You might think it strange, but the creation of viruses and malware isn't illegal in most jurisdictions. Most virus-writers have been prosecuted on secondary grounds such as unauthorized access or modification, malicious damage and so on. More recent malware authors, botmasters and such may also fall foul of similar issues, or other criminal activities such as fraud or even extortion (for example, threatening a DDoS – Distributed Denial of Service – attack). This, of course, reflects a general shift from virus writing for laughs and bragging rights to malware for profit.
An interesting recent example of a nation going against the flow is Japan, which recently plugged a malware-shaped hole in its legislation by criminalizing not only the creation and distribution of malware without reasonable cause (hopefully, working in this industry constitutes reasonable cause!), but also its acquisition and storage.
And now the Mainichi Daily News has reported that one Yasuhiro Kawaguchi was arrested yesterday on suspicion of "saving a virus on his computer," though the story suggests distribution of malware too. Apparently he has admitted intending to infect users of the "Share" file exchange program with the offending malware, as punishment for "chaotic" file sharing behaviour. Which seems bizarre, given that the malware was discovered when police investigated him regarding a suspected breach of copyright legislation by illegal sharing manga.
Historically, legislation based on the suppression of malware at source hasn't been particularly successful, so it will be interesting to see how effective it is in Japan. Especially as it includes some of the provisions of the Budapest Convention on Cybercrime, to which the US is also a signatory, and underpins the law-enforcement provisions of the White House's International Strategy for Cyberspace.
Hat tip to Jonathan Poon for flagging the Mainichi article and to Geekosystem for the Japanese legal background.
Author David Harley, We Live Security