First published: 31st January 2008
Japanese Police have arrested three men in a case involving the creation and distribution of malware called Harada in the Japanese media. Harada is thought to be related to the Pirlames Trojan horse. The malware displays images of popular anime characters while deleting MP3 and movie files. However, reports indicate that the three are being charged, not with the destruction of data, but with copyright violation for using the anime images, due to a lack of "applicable cybercrime laws"!
However, this does not match with other information about cybercrime law in Japan. In most jurisdictions, including Hong Kong, specifically writing a virus is not illegal. It would be crazy to make such a law: the formal definition of a computer virus covers far too much, to take an ancient example, a bootable DOS disc with the diskcopy.exe program is a functional computer virus - should we arrest Bill Gates for writing DOS? This makes Graham Cluley's remark about this case, "It isn't illegal to write viruses in Japan," odd, does Mr Cluley think a law that would make many ordinary programmers into criminals is advisable? Instead, good laws usually refer to intent and damage. In Hong Kong, intentionally making unauthorised changes to programs or data is categorised as criminal damage. This makes spreading a computer virus illegal (it modifies other programs), and also covers the intentional damage to data caused by Harada.
Does Japan have a law that could be applied? Speaking at the 2004 AVAR Conference in Tokyo, Takashi Garcia SATO, Assistant Director, Superintendent, Cybercrime Division of the National Police Agency, Japan, gave statistics for three types of cybercrime in Japan: unauthorised computer access, crime against computer / data and internet crime. As a specific example of a crime against computer / data, he reported the 2004 March, Hyogo case where a criminal deleted hospital's data including 500 patients' name, address and disease name and obstructed business of the hospital because he received a caution in the hospital and got angry.
Both the Hyogo case and the current Harada case feature the intentional destruction of data without a clear profit motive, so it would appear that Japan does have an applicable law. However, it may be that the specific wording of the law makes it difficult to be applied where the damage is intermediated by malware. It would be interesting to hear more.
Updated: 25th January 2008
Graham Cluley has clarified that his quote was poorly crafted if it's suggestion that he thinks making virus-writing illegal is a good idea, and it's better to get the bad guys with the usual data
destruction / unauthorised access laws. The Sophos website has been updated.