Accordingly, from the point of view of the law, programs that are installed without notifying users and/or perform actions that are not reflected in the documentation are classified as malicious from the point of view of the law.

"I System Administrator, I install RAdmin over the network for everyone - am I going to go to court?

Installing programs without notification is a fairly common occurrence in companies and organizations. Therefore, it is advisable to work out this question, approve the list of software used and include consent for its remote installation in documents signed by company employees. To avoid.

“Oh, I spread a virus across the network!”

Let's start with the funniest quote:

Under use malware their application is understood ( by any person), which activates their harmful properties.

Above I promised to look at examples of discrepancies. The law does not use the word “knowingly” very well. The phrase "distribution... computer programs..., obviously intended” can be read in two ways. Let's imagine a situation where a user or company administrator spreads a malicious program over the network. If we imagine that “knowingly” refers to malicious programs, then any unintentional distribution of a known malicious program is not good from the point of view of the law. And here the differences in approach in the first and second parts of the article play a role. Let us remind you that “Acts provided for in part one of this article committed... by a person using his official position... are punished." There is no clarification that the actions were committed unintentionally - no!

WITH subjective side the crime provided for in Part 1 of the commented article can only be committed with direct intent, since this article determines that the creation of malicious programs, known to the creator of the program, should lead to unauthorized destruction, blocking, modification or copying of information, disruption of the operation of the computer.
The use or distribution of malicious programs can also only be carried out intentionally, since in accordance with Part 2 of Art. 24 of the Criminal Code, an act committed through negligence is recognized as a crime only if it is specifically provided for by the relevant article of the Special Part of the Criminal Code.
Part 2 of the commented article, in contrast to part 1, provides for the occurrence of grave consequences due to negligence as a qualifying feature.

Another opinion on part 2:

The content of these qualifying features corresponds to the content of similar features of previously considered crimes

Another:

From the subjective side, a crime can be committed both through negligence in the form of frivolity, and with indirect intent in the form of an indifferent attitude towards possible consequences. When direct intent is established in the actions of the perpetrator, the crime is subject to qualification depending on the goal that the perpetrator set for himself, and when the consequences that he sought to achieve occurred - and depending on the consequences that occurred. In this case, the actions provided for in Art. 273 of the Criminal Code turn out to be only a way to achieve the goal. Perfect deed subject to qualification based on the totality of crimes committed.

Funny opinion by the way:

The development of malware is available only to qualified programmers who, by virtue of their vocational training must anticipate possible consequences use of these programs.

In accordance with Article 274 of the Criminal Code of the Russian Federation, criminal liability arises for violation of the rules for operating means of storage, processing or transfer computer information and information and telecommunication networks.

“I only launched it for myself!”

Another place where interpretations differ. In most interpretations, it is believed that there is no difference for oneself or not:

The crime in question will be completed from the moment of creation, use or distribution of such programs or information that create a threat of the consequences specified in the law, regardless of whether these consequences actually occurred or not. At the same time, the offender must be aware that the programs he creates or uses will obviously lead to the socially dangerous consequences specified in the law. The motive and purpose do not affect the qualification of the crime.

The answer I think is obvious.

True, the same interpretation makes leniency for shots in the leg:

However, using a malicious computer program for personal needs (for example, to destroy your own computer information) is not punishable.

“I’m not spreading the virus, I posted it on Github for general information and that’s it”

Distribution of programs is the provision of access to the reproduced version in any material form computer program, including through network and other means, as well as by selling, renting, leasing, lending for any of these purposes. One of the most typical ways to spread malware is to place it on various sites and pages of the Internet information and telecommunications network.

Thus, any publication is already distribution. Naturally, the question immediately arises about publishing exploits demonstrating vulnerability. From a legal point of view, this is not good. It is possible to recommend publication with changes that make the code inoperable - but whether the court will accept this as an argument is not known.

“Yes, I didn’t even compile, I just threw in the code for fun”

This composition is formal and does not require the occurrence of any consequences; criminal liability arises as a result of the creation, use or distribution of the program, regardless of whether any social consequences occurred as a result of this dangerous consequences. Within the meaning of the article being commented on, the presence of source codes of virus programs is already grounds for prosecution.
Responsibility arises for any action provided for by disposition, alternatively. For example, someone may be responsible for creating the malware, another for using it, and another for distributing the malware.

Even more fun:

The creation of programs is an activity aimed at developing and preparing programs that are capable, in their functionality, of unauthorized destruction, blocking, modification, copying of computer information or neutralizing means of protecting computer information.
Art. 273 of the Criminal Code of the Russian Federation establishes liability for illegal actions with computer programs recorded not only on machine media, but also on other media, including paper. This is due to the fact that the process of creating a computer program often begins with writing its text, followed by entering it into the computer or without it. Taking this into account, the presence of source texts of malicious computer programs is already grounds for prosecution under Art. 273 of the Criminal Code of the Russian Federation.

Of course, it’s cool to write source texts on paper, but it doesn’t change the meaning. Storing source codes, and especially malware, if you are brought to trial for some reason, is not good. Arbitrage practice on this score is clear. The presence on the computer of programs that can be classified as malicious and the ability, due to qualifications, to use them (insanity, I agree, but this is the practice) - serves as aggravating circumstances

“Yes, I’m only on the command line...”

Previously, we only talked about programs. But Article 273 also contains something else: “... distribution or use... of computer information known to be intended.” Let us remember that information is any bit on a computer.

Civil Code Russian Federation defines a computer program as “a set of data presented in an objective form and teams, intended for the operation of computers and other computer devices in order to obtain a certain result, including preparatory materials, obtained during the development of a computer program, and the audiovisual displays generated by it"

Therefore, any actions that knowingly modify, destroy, etc., fall under 273 of the Criminal Code of the Russian Federation.

Even copying malware can fall under the terms of the law

Form of commission of this crime there can only be an action expressed in the form of creating malicious programs for computers, making changes to already existing programs, as well as the use or distribution of such programs. The distribution of computer media with such programs is fully covered by the concept of “use”.

“I’m not 18 yet!”

The subject of this crime can be any sane person over 16 years of age.

"For what?"

Depending on the actions performed by the malicious program and the consequences, liability may be not only under Art. 273 of the Criminal Code of the Russian Federation. Two examples

If the creation, use or distribution of malware acts as a means of committing another intentional crime, then the act must be classified as a set of crimes. For example, in cases where malware is created or used to defeat copyright holder-installed tools personal protection computer program, liability arises under the relevant parts of Articles 146 and 273 of the Criminal Code of the Russian Federation.
In the event that the perpetrator, when using or distributing malware, deliberately destroyed or damaged computer equipment what caused significant damage victim, his behavior forms a set of crimes, provided for in articles 167 and 273 of the Criminal Code of the Russian Federation.

“I am from another country and am not subject to the laws of your country!”

Alas, this is not true. All actions of creation (including, as we remember, storage), distribution and use are subject to the Criminal Code of the Russian Federation. That is, if they take you with source code on the territory of the Russian Federation, you carry out any actions against citizens and institutions of the Russian Federation - you are subject to the laws of the Russian Federation.

Examples of criminals who ended up in US prisons are proof of this.

Whether you refuse responsibility or not, the law does not care. Law care committed actions. Whether you quit or not - the same. There are actions committed and there is responsibility for them.

LeakedSource (a leak aggregator that collected databases of VKontakte, Mail.ru, Rambler, Last.fm, Linkedin, Dropbox, Myspace and many other resources that had leaked onto the Internet and provided access to the passwords of leak victims to anyone who was willing to pay for them) argues that California laws do not apply to the company because it is based outside the United States.

“Why are there so few landings?”

As far as I personally know, the problem is not related to the desire to imprison, but to shortcomings in the procedures. Difficulties in combining small cases from various departments in one, experience in collecting evidence

Other countries. We won’t consider everything, we’ll limit ourselves to two

Kazakhstan

Article 206 of the Criminal Code of the Republic of Kazakhstan. Unlawful destruction or modification of information

1. Intentional unlawful destruction or modification of legally protected information stored on electronic media contained in the information system or transmitted over telecommunications networks, as well as entering knowingly false information into the information system, if this entailed fundamental violation rights and legitimate interests citizens or organizations or interests of society or state protected by law,...

Article 210. Creation, use or distribution of malicious computer programs and software products

1. Creating a computer program, software product or making changes to an existing program or software product for the purpose of unlawful destruction, blocking, modification, copying, use of information stored on electronic media, contained in an information system or transmitted over telecommunications networks, disruption of computer operation, subscriber device, computer program, information system or telecommunications networks, as well as intentional use and (or) distribution of such a program or software product...

Pretty much the same. But the intentionality of the actions is clearly stated; accidental distribution is not subject to punishment. But illegal actions have been added - something that in Russia is carried out under Article 274. The article does not contain a definition of information, as in the previous version of Art. 273 of the Criminal Code of the Russian Federation, which made it possible to include personal data and some other categories of data in such information.

And in the case of Kazakhstan, actions are not mandatory. Enough of inaction

Article 207. Disruption of the operation of an information system or telecommunications networks

1. Deliberate actions(inaction) aimed at disrupting the operation of an information system or telecommunications networks...

Ukraine

1. Creation using the method of using, distributing or creating, as well as distributing or creating, useless software and technical devices intended for the unauthorized insertion into work of electronic computing machines (computers), systems, computer "yuternich merezh chi merezh elektrozv" language , - is punishable by a fine of five hundred to one thousand non-compliant minimum incomes of citizens, either by proper robots on lines up to two years, or by abrogation of will on that very line.
2. Those same actions, committed again either behind the front group of people, or because they have become seriously ill, are punishable by reduction of liberty for up to five years.

The wording “Creation for the purpose of use” is unclear. Write but not check? In any case, the activities of any programs or technical means to change the operation of computers or networks. There is the word distribution - there is no clarification of whether it is intentional or not. I'm afraid that the unintentional falls under the law

Tags: Add tags

ST 273 of the Criminal Code of the Russian Federation.

1. Creation, distribution or use of computer programs or other
computer information knowingly intended for unauthorized destruction,
blocking, modifying, copying computer information or neutralizing funds
protection of computer information, -

labor for a term of up to four years, or imprisonment for the same period with a fine of up to
two hundred thousand rubles or in the amount wages or other income of the convicted person for the period up to
eighteen months.

2. Acts provided for in part one of this article, committed by a group of persons
By prior agreement or organized group or by a person using his
official position, as well as causing major damage or committed for selfish reasons
interest, -
shall be punishable by restriction of freedom for a term of up to four years, or forced
work for a period of up to five years with deprivation of the right to occupy certain positions or study
certain activities for a term of up to three years or without it, or imprisonment for a term
up to five years with a fine in the amount of one hundred thousand to two hundred thousand rubles or in the amount of wages
wages or other income of the convicted person for a period of two to three years or without it and with deprivation
the right to hold certain positions or engage in certain activities for a period of up to
three years or without it.

3. Acts, provided for in parts first or second of this article, if they entailed
grave consequences or created a threat of their occurrence, -
shall be punishable by imprisonment for a term of up to seven years.

Commentary to Art. 273 Criminal Code

1. Objective side characterized alternatively envisaged actions in a relationship special subject crimes: computer programs or other computer information knowingly intended for unauthorized destruction, blocking, modification, copying of computer information or neutralization of computer information protection measures (in common parlance, usually called viruses).

2. Creating a program or information involves any activity aimed at writing at least one copy of the program or information, either individually or jointly with other persons. When co-creating a program, a person can accept both creative participation in writing, and provide technical support written by other persons. The created program does not necessarily have to have the properties of novelty; it may be a simple repetition of the code of another program.

Distribution involves both paid and gratuitous transfer programs (information) or media containing the program (information) to other persons without signs of using the program. Distribution is also possible in the form of a one-time transfer of a program (information) or a medium with a program (information) to other persons. Distribution methods are different: using communication means (including computer networks), communication of the program code verbally or writing, copying a program (information) from one medium to another, transferring a medium with a program (information), etc.

The use of a program (information) occurs when a program is introduced into a computer or computer network, regardless of whether this entails any consequences, since the crime is completed at the time the corresponding actions are committed.

3. Special qualified personnel(Part 3) is characterized by the onset or creation real threat the occurrence of serious consequences, which include disruption of the work of enterprises, institutions, organizations; failure in work public transport, funds mass media or a real danger of disasters in transport or communications; prolonged failure of computer networks; destruction of significant or large amounts of data, etc.

Creation, use and distribution of malicious computer programs (Article 273 of the Criminal Code)

The article provides criminal liability for creating computer programs or modifying them, knowingly leading to unauthorized destruction, blocking and modification, or copying of information, disruption of operation information systems, as well as the use of such programs or machine media with such programs. The article protects the rights of the owner of a computer system to the inviolability of the information contained in it.

Under the creation of malware, Art. 273 of the Criminal Code of the Russian Federation refers to programs specially designed to disrupt the normal functioning of a computer. Normal functioning refers to the performance of the operations for which these programs are intended. The most common types of malware are the well-known computer viruses and logic bombs. This law must be read as it is written. The article itself is not about viruses, but about malware - between them one sees a big difference. A virus is just one such program.

IN modern world There are several thousand virus programs, and their number increases every year. According to some estimates, from three to eight new virus programs are created every day in the world.

The question of how to determine whether a program is malicious is very difficult, especially for a non-expert. There are a lot of malicious programs for computers. Thus, malicious software includes network worms, classic file viruses, Trojans, hacker utilities and other programs that deliberately cause harm to the computer on which they are executed.

"Network Worms"

penetration of remote computers;

launch your copy on a remote computer;

further distribution to other computers on the network.

"Classic computer viruses"

subsequent launch of your code upon any user actions;

further implementation into other computer resources.

"Trojan programs"

IN this category includes programs that carry out various actions not authorized by the user: collecting information and transmitting it to an attacker, its destruction or malicious modification, disruption of the computer, use of computer resources for unseemly purposes.

“Hacker utilities and other malware”

utilities for automating the creation of viruses, worms and Trojans (constructors);

software libraries designed to create malicious software;

hacker utilities for hiding the code of infected files from anti-virus scanning (file encryptors);

“evil jokes” that make it difficult to work with a computer;

programs that knowingly tell the user false information about your actions in the system;

other programs that in one way or another intentionally cause direct or indirect damage to this or remote computers.

At the beginning of 1997, the first cases of the creation and distribution of Trojan programs that steal access passwords to the AOL system were recorded. In 1998, with the spread of Internet services in Europe and Russia, similar Trojan programs appeared for other Internet services. Until now, Trojans that steal dial-up passwords, AOL passwords, and access codes for other services make up a significant portion of the daily “receipts” in the laboratories of antivirus companies around the world.

Trojans of this type, like viruses, are usually created by young people who do not have the means to pay for Internet services. It is characteristic that as Internet services become cheaper, the specific number of such Trojan programs decreases.

Petty thieves also create other types of Trojan programs: those that steal registration data and key files various software products (often online games) that use the resources of infected computers in the interests of their “owner”, etc.

To bring to justice under Art. 273. It is not necessary that there be any negative consequences for the owner of the information; the very fact of creating programs or making changes to existing programs, which obviously lead to negative consequences listed in the article. The use of the program means publication, reproduction, distribution and other actions to put them into circulation. Use can be carried out by writing to the computer memory, on material carrier, distribution over networks, or through other transmission to others.

Criminal liability under this article arises as a result of the creation of a program, regardless of whether this program was used or not. Within the meaning of Art. 273 the presence of source codes of malicious programs is already grounds for prosecution. It should be borne in mind that in some cases the use of such programs will not be criminally punishable. This applies to the activities of organizations developing anti-virus programs and having the appropriate license.

This article consists of two parts that differ from each other in terms of the attitude of the criminal to the actions performed. Crime, provided for by part 1 tbsp. 273, can only be committed intentionally, with the knowledge that the creation, use or distribution of malicious programs must obviously lead to a violation of the integrity of information. Moreover, goals and motives do not affect the qualification of an encroachment under this article, therefore the noblest motives (the fight for the environmental purity of the planet) do not exclude responsibility for in itself criminal act. The maximum punishment for the offender in this case will be imprisonment for up to three years.

Part two art. 273, as an additional qualifying feature, provides for the occurrence of grave consequences due to negligence. When committing a crime under Part 2 of this article, a person is aware that he is creating a malicious program, using or distributing such a program or its media, and either foresees the possibility of grave consequences, but without sufficient grounds for this, arrogantly hopes to prevent them, or does not foresees these consequences, although with the necessary care and forethought he should and could have foreseen them. This norm is logical, since the development of malicious programs is available only to qualified programmers who, due to their professional training, must foresee the potential consequences of using these programs, which can be very diverse: human death, harm to health, the occurrence of real danger military or other disaster, disruption of the functioning transport systems. Under this part, the court may order maximum punishment in the form of seven years' imprisonment.

In the field of using computer information, the most dangerous acts include the creation, use, and distribution of malicious information or programs. Responsibility for this crime is fixed in Article 272 of the Criminal Code of the Russian Federation. 273, 274 the norms of the Code can be called related to it by the object of the crime. In all these acts they are social relations aimed at ensuring safe use technical devices, software and computer information. Let's consider further Art. 273 of the Criminal Code of the Russian Federation with comments experts.

Objective side

It is expressed in:

• creation of computer programs or other computer information, the use of which is aimed at unauthorized destruction, blocking, modification, copying of data or neutralization of means of their protection;
• use of specified programs or information;
• distribution of malicious computer materials.

Computer program

It should be understood as an objective form of providing a set of commands and data intended for the operation of computers and other computer devices in order to obtain certain results.

A computer program that is deliberately intended for unauthorized destruction, modification, blocking, copying of information, as well as to neutralize security measures, a specially created (written) program, is called malicious. Upon gaining control, it is capable of performing actions that are not authorized by the user and causing damage as a result.

Computer virus

He is considered the most dangerous looking programs. A computer virus can multiply, attach itself to other programs, and perform various unwanted actions. It can corrupt directories, distort files, calculation results, erase memory, disrupt the normal operation of the computer, display extraneous messages on the screen, etc.

Historical reference

The term "computer virus" began to be used in the early 1980s. It was introduced into use by Professor F. Cohen. There is a known case when a virus created by student Morris infected and disabled more than a thousand computers, including those of the US Department of Defense.

Malicious programs began to spread in all countries of the world, including Russia. Thus, one of the employees of the Togliatti machine-building plant made changes to computer system, as a result of which the conveyor stopped for 6 hours, and the plant suffered significant material losses.

Creation of a virus

Creation is one of illegal actions specified in disposition 273 of the Criminal Code of the Russian Federation. Creation should be understood as a set of actions, including the preparation of initial information intended to control certain components of the information processing system for their destruction, modification, blocking or copying, violation normal operation network or computer devices.

Use of malware

It is understood as the direct release of the virus, reproduction, distribution and other operations aimed at introducing it into circulation in a modified form, including for the commission of a crime provided for 273 article of the Criminal Code of the Russian Federation. Example Using malware is installing it on your computer.

Spread of the virus

It consists of deliberately providing access to a program reproduced in any form. This can be direct introduction to the network, sale, provision for use or loan, import. For example, Article 273 of the Criminal Code of the Russian Federation covers actions committed by the offender on someone else’s computer, the use of floppy disks with malware, and copying to disk. Distribution can also be carried out via the Internet.

Important point

It should be taken into account that the actions given in the dispositions 273, 272 articles of the Criminal Code of the Russian Federation, are always active. It is impossible to commit crimes by inaction.

Actions provided for Article 273, art. 272 of the Criminal Code of the Russian Federation, should then be considered criminal when they objectively create the danger of unauthorized blocking, destruction, modification or copying of information, disruption of the functioning of computer devices and their networks.

will not be considered criminal actions the person who created the malware, if only single characters (stroke, dot, etc.) are displayed on the screen when it is used. If the virus does not pose a danger to the owner (owner) of the data and cannot objectively lead to the consequences specified in Article 273 of the Criminal Code of the Russian Federation, the actions can be regarded as insignificant.

Features of the composition

Its design is defined as formal. For liability under Article 273 of the Criminal Code of the Russian Federation it is necessary to have consequences expressed in the destruction, modification, copying, blocking of data, disruption of the functioning of computer devices. To qualify, there must be at least one proven fact of committing any action specified in the norm.

Specifics of legal assessment of the crime

If the distribution, creation, or use of a malicious program is a method of committing another deliberate illegal act, then the actions of the perpetrator are classified as a set of crimes. This rule is used, in particular, in cases where a virus is created or used to defeat protection measures installed by the copyright holder. In such situations, liability will arise under Articles 273 and 146 of the Code.

Subjective aspect

Any sane individual over the age of 16 can be held accountable.

The subjective side of the act is expressed in the presence of direct intent. The subject understands that he creates malware or computer information capable of destroying, blocking, copying, modifying data, disrupting the normal functioning of a computer device, or using/distributing a virus, is aware of the consequences of this, but desires their occurrence.

The corresponding conclusions follow from the content of the norm, which contains a clear indication of the knowledge of the person’s actions. This fact in itself excludes the likelihood of committing an act with indirect intent or negligence.

The goals and motives of the subject are not considered as required elements composition. They may, however, be taken into account when sentencing.

If an entity, having used or distributed malware, intentionally destroyed/damaged computer devices, which resulted in significant damage, the behavior of the perpetrator is qualified under the totality of Articles 273 and 167 of the Code.

Qualifying compositions

Part 2 of Article 273 of the Criminal Code of the Russian Federation provides for punishment for an act that was committed as part of a group of persons, an organized group, or by a citizen who used his official position, and also that resulted in major harm or was committed from selfish interest. In these cases, the circle of subjects is expanded. Anyone can be held liable executive who used his authority to commit an act.

Part 3 establishes a particularly qualifying feature. In this case, those responsible for creating, distributing or using malicious software to block, copy, destroy, modify data, neutralize protective equipment if these actions caused serious consequences or created a threat of their occurrence.

1. Unauthorized access to legally protected computer information, that is, information on machine media, in an electronic computer (computer), computer system or their network, if this act entailed the destruction, blocking, modification or copying of information, disruption of the operation of the computer, computer system or their network, - is punishable by a fine of two hundred to five hundred minimum sizes wages or in the amount of wages or other income of the convicted person for a period of two to five months, or correctional labor for a term of six months to one year, or imprisonment for a term of up to two years. 2. The same act committed by a group persons by prior conspiracy or by an organized group, or by a person using his official position, as well as having access to a computer, a computer system or their network, is punishable by a fine in the amount of five hundred to eight hundred times the minimum wage, or in the amount of the wages or other income of the convicted person. for a period of five to eight months, or correctional labor for a term of one to two years, or arrest for a term of three to six months, or imprisonment for a term of up to five years. Commentary on Article 272 1. Criminal law protection of computer information has been introduced in Russian criminal legislation for the first time. Earlier, on September 23, 1992, the Law “On legal protection programs for electronic computers and databases" (see Gazette of the Russian Federation, 1992, No. 42, Art. 2325) and February 20, 1995 - the federal law“On information, informatization and protection of information” (see Social Protection of the Russian Federation, 1995, No. 8, Art. 609). These laws provide for a set of measures to protect computers, databases, networks and computer information in general. In Art. 20 of the Law of September 23, 1992 contained a provision that the release under one's own name of someone else's computer program or database, or the illegal reproduction or distribution of such works entails criminal liability in accordance with the law. However, the corresponding criminal law were not accepted then. Obviously, they considered Art. 141 of the Criminal Code of the RSFSR, although it did not provide for liability for the mentioned acts. These issues, in our opinion, are resolved in Art. Art. 146 and 147 of the Criminal Code (see comments to these articles). 2. Inclusion of Art. 272, as well as Art. Art. 273 and 274 of the Criminal Code, in the section on crimes encroaching on public safety And public order, determines the object of the crimes in question. But that would be too much general approach. Specifically, these crimes are directed against that part established order public relations, which regulates the production, use, distribution and protection of computer information. Clarification of this circumstance is important in order to delimit the crimes provided for in Art. 272 - 274 of the Criminal Code, from other crimes related to the use of computers, computer systems and their networks to commit other crimes. In cases where computer equipment is the subject of crimes against property, its theft, destruction or damage is subject to qualification under Art. Art. 158 - 168 CC. But the point is that information structure(programs and information) cannot be the subject of crimes against property, since machine information does not meet any of the main criteria for the subject of crimes against property, in particular does not have physical sign. As for the computer as a crime weapon, it should be considered among such means as weapons or vehicles. In this sense, the use of a computer has practical significance when committing a crime, such as theft Money or hiding taxes. Such actions are not considered as independent crimes, but are subject to qualification under other articles of the Criminal Code in accordance with the object of the encroachment (see more details: New criminal law Russia. Special part. M., 199