Code = Speech in Wyoming, but what about Poisoned Code?
Privacy Plus+
Privacy, Technology and Perspective
Code = Speech in Wyoming, but what about Poisoned Code? This week, the Wyoming legislation passed a bill designed to protect software developers from criminal liability for the code they write.
Under Wyoming’s new bill, code is designated as a “digital expression,” which is defined as “an expression that is communicated through source code or a computer program.” In relevant part, the bill states (we think, unartfully):
A digital expression that does not otherwise constitute a crime or subject the person responsible for creating the digital expression to criminal liability under the Wyoming Criminal Code shall not serve as the sole basis for any criminal liability based on the use of that digital expression by another person. (emphasis added)
Presumably, the key phrase in the bill is “sole basis” – surely, developers could be prosecuted for uses of code that constitute a crime, but not merely for the act of writing the code. A link to the bill, which was passed unanimously by Wyoming’s Senate and is awaiting the signature of the governor, follows:
https://wyoleg.gov/2020/Enroll/HB0008.pdf
We aren’t aware of instances where a developer has been prosecuted just because of code they’ve written, at least on any charge that would be curable if the code were declared to be “expression” or “speech” clothed by the First Amendment. So the bill strikes us as a “solution in search of a problem,” or perhaps merely a benign advertisement that Wyoming wants to be a friendly forum for software developers generally.
But sometimes, even the most benign bill can have unintended consequences.
Who’s the “Expressive Developer?”: We support Wyoming’s continued efforts to cultivate software development in the context of blockchain, but we question whether some of them are consistent with best practices, particularly in a world driven by AI. For blockchain, of course, many networks are designed to be decentralized and autonomous. It may well be hard to attribute liability to a single developer for writing such code, and might also have the effect of insulating parties who should be liable based on the fact that someone, somewhere, wrote a line of code while vacationing at Yellowstone.
The Danger of Poisoned Code: Also consider a case where an autonomous vehicle crashes. Would it be reasonable to hold a developer criminally liable if that developer intentionally wrote code that contained a "backdoor" or a bug designed to cause the crash? We think so.
In fact, researchers at Cornell Tech have confirmed the dangers posed by “code poisoning” in open source environments. Among other things, they believe that such “poisoned” code could potentially compromise algorithmic trading, email accounts and more. A link to the paper by Eugene Bagdasaryan – a computer science PhD candidate at Cornell Tech — and Professor Vitaly Shmatikov (funded by a Google Faculty Research Award, the NSF and the Schmidt Futures program) follows:
https://drive.google.com/file/d/1CTVcliUblX35cWfB49Xjhf8xk-fM3QH1/edit
While the Wyoming bill may be well-intended, no developer should be able to avoid liability for intentional acts, such as intentionally writing malicious code.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.