Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Crime Security The Courts United States

New California Law Finally Makes Ransomware Illegal 128

Reader Trailrunner7 writes: It was nice to see the calendar turn over to 2017, for a lot of reasons, not the least of which is that on Jan. 1 a new law went into effect in California that outlaws the use of ransomware. The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, but ransomware is a case of criminals outflanking the existing laws. Ransomware emerged in a big way a few years ago and the law enforcement community was not prepared for the explosion of infections. While there have been takedowns of ransomware gangs, they often involve charges of money laundering or other crimes, not the installation of the ransomware itself. In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion. The law went into effect on Jan. 1.
This discussion has been archived. No new comments can be posted.

New California Law Finally Makes Ransomware Illegal

Comments Filter:
  • by gfxguy ( 98788 ) on Wednesday January 04, 2017 @01:04PM (#53605159)
    How was it NOT extortion before the law?
    • by Anonymous Coward

      It was... you missed the country of origin.

      • extortion is lawful/legal in Canada?!
        • Canada

          * California (fixing my own post)

          • by Dutch Gun ( 899105 ) on Wednesday January 04, 2017 @05:38PM (#53607043)

            So, I was curious about this, and did a little digging. For reference [shouselaw.com]:

            The elements of California extortion are:

                    The defendant threatened to do one of the following to the alleged "victim":

                            a. Unlawfully injure or use force against him/her, a third party, or his/her property,
                            b. Accuse him/her or a relative or family member of a crime, OR
                            c. Expose a secret involving him/her or a family member, or connect any of them with some kind of crime, disgrace, or scandal;

                    When making the threat or using force, the defendant intended to force the "victim" into consenting to give him/her money or property or to do an official act;
                    As a result of the threat, the "victim" did consent to give the defendant money or property or do an official act; AND
                    The "victim" then actually did give the defendant money or property or perform the official act.

            So the exchange of the ransom is required to meet California's legal definition of "extortion". Naturally, most professionally run IT shops or prudent individuals will have backups and may not pay the ransom, but the damage still may be substantial simply due to lost time and productivity. This new law creates a specific exception for ransomware, making the deployment of it a crime equivalant to extorsion, regardless of whether or not a ransom payment is made. From the text of the bill itself [ca.gov]:

            This bill would define ransomware as... [describes ransomware]... The bill would provide that a person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable as if that money or other consideration were actually obtained by means of the ransomware...

            Given this information, it appears that unpaid ransomware attacks were NOT considered "extortion" under California law. This new law provides both a legal definition for ransomware (must have gotten some help from a competent IT person here), and closes that loophole... which, btw, seems like sort of a terrible loophole for extortion as well, but whatever.

            We see further evidence of this in the first sections of the bill, which pretty much seems designed to shut down this loophole:

            523. (a) Every person who, with intent to extort any money or other property from another, sends or delivers to any person any letter or other writing, whether subscribed or not, expressing or implying, or adapted to imply, any threat such as is specified in Section 519 is punishable in the same manner as if such money or property were actually obtained by means of such threat.
            (b) (1) Every person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable pursuant to Section 520 in the same manner as if such money or other consideration were actually obtained by means of the ransomware.
            (2) Prosecution pursuant to this subdivision does not prohibit or limit prosecution under any other law.

            TLDR version: This law was needed due to the peculiarities of California's extortion laws.

    • IANAL, but yeah. Installing software on my PC without permission should already be trespass or vandalism; encrypting my files and demanding money for the key should already meet the definition of extortion or blackmail. I guess the fact that these assumptions are apparently false just shows how non-intuitive the law is.

    • How was it NOT extortion before the law?

      Moot.

      We're eliminating extortion, money laundering, loss of income for righting the ship ...

      To paraphrase TFS and TFA, "It's illegal to load ransomware on a computer."

      The mere existence of the ransomware is evidence of a crime, in and of itself, and extortion, money laundering, loss of income for righting the ship are collateral issues.

      • by Wulf2k ( 4703573 )

        Is it illegal to load ransomware on my own computer?

        Is this more illegal than installing something that will encrypt all the files without offering to decrypt them for money?

      • by gfxguy ( 98788 )
        To quote TFS: "In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion." The topic says that the law "finally makes ransomware illegal," but the law makes it a "form of" extortion.... my question stands, how was it NOT extortion before?
    • How was it NOT extortion before the law?

      See for example this definition of extortion: http://legal-dictionary.thefre... [thefreedictionary.com]

      If you read the definition carefully, you will find that ransomware doesn't actually fall under this definition.

      • by g01d4 ( 888748 )

        you will find that ransomware doesn't actually fall under this definition [thefreedictionary.com]

        Only under strict-common law. If you read further down:

        Most jurisdictions have statutes governing extortion that broaden the common-law definition. Under such statutes, any person who takes money or property from another by means of illegal compulsion may be guilty of the offense. When used in this sense, extortion is synonymous with blackmail, which is extortion by a private person.

        • That definition says "who takes money or property", implying that the threat by itself is likely to not count as extortion unless it's successful. I'd rather have "give me $1000 or I break your arms" count as extortion whether I hand the money over or not. Specifically, I'd like the installation and activation of ramsomware to count as extortion.

      • The obtaining of property from another induced by wrongful use of actual or threatened force, violence, **or fear,** or under color of official right.

        (Emphasis mine.)

        Seems to fit nicely under fear. I'm afraid that if I don't pay you then I'll never get my files back.

    • by mikael ( 484 )

      Because the other categories (money laundering, extortion) only applied when the files had been encrypted and a demand made. If the ransomware is loaded onto a computer system, but not activated, there's no crime committed using these categories.

      Just the act of loading software onto a PC is now enough evidence for a crime to be considered committed.

    • by Sloppy ( 14984 )

      How was it NOT extortion before the law?

      I haven't found the text of the law to read, but I can guess.

      I used to work for a place where, in the late 1980s and early 1990s we would occasionally sell ransomware to clients who had iffy credit. Pay your bill every month, and we'd send you an update to our software. Stop paying or don't install your update, and a time bomb would go off: it fails to start. The software's data wasn't encrypted or anything, but it was in a proprietary undocumented form, so it was eff

    • by Voyager529 ( 1363959 ) <voyager529@yahoo. c o m> on Wednesday January 04, 2017 @05:03PM (#53606855)

      How was it NOT extortion before the law?

      Because this is extortion...on the Internet.

    • How was it NOT extortion before the law?

      Yeah, no kidding

  • by wbr1 ( 2538558 ) on Wednesday January 04, 2017 @01:06PM (#53605169)
    I do not know california code, but I imagine installing and running software without permission is already illegal, as is unauthorized use of a system and destruction of data. Not to mention fraud.

    So.. do we really need another law? For something that is largely coming from out of the country and is unlikely to result in a prosecution except MAYBE at the federal level?

    • Yes, we need another useless law that will not have anyone convicted any time soon, just so stupid legislators can say "See, we are protecting you!"

      Right up there with Assault Rifle bans because ... "SCARY LOOKING!!!!!"

    • I imagine installing and running software without permission is already illegal, as is unauthorized use of a system and destruction of data. Not to mention fraud.

      Isn't that what the FBI, CIA and NSA do every day? Without warrants, or judges' approval . . . ?

    • by CaptainDork ( 3678879 ) on Wednesday January 04, 2017 @02:01PM (#53605613)

      ... installing and running software without permission is already illegal ...

      Permission was granted when the user voluntarily opened a malicious attachment or navigated to a nefarious web site.

      I'm retired from IT and I was often pulled into management's office to answer the question, "Why did our system not stop this?"

      I answered that the "system" was granted permission by the operator, who, BTW, has attended six (6) seminars this year alone that explains users aren't allowed to use computers for personal use, so why are they panic-clicking on an attachment that their "UPS package will not be delivered until you click on this link ..." AND the fucking Firm has a contract with FEDEX for that shit anyway.

      • by wbr1 ( 2538558 ) on Wednesday January 04, 2017 @02:36PM (#53605873)
        Software installed through deception is NOT installed with permission. This is computer fraud 101. Sure the operation can bypass system restrictions at any time, but actual permission lies with the user or owner, and software installed through fraudulent means such as deception, zero-days etc is still illegal should not be considered as having been granted owner/operator permission.
        • Bullshit.

          I have all kinds of shit in place that says, "DO NOT OPEN THIS ATTACHMENT and the goddam user still opens it.

          We're a law firm and the stock answer is, "Your guy overrode your own fucking system and ASKED for the payload."

          So, no ...

          • I think you may be ignoring the legal definition of permission. For example, using login credentials that the ex-employee knew should not be used to log into a company system certainly has technical permission from the system, but I believe it's been found illegal under the CFAA.

      • Permission was granted when the user voluntarily opened a malicious attachment or navigated to a nefarious web site.

        This was modded "Informative"? You are a loon.

        I answered that the "system" was granted permission by the operator,

        So if I ask you if I can borrow your lawnmower, but instead take your car out of your garage and run it into a tree, you're ok with that because you gave me permission to take something out of your garage and you really didn't care what it was? Or a user who agreed to allow a website to install "File Compressor Pro" actually agreed to let them install ransomware instead because they agreed to allow the site to install something, it doesn't matter what?

        It matte

        • TL;DR

          It appears, from a distance, and with a quick scan, that you are intelligent and may one day make use of that attribute, but not today.

          • by wbr1 ( 2538558 )
            I try to not engage in ad hominem when I can see my self doing it, but I agree with GP. You sir are a loon.
    • by Anonymous Coward

      So.. do we really need another law?

      Sometimes, if you're in the USA.

      A few months ago my wife was on jury duty, where a guy was suspected of (actually, he took the stand(!) and incriminated himself) kidnapping a junkie and making her work as a prostitute, with occasional beatings and threats.

      Those are all illegal things in my state.

      Just one problem: this was federal court. So what he was actually charged with, was some totally absurd made-up nonsense lie about "interstate commerce." The guy was not engaging i

    • I think they wanted installing and activating ransomware to count as extortion, which it didn't.

  • Thank god (Score:3, Funny)

    by Anonymous Coward on Wednesday January 04, 2017 @01:07PM (#53605179)

    This will certainly stop them, I mean I am sure they were just waiting for a law to make it illegal then they'll stop

  • by Anonymous Coward

    I mean, we use the CFAA for damn near everything? Why not this, where it actually seems to apply?

    • I bet you are not a Californian lawyer...
    • I mean, we use the CFAA for damn near everything? Why not this, where it actually seems to apply?

      OK, an explanation could be found here on LA Times [latimes.com]. You could also read below quote (from the given link) for the specific part of the answer.

      At the federal level, prosecutors can use the Computer Fraud and Abuse Act to target ransomware. But state prosecutors typically must pursue such cases under laws against extortion, or those that target threats to injure a person or property that have not been acted upon.

      That doesn"t quite fit computer crime, Hoffman said.

      "With ransomware, the threat has already been carried out," he said. "The data has already been encrypted; it has already been compromised. It"s more like data kidnapping."

      At least one other state, Wyoming, has outlawed ransomware.

    • I was going to point out the same thing.

      The CFAA can be used to threaten someone with 35 years for violating a TOS in a way that is not actually a crime under any other law. But it isn't good enough to cover Ransomeware?
    • by Lehk228 ( 705449 )
      it is, but federal laws are not useful to California prosecutors.
  • by NotARealUser ( 4083383 ) on Wednesday January 04, 2017 @01:09PM (#53605209)

    If it were only so simple... This does nothing to actually prevent ransomware.

    At least the good people of California can cite a specific law instead of the broader extortion laws when they are victimized. I really think there is no point to this law. It has no means to solve the ransomware issue, it simply makes a specific case out of something that was already illegal.

    • It does do something ... It allows stupid legislators to say they did something. Remember the following logic is all that is needed.

      We must do something!
      This is something!
      Therefore we must do it!!!!!!!

      Implied is, "Anyone that opposes this is an evil hater who wants to kill you and eat kittens"

      • "Anyone that opposes this is an evil hater who wants to kill you and eat kittens"

        how eat cows/pigs is better than eat kittens?

        • how eat cows/pigs is better than eat kittens?

          Pro: cow/pig bigger than kitten, therefore don't need eat two kitten for dinner, just one cow.

          Con: cow/pig less tender, need tenderizer. Kitten yummy. Like veal. Cat, ick, old and tough.

          Pro: cow/pig available at local store. Must hunt kitten. Here kitty kitty... Hello Kitty!

        • Cows and pigs are not furry and cute. And more importantly, there are no funny cow/pig videos on YouTube. (Well, there probably are some, but nowhere near the number of kitten videos.) Have you ever seen a cow or pig say "I can has cheezburger?"
    • I think people don't understand the legal system very well. In order to secure a conviction, a prosecutor has to prove all aspects of the crime. Ransomware does involve other crimes but those may have hard elements to prove. For example it wouldn't be money laundering if somebody paid taxes on the income! Others point out that deceptive installation is installing without permission, but you have to *prove* that the user was deceived. Maybe they weren't. Maybe they knew it was ransomware and were pissed
      • For example it wouldn't be money laundering if somebody paid taxes on the income!

        And it wouldn't be ransomware without extortion.

        Why are we against criminalizing such bad behavior directly.

        Because criminalizing every variant of everything we want to prohibit leads to massive volumes of criminal law, and the expectation that something that isn't specified exactly by name isn't a crime at all. You really don't want to have to wait for the legislators to catch up with a specific law regarding "some existing crime DONE ON A COMPUTER" just because it wasn't specified that way explicitly in the current law. I point to the parallel between this and pat

        • No, I think this is a much more complicated legal case to prove. If I write a ransomware and you install it on your company's computer and the ransomware demands payment in bitcoin, one can prove that (a) I wrote the ransomware, (b) You installed in your company's computer. But I can argue that I didn't know that you were going to actually install it. And you can argue that I tricked you into installing it. So the only way to prove the case is to follow the money which may turn out to be nearly impossib
  • by Anonymous Coward

    I can finally uninstall that pesky antivirus.

  • Do nothing bureaucrats gonna bureaucrat. Let's all pat ourselves on the back for making a law that's covered by other laws!
  • It was legal before? (Score:4, Interesting)

    by HalAtWork ( 926717 ) on Wednesday January 04, 2017 @01:15PM (#53605259)

    You mean up until now I could have had my own money making machine? Oh well, missed that boat...

    • There are 49 other states in the US....

    • As others have pointed out, you would have been prosecuted under other laws. But if you were really good at Ransomware maybe you could find one area of the crime that prosecutors couldn't prove and the you could spend most of your ill-gotten gains on a legal defense. You would be no better off, a defense lawyer would make out well, your victims would be out money, and the state would have an expensive prosecution bill. Now they have a much easier case and can just arrest you right away.
  • This is one of the more absurd examples of magical thinking I have seen in a while. Why do they think this will have any impact at all?

    Most of the groups that spread the malware are based overseas. Most of them use bitcoin to collect payments so there's not even a money trail. Just what is this measure supposed to do to help anyone?

    • In California laws are about intention rather than outcome.
  • by Anonymous Coward

    That'll stop those rusky hackers!

  • So does that mean Windows won't automatically be bundled with no way to unbundle it before purchase there now?
  • ransomware absolutely sucks.

    That being said, the statement "The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, " seems a bit loaded. I'm not sure if all hacking should automatically be assumed to be illegal. Would this even be hacking or are we to assume 'everything nefarious done via computer is hacking'.

    • I'm not sure if all hacking should automatically be assumed to be illegal.

      I'm sure: the answer is NO

  • ... cause cancer in rats.

  • ... must be a reason why lawyers can't understand IT (and, I'm afraid, a medical one)
  • I'm guessing here -but this might have to do with funding. Awareness drives usually cannot be funded unless there is a specific law. With this law in place, maybe there can be funding to raise awareness amongst everyday people on how to protect themselves from ransomware.
  • by PPH ( 736903 ) on Wednesday January 04, 2017 @01:38PM (#53605429)

    It was nice to see the calendar turn over to 2017

    You were getting tired of Miss December too?

  • Yeah I'm sure this will scare the pants off some guy in his bedroom in Romania or Chelyabinsk.

    He'll probably give up his evil ways, go straight, and get a day job at the local Burger King, AMIRITE?

  • .... wouldn't it be more logical to make it illegal to PAY said ransom, unless doing so is part of an active criminal investigation to identify the person or persons that are receiving the money? This would tend to force people who try to spread ransomware to shorten the window in which they are allowed to pay the ransom so that the victims have less time to consider whether they should go to the authorities, and would have to just quickly pay the money, regardless of the legality, just to get their files
    • So, what you're saying is that people who want to pay the ransom should avoid letting any law enforcement agency know they've got the ransomware? Wouldn't you rather encourage the reporting of ransomware?

      • by mark-t ( 151149 )
        No... what I'm saying is that they shouldn't pay in the first place... and the only way to discourage this would be to make it illegal unless you had the cooperation of law enforcement (and even then only so that it was legal for law enforcement to use means at their disposal to trace a transaction, if it were technologically feasible). If people kept the fact that they had been infected to themselves (their only option if they intend to pay the ransom despite its illegality unless they also wish to pay w
        • Some people want their files back, and will want to pay. If they know that they'll be criminally charged if news gets out, they will be sure not to tell anyone, and we'll never know how much is going on, and we'll miss out on data that might be useful in tracing it. Bad guys started using ransomware without knowing what the profit would be. The ones who know that it can make money will continue to do it, and new entrants into the field won't know whether or not it works. I think we're better off encour

          • by mark-t ( 151149 )
            I understand that people want their files back, but the law does not exist to compensate people for wrong actions against them, that is the job of civil court. The law is supposed to, to the best of its ability provide some disincentive to disobeying it. If it is illegal to pay the ransom without police involvement, people who consider their files to be more important than the law will do so, but the existence of that law *will* still act as some disincentive for the people who intend on following the law
  • I mean, seriously, 10 percent of the ransom amount?

    Take down a cyber ring and you can retire in Sumatra forever!

  • by avandesande ( 143899 ) on Wednesday January 04, 2017 @03:18PM (#53606189) Journal
    Bad enough to have all your files encrypted, now you will be in trouble with the government too?
  • Thanks CA !
  • Well this is idiotic but it reminds me if the ACTUAL solution, which is to make paying ransoms in ransomware illegal. That would make it disappear really quickly. It's already illegal to financially support criminal and terrorist groups and that's who runs these so make paying it illegal!
    • Or, more likely, it would guarantee that the victim, who thinks a "backup" is something their plumber fixes but can't bear to lose those cute pictures of the sister's dog, won't ever report the crime.

    • by Anonymous Coward

      Think it through further, making paying illegal would cause an explosion in ransomware as now all those authors will be able to successfully blackmail the payers into more criminal activities. Just like drug use and prostitution, when one party can't get help the other party successfully pushes further and further.

  • Since when did outlaws start obeying the law?
    There are already plenty of laws governing this.
    No need to make a new law and clutter up the books.
    Bah, hum-bug.

  • Californian law applies in California, most malware is from Asia or Eastern Europe. I do not see how this law will affect anything.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...