When Is Stealing Not Theft?

Earlier today, the Nanshan District Court of Shenzhen, in southern China, convicted 11 members of a password-theft syndicate to between six months and one year of imprisonment.

According to the official press, the syndicate led by Jin has been operating from three malware development bases in northern China, each employing exploit developers, Web site hijackers, command and control, and other teams to support the ultimate goal of stealing passwords for the Tencent QQ instant messenging network.

The malware “workers” are reportedly paid a commission of 0.5 cents RMB (renminbi, or yuan) per stolen password, and the top performer was believed to have made as much as 7,000 RMB in a month. The stolen passwords in turn were sold to a broker, where the virtual gold or “QQ coins” harvested from the stolen accounts and often used for online gaming, were traded for real money. This has been a very profitable modus operandi for many virtual gold seekers, leading to the increase in game password stealers since 2006.

For the “infringement of personal communications,” according to Chinese law, each of the 11 members received between six to 12 months imprisonment. In comparison, the crime of stealing an equivalent amount of real-world money in China carries a hefty sentence of more than five years. As Mr. Qing Feng of the Legal Affairs Office of the Chinese State Council explains, the current laws interpret the stealing of passwords and “QQ coins” as the deletion or modification of data, which does not match the legal definition of theft.

Disputes over virtual properties and crimes involving virtual theft are a growing issue in both the real and virtual worlds. Barely three months ago, a Dutch teenager was arrestedfor stealing virtual furniture in an online game.