Computer Missuse Act

As malware is in the same class as viruses - replace the word malware for virues in your post and make your own mind up.

Also if you were involved in the coding knowing that this is damaging code I think you'd also be liable.

There are at least two cases coming to law which debate this very point.

Music industry and Sony (I think) have both issued spyware which they are using to prosecute file sharers or to directly stop copying of music.
Both are in court over privacy and computer misuse though I do not think their software was damaging, and I hope they lose.

Knowingly producing such code I believe is an offence. As is distributing it.

The Act created three new offences:

• Unauthorised access to computer material :

This is the lowest level of offence. It includes gaining access to a system owned by someone else and taking a look at the data it contains. This is an offence even if no damage is done, and no files are deleted or changed. The very act of accessing material without authorisation is illegal.
This offence carries a penalty of imprisonment up to six months and/or a fine.

• Unauthorised access with intent to commit or facilitate commission of further offences :

This builds on the previous offence. The key here is the addition of ‘intent to commit...further offences’. It includes guessing or stealing a password, and using that to access, say another person’s on-line bank account and transferring their money to another account.
For this offence the penalty is up to five years’ imprisonment and/or a fine.

• Unauthorised modification of computer material :

This could include deleting files, changing the desktop set-up or introducing viruses with the intent to impair the operation of a computer, or access to programs and data. The word ‘intent’ means it has to be done deliberately, rather than someone deleting files by mistake. This also includes using a computer to damage other computers , even though the computer used to do this is itself not modified in any way. This offence carries a penalty of up to five years and/or a fine.

From what you have described there is no clear offence in creating the code described, the offence would occour at the moment that code was executed and used to gain unauthorised access to another system. The offender in this case would be the person responcible for the execution of that code, not the person who orignially wrote it. Up untill now most cases have involved virus writers or other creators of 'malware' both creating and executing the code involved leading to the conviction of the creator.

You *could* argue that while you wrote the code you never intended to use it outside of the development environment and that you had no control over the end use of that code.

Having said all that it's a very grey area and I wouldnt want to stand up in court and argue the point without some serious legal backup

DaveB summarises the CMA very well and makes the clear distinction between creating and executing the code.

Assuming all this was theoretical, if it was me, I would write some pretty serious terms and conditions for this code including transferring all risk to the client for any actions carried out with that code.

Sony's latest one is definatly damageing, not only does it create many security holes but if you try to remove it, it can damage hardwear to the point that it might be simpler to just replace the whole machine.

Auntie says sony are recalling the CD's

They must be scared of something
http://news.bbc.co.uk/1/hi/technology/4441928.stm

They are scared of all the negative press it caused. Most of the trades have been calling for boycotts of sony goods since it started, not a good thing just before xmass.

Especially does not help them that the first patch they released made a bigger security hole in peoples systems and the uninstaller that they released made even bigger ones again (and reports of it breaking peoples pc's)

There are already worms "in the wild" looking for systems with this crap installed to take control of them

The multiple class action law suits that have started plus the concerns that they might have broken various new state laws (plus GLP softwear licences) is not helping them feel safe either.

This might stop you being sued, but won't have any effect on your criminal liability.

If you can't be prosecuted for a direct criminal act for writing the software, I think you could be prosecuted for "aiding and abetting" the person who uses it to perform a criminal act.