Early this week, police traced the ILOVEYOU computer virus to the Philippines, but after questioning one suspect, authorities had to release him for lack of evidence. The Philippines has no computer-crime laws on its books. What U.S. laws did the perpetrators of the ILOVEYOU virus break, and could the suspects be extradited to the United States for trial?
If the United States had jurisdiction over the ILOVEYOU perpetrators, the Computer Fraud and Abuse Act would apply. Passed in 1986 and broadened several times, it outlaws a wide range of computer mischief, including trafficking in stolen passwords, transmitting viruses that damage computers, and obtaining unauthorized information on protected computers. A violation of the Computer Fraud and Abuse Act is punishable by five years and up to $250,000 in fines, and in the case of ILOVEYOU, each infected computer might constitute a separate violation.
Philippine authorities may charge the ILOVEYOU suspects under the Access Devices Regulation Act, which outlaws the use of stolen credit cards. It appears that the suspects used stolen passwords to connect to Internet service providers. Using stolen information to obtain goods or services in the Philippines is punishable by five years in prison. Prompted by the virus outbreak, members of the Philippines Congress are now calling for new computer-crime laws.
The ILOVEYOU suspects could not be automatically extradited from the Philippines to the United States because the current extradition treaty applies only when both countries share the law in question. However, the United States might be able to persuade the Philippine courts to turn the suspects over to its courts. U.S. law enforcement officials have yet to make such a request.
Security experts hope ILOVEYOU will encourage the formulation of an international cyberspace treaty, similar to those concerning the sea and outer space.
For an overview of cyber law in the United States, check out this article from New Jersey Law Review.