The European Commission is apparently considering the promulgation and adoption of a directive that would, at least in part, criminalize botnets. As I understand it, the premise behind adopting such a directive is that since botnets are capable of inflicting “harm” on a large scale, we need to separately criminalize them. I decided to examine the need for and utility of such legislation in this post.
Before I get to the botnet issue, I should, perhaps, note a few things about the European Commission. As Wikipedia explains, it is the “executive body of the European Union. The body is responsible for proposing legislation, implementing decisions, upholding the Union’s treaties and the general day-to-day running of the Union.” The European Union (EU), of course, is an
economic and political union of 27 member states which are located primarily in Europe. Committed to regional integration, the EU was established by the Treaty of Maastricht in 1993. . . . [and has] over 500 million citizens. . . .
The EU has developed a single market through a standardised system of laws which apply in all member states. . . . It enacts legislation in justice and home affairs. . . .
You can read more about how the European Commission functions in the Wikipedia entry for the Commission. That entry notes that the Commission “[r]ecently . . . moved into creating European criminal law” which, of course, is why we’re going to analyze the botnet legislation it might draft and enact. (You can read about the processes by which the Commission drafts, adopts and enforces criminal legislation in the Wikipedia entry.)
Let’s get back to botnets. I assume everyone knows what a botnet is, but if not, you can check out Wikipedia’s entry on the topic. As Wikipedia notes, “the term ‘botnet’ . . . is . . . used to refer to a collection of compromised computers (called zombie computers) running” software that was surreptitiously installed without the computer owner’s knowledge and consent. The botnet software gives the person who created and/or controls the botnet the ability to direct the zombies to engage in various activities, such as launching a denial of service attack on a given target. Botnet-based denial of service attacks can be devastating, as Myanmar discovered this year and Estonia discovered in 2007.
Enough preface. We’ll assume, for the purposes of analysis, that botnets are capable of inflicting “harms” that are serious enough they can justify “criminalizing botnets.” I don’t want to focus on the justifications for taking such a step. I want to focus on (i) how we might go about criminalizing botnets and botnet attacks and (ii) whether such a step would appreciably add to the criminal law’s ability to deal with this type of cybercrime.
I always tell my students it’s easy to write new criminal laws . . . you just decide what you want to outlaw and draft a statute, throwing in some level of mens rea, articulating what the culpable conduct and/or result is/are and maybe including some penalties. I should note that, with regard to conduct and/or result, some criminal statutes are “result” crimes (like homicide . . . the crime consists of causing the death of another human being, so homicide statutes target achieving a prohibited result, i.e., another’s death) and others are conduct crimes (like speeding . . . to use a rather trivial example). So we’d have to decide if we want to structure a botnet statute as targeting a particular result (which might be the creation of a botnet, maybe a botnet of a given minimum size, or the use of a botnet to inflict “harm”) or conduct (which could be the conduct involved in creating a botnet, either any botnet or one that exhibits certain characteristics, such as a minimum size or a capacity for inflicting “harm” of a given magnitude).
That might sound like a daunting task . . . but the state of Texas has been kind enough to tackle it . . . in a sense, thereby giving us some guidance in how to proceed. Section 324.055 of the Texas Business and Commerce Code provides as follows:
(b) A person who is not the owner or operator of the computer may not knowingly cause or offer to cause a computer to become a zombie or part of a botnet.
(c) A person may not knowingly create, have created, use, or offer to use a zombie or botnet to:
Texas Business and Commerce Code § 324.055(b)-(d). Section (a) of the statute defines the terms “person” and “Internet service provider” . . . since the definitions are pretty routine, I won’t quote them. Section 324.002 of the Texas Business and Commerce Code defines two specialized terms that are integral elements of the statute quoted above:
(9) ‘Zombie’ means a computer that, without the knowledge and consent of the computer's owner or operator, has been compromised to give access or control to a program or person other than the computer's owner or operator.
The substantive and definitional provisions of the Texas botnet statutes are pretty straightforward, as you can see. What I find interesting is that they aren’t part of a criminal statute. As I noted earlier, these sections are part of the Business and Commerce Code; what I didn’t note is that § 324.055 allows the imposition of civil liability on someone who violates these provisions. More precisely, § 324.055(e) provides as follows:
The following persons may bring a civil action against a person who violates this section:
The person bringing such a suit can seek an injunction against the bot herder and/or (i) actual damages resulting from the violation or (ii) “$100,000 for each zombie used to commit the violation”. Texas Business and Commerce Code § 324.055(f).
I really don’t understand the logic of drafting and adopting a statute that prohibits creating and/or using a botnet and then leaves the enforcement of the statute to civil litigants. I’m not at all sure that’s effective. A civil litigant would either have to have enough resources to pursue such litigation without any confidence of actually recovering damages from the botnet perpetrator(s), or would have to be really, really confident that he/she/it could find the perpetrator(s), have them held liable in a civil suit and then collect the damages awarded in that suit from the defendant(s). Bot herders are routinely anonymous, located in other jurisdictions and judgment-proof, so I’m afraid I don’t think either of those conditions is likely to be met, at least not often enough to make this approach an effective way to create real disincentives for creating and using botnets.
What about criminal liability . . . what about using the basic prohibitional and definitional structure in the Texas statute but making the proscribed activity a crime, instead of the basis of a civil cause of action? Well, on the one hand I think criminal liability is likely, as a general matter, to be a more effective way to create disincentives for such conduct than civil liability.
On the other hand, I’m not sure what a botnet-specific criminal statute (or statutes) would add to the tools law enforcement already has. As I explained in an article I published almost ten years ago, I think the best approach to cybercrime statutes is a parsimonious one that only creates new crimes if and when a new offense is needed.
I also think we want to avoid relying on statutes that are too technologically specific, which is another concern I have about the Texas statutes. They specifically target botnets composed of zombie computers, which reflects the empirical state of the problem at this point in time . . . but the technology may evolve so that these terms and, indeed, this approach, are no longer particularly effective.
I think the approach used in 18 U.S. Code § 1030(a)(5)(A) is much better. Section 1030(a)(5)(A), as you may know, makes it a federal crime to knowingly cause “the transmission of a program, information, code, or command, and as a result of such conduct, intentionally” cause damage “without authorization, to a protected computer.” “Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S. Code § 1030(e)(8).
The deceptively simple § 1030(a)(5)(A) can be used to prosecute both the dissemination of malware and botnet-predicated denial of service attacks. It was, in fact, used in the 2006 prosecution of Christopher Maxwell for his role in a botnet-based denial of service attack (or attacks) that targeted a hospital and other entities.
I think a general, essentially technologically neutral statute like § 1030(a)(5)(A) is quite adequate to prosecute the two substantive crimes that are predicated on botnets: One crime is creating a botnet; the other is using it. Section 1030(a)(5)(A) criminalizes the use of a botnet. A related statute – 18 U.S. Code § 1030(b) – makes it a crime to attempt to commit the § 1030(a)(5)(A) offense; it seems to me that, at least in most circumstances, creating a botnet could be prosecuted as attempting to commit the § 1030(a)(5)(A) crime, i.e., attempting to use a botnet to cause “damage” to a computer. (Whether particular conduct had gone far enough to actually constitute such an attempt would, of course, be a factual issue that would have to be resolved in specific cases.)
Bottom line: I certainly don’t see anything wrong with criminalizing the use of botnets to inflict “harms” of a type that falls within the concern of the criminal law. I’m not, however, at all sure that the best way to do this is to create botnet-specific criminal statutes.