Makers, mailers of computer viruses rarely face jail

Although nearly 63,000 viruses have rolled through the Internet, causing an estimated $65 billion in damage, criminal prosecutions have been few, penalties light and just a handful of people have gone to prison for spreading the destructive bugs.

A Minnesota teenager was arrested Friday, accused of disseminating a version of "Blaster." But investigators scrambling to trace that infection, along with "Sobig" and other computer viruses face a daunting challenge: an incredibly hard-to-track international crime set in an obscure and anonymous environment.

They also say they are hampered by antiquated laws and, for many years, a winking or even admiring attitude toward virus creators.

One person has been sent to prison in the United States and just two in Britain, authorities say. But the low numbers are "not reflective of how seriously we take these cases, but more reflective of the fact that these are very hard cases," said Chris Painter, the deputy chief of computer crimes at the U.S. Department of Justice.

Beginning Nov. 1, the consequences will be harsher; the U.S. Sentencing Commission has written tough new punishments for certain types of computer crimes. A virus sender who intends to cause death -- by tying up 911 emergency telephone lines, for example -- could face a life sentence.

But the senders have to be caught first, and that, say prosecutors and computer security experts, can be almost impossible.

"If the perpetrator is semi-sophisticated, they can easily mask their trail," said Elliot Turrini, former federal prosecutor in Newark, N.J.

He prosecuted David Smith, currently serving a 20-month sentence for sending a virus -- "Melissa," named after a stripper Smith knew. Smith, then 30, was captured with the help of AOL technicians, but not before his virus caused more than $80 million in damage.

"I did not expect or anticipate the amount of damage that took place. When I posted the virus, I expected that any financial injury would be minor and incidental," Smith told the judge while pleading guilty. "In fact, I included features designed to prevent substantial damage."

Arrested in another case was Onel De Guzman, author of the "Lovebug" virus that caused $7 billion in damage in 2000. But he was released because at the time there was no law in his native Philippines banning what he had done.

No damage complaint

One year earlier, Chen Ing-hau of Taiwan was arrested for writing the "Chernobyl" virus, but was released because nobody filed an official complaint about damage. He has since been rearrested.

In England, two virus senders have done prison time -- Simon Vallor, convicted this year, and Christopher Pile in 1995.

Virus senders are also almost always young, leading some to argue for restraint in punishments.

On Friday, federal agents arrested Jeffrey Lee Parson, 18, of Hopkins, Minn. The FBI said he admitted modifying the original "Blaster" infection and creating a version called "Blaster.B." At least 7,000 computers were infected, agents said.

"Kids just need to realize this isn't a game anymore," said Matthew Tanase, president of Qaddisin, a network security company in St. Louis.

Computer viruses have been around almost as long as the Internet.

In 1988, Cornell University graduate student Robert Morris set off a worm program that quickly spread through 6,000 hosts and almost halted the entire network.

Morris was arrested and eventually was placed on three years' probation, ordered to perform 400 hours of community service and fined $10,000.

That case set a precedent of dealing gently with virus senders, critics say.

"The lack of a credible criminal penalty is a problem," said Eugene H. Spafford, director of the Center for Education and Research in Information Assurance at Purdue University.

But Spafford said stiffer penalties alone are not going to end viruses.

Computer users need to "put bars on the windows" and use more antivirus software and technical guards, he said.

Social attitudes also need to be changed -- "creating the idea that hacking is not romantic, it's not clever, it's not an appropriate thing to do," he said.

Online business owners need no convincing. Facing damage to their equipment and lost profits, many are demanding tougher enforcement.

"If a virus wrecks my computer, it's just as though someone came and destroyed my house. That person should be prosecuted," said Peggy Howell, who runs an online art gallery and gift shop in Windsor, Calif.

But what becomes tricky in the legal world is that the vast majority of computer viruses don't do major damage.