essentially technologically-neutral statute like § 1030(a)(5)(A) is quite adequate to prosecute the two substantive crimes that are predicated on botnets: one crime is creating a botnet; the other is using it. Section 1030(a)(5)(A) criminalizes the use of a botnet. A related statute, 18 U.S. Code § 1030(b), makes it a crime to attempt to commit the § 1030(a)(5)(A) offense; it seems to me that, at least in most circumstances, creating a botnet could be prosecuted as attempting to commit the § 1030(a)(5)(A) crime, i.e., attempting to use a botnet to cause “damage” to a computer. (Whether particular conduct had gone far enough to actually constitute such an attempt would, of course, be a factual issue that would have to be resolved in specific cases.)

Bottom line: I certainly don’t see anything wrong with criminalizing the use of botnets to inflict “harms” of a type that falls within the concern of the criminal law. I’m not, however, at all sure that the best way to do this is to create botnet-specific criminal statutes.


Eric FREYSSINET said...

Hello! As you know, a directive is not per se a "law" but a direction given to EU countries, which would then implement it in their legislation.

France, for instance, would (I guess) confirm to the EC that our current legislation already covers 90% of the directive and maybe add one or two pieces of text if needed.


Eric Freyssinet

JJ Oerlemans said...

In article 10 of the proposed Directive, aggravating circumstances are created. When botnets are used when committing crimes like hacking or adding malware to a computer, the penalty is at least 5 years according to article 10(2). It is formulated as follows: "when committed through the use of a tool designed to launch attacks affecting a significant number of information systems, or attacks causing considerable damage, such as disrupted system services, financial cost or loss of personal data."

So no specific article for the criminalization of botnets is created; the use of botnets is rather an aggravating circumstance when committing other computer crimes. Since the effect of botnets can be so great, I can understand why they want to create higher penalties for this.

Of course the problem you address, that it is difficult to formulate the penalization of botnets, still exists. It is too bad that in the Directive it is not clear what a 'significant number of information systems' exactly is and what 'considerable damage' is.

The criminalization is also unnecessary. When using a botnet, many other (computer) crimes could be committed. For example, in Dutch legislation, specific crimes with higher penalties exist for sabotaging governmental or essential infrastructure (by hacking, (d)dos-attacks, etc.). This could be done by using a botnet. When enacted, it does, however, raise some penalties for crimes in the Netherlands, because it is formulated more broadly.

What's really interesting about the European proposal, though, is that, when accepted and enacted, the European Commission creates criminal laws for all the Member States and is able to enforce this legislation. Criminal law used to be something the European Union had nothing to do with; Member States decided what to criminalize and with which penalties. Since the Treaty of Lisbon, the EU can also harmonize laws on criminal law (and not just laws which have to do with economics). With Directives, the European Commission can make sure the laws are properly enacted and, if not, it can punish a Member State.

I think it is great you wrote about this new proposal and your blog is very interesting!

J.J. Oerlemans (PhD Student Leiden University)