Is there such a thing as a good worm? Jim Rapoza replied in the affirmative in his Tech Directions column of April 21, “Up with good worms,” suggesting that such a creation could crawl the Web to patch security holes. However, in considering the possibility of an automated, Internetwide fix, we must consider what we can do and what we may do.
First, can we do this? Yes, but, like the Sorcerer's Apprentice, the author of a well-meaning worm may find it going hideously awry. I have heard proposals to release exactly the sort of code you contemplate, and the most vocal opponents were technical experts. I don't know whether a good worm can be safe and effective, but this merits serious technical study. In addition, who would carry the risk of liability if the code worked differently in the wild than it did in the lab?
Second, may we do this? Under federal criminal law, I am prepared to argue that hacking a machine and altering its data without permission is an impairment to its integrity, which is a felony if it reaches a certain seriousness, such as a $5,000 loss. Even if a hacker cracks your network for a beneficial purpose, his unknowable state of mind is slim comfort. Even so, the criminal law offers some safe harbor for writers of good worms. The key concept is authorization, permission to access the computer and to alter its data or operation. As a legal matter, permission may be granted or even implied in many ways, but it may not be inferred, as you argue, simply from careless system maintenance. Besides, any careless-security exception would logically operate in all cases and essentially authorize anyone to alter data on the offending computer.
Fortunately, there are narrower ways to get authorization. For example, ISPs already have user permission, through terms of service, to alter data on user machines, and if these agreements don't already authorize changes made to improve security, they certainly could. An enterprising ISP might offer an anti-virus vendor's automatic patching services free to users as a marketing strategy and as self-protection. Similarly, users might prefer cable modem service with a preinstalled firewall.
Another way to gain authorization is via governmental permission. Police officers are both empowered and limited by court orders, and regulatory officials can invade private space under strict rules. Rapoza's SARS example is similar: Individuals can be quarantined for public health but only according to objective standards by people with governmental authority.
Beware of a major issue: Enforcement of health rules is mostly local, while the Internet is anything but. Although federal law could answer the “may” question in the United States, it does not address foreign users.
Martha Stansell-Gamm is chief, Computer Crime and Intellectual Property Section, U.S. Department of Justice, Washington, www.cybercrime.gov.