Assignment II

Example case – ILOVEYOU virus

On May 5, 2000, many users received strange emails from people they knew. The subject lines of
the emails were “ILOVEYOU.” The emails contained a virus. If users opened the emails, the virus
corrupted image fi les on the hard disk and sent itself as an email to users in the victim ’s contact list.
Given the interesting subject line, the email has also entered the information security folklore as the “love
bug” virus. The virus affected an estimated 50 million computers worldwide.
The legal follow up to the virus was interesting and highlights the limitations of law enforcement
in dealing with cybercrimes. The FBI quickly identified Manila, Philippines, as the source of the virus
and a recent college student, Onel de Guzman, as the author of the virus. However, virus dissemination
was not a crime in the Philippines at the time. Therefore, De Guzman could neither be prosecuted in the
Philippines nor be extradited to the United States for prosecution under US laws for the act of creating the
virus.
Under heavy international pressure, De Guzman was charged with theft and credit card fraud in
June 2000. However, on August 21, 2000, all charges were dismissed for lack of evidence.
Philippines eventually created a law criminalizing virus dissemination, but it is relatively weak.
The maximum punishment is 2 weeks imprisonment and a fi ne equivalent to $100.
REFERENCES
Arnold , W. “ Philippines to drop charges on e-mail virus ,” New York Times , August 22, 2000
Brenner , S.W. “ Cybercrime jurisdiction ,” Crime, Law and Social Change , 2006 , 46 : 189 – 206
EXAMPLECASEQUESTIONS
1. What was de Guzman ’s motivation for releasing the ILOVEYOU virus?
2. What is the penalty for creating and/or disseminating a virus in your country?
3. Laws typically allow judges considerable latitude in awarding sentences based on the facts of the case.
Based on your response to question 2 above, what penalty would you award de Guzman?
4. Why did you choose this penalty?

C R I T I C A L T H I N K I N G E X E R C I S E – T H E I N T E R N E T, “ A M E R I C A N
VALUES,”ANDSECURITY
In conventional thinking, one of the big reasons for our information security problems is that the
designers of the Internet did not build security in the underlying Internet technologies such as TCP and
IP. If only TCP and IP also incorporated security, we would have a much more secure information
infrastructure.
However, writing for the IEEE Security and Privacy magazine in 2011, Dan Geer, Chief
Information Security officer for In-Q-Tel, a non-profit venture capital fi rm for technologies that support
the CIA, stated that the developers of the Internet embedded their interpretations of “American values” in
the underlying Internet technologies. This is why IP, the Internet technology that transfers data across the
Internet, is “open, non-hierarchical, and self-organizing.” Once the data leaves your computer, you have
no control over how it is delivered to the destination. The protocol provides no mechanisms for
governments to impose restrictions on the flow of information on the Internet, other than restricting user
access to the Internet. Dan suggests that the Internet may also be a very successful American cultural
export, bringing openness and freedom of information wherever it is adopted.
Adopting this view, Dan believes that the lack of security in the underlying Internet protocols is a
strength, not a weakness. The Internet requires end users to take responsibility for their own security,
instead of relying on security provided by the fabric of the Internet. An Internet that does not take
responsibility for security also does not restrict any user from connecting to any other user, protecting the
users’ rights to freedom of association. A secure Internet could curtail this freedom in the name of
security, requiring permission from the Internet provider for access to a desired resource.
Reference
Geer , D.E. Jr. “ A time for choosing ,” IEEE Security and Privacy , January/ February 2011 , 96 – 95

CRITICALTHINKINGQUESTIONS
1. How could our information infrastructure been more secure if the underlying Internet incorporated
security technologies such as encryption?
2. How could the usability of the Internet been crippled if the underlying Internet technologies had
incorporated more security?
3. Based on your responses to these two questions, do you agree with Dan Geer ’s assessment that
leaving security to be the responsibility of end users is a good idea?