[Home] [E-Mail Services] [Internet Services] [Some Cloak and Dagger Links] [Research Index]
Investigation Tool: Knowledge |
Computer Crime Page 3 of 7:Next Page >>>>>>> |
A. Background
84. The criminal codes of all countries have, up to the present, predominantly protected tangible and visible objects. Although protection for information and other intangible things or values existed before the middle of the twentieth century, it did not play an important role until very recently. The last few decades have seen significant changes: the development from industrial to post-industrial society, the increasing value of information in economics, culture and politics, and the growing importance of computer technology have led to legal challenges and new legal responses to information law. In the 1970s, the resulting change of paradigm, from corporeal to incorporeal objects, began to touch substantive criminal law, in several waves of computer crime legislation.
85. A new doctrine of criminal information is emerging in the area of al legal science, founded on the still-developing concepts of information law and the law of information technology. In accordance with modern cybernetics and informatics, information law now recognizes information as a third fundamental factor in addition to matter and energy. Based on empirical analysis, this concept evaluates information both as a new economic, cultural and political asset and as being specifically vulnerable to unique forms of crime.
86. It is obvious in the new approach that the legal evaluation of corporal objects differs considerably from the evaluation of incorporeal (information) objects. First, there is an important conceptual distinction between information and data that is both technologically and legally relevant. Information is a process or relationship that occurs between a person's mind and a stimulus. Data, whether in corporeal or incorporeal (e.g. electromagnetic impulse) form, constitute a stimulus. Data are merely a representation of information or of some concept. Information is the interpretation that an observer applies to the data. Different information may be received from the same data, depending on their interpretation. Thus, when data are destroyed or appropriated, it is the representation that is destroyed or appropriated and not the actual information, idea or knowledge. The latter may still subsist in a person's mind or in another copy of the data.
87. The second difference concerns the protection of the proprietor or holder of corporeal and incorporeal objects. Whereas corporeal objects are more exclusively attributed good that flows freely in a free society. It is not itself subject, therefore, to exclusive protection in the same way as tangible property. A third difference between the legal regimes of tangibles and intangibles is that, in protecting information, not only must one consider the economic interests of its proprietor or holder, but one must also preserve the interests of those persons concerned with the contents of the information. This aspect results in new issues of privacy protection, which is dealt with in chapter III.
88. Paragraphs 89-115 investigate how far the various national systems protect the holder of information and paragraphs 116-126 examine activities undertaken in this field of law on the international level.
B. The development of national law
89. Two primary issues are raised by the use of legislation to protect the holder or processor of data or information. First, to what extent is the criminal law an adequate appropriate mechanism for guaranteeing the integrity and correctness of data or information? Secondly, when or how should the interests of roprietors or holders in the exclusive use or secrecy of data or nformation be protected?
1. The integrity and correctness of data
90. Until the 1980s, in most legal systems the integrity of computer-stored data was covered by general provisions regarding damage to property, vandalism or mischief. However, these provisions were developed to protect tangible objects; thus their application in the information sphere posed new questions. In a few criminal codes the mere erasure of data without damaging the physical medium does not fall under the traditional provisions regarding damage to property, since electrical impulses are not considered to be corporeal property and interference with the use of physical medium is not considered to be destruction. However, the prevailing opinion in most countries considers the deliberate damage or destruction of data on tapes or disks to be equivalent to damage to, or interference with the use of, property (i.e. vandalism) de lege data, since the use of the tape or disk has been affected.
91. To clarify the situation, new legislation has been enacted in many countries. Some countries amended the traditional statues on mischief, vandalism or damage to tangible property; others created specific provisions. The legislation of a few countries covers all kind of documents, not only computer-stored data. In the United States, a number of state laws contain more specific sanctions for the insertion or intrusion of a computer virus, and on the federal level, a provision sanctions the reckless causing of damage when a federal computer system is intentionally accessed without authorization. Some legal systems also include specific qualifications for computer sabotage that leads to the obstruction of business or of national security.
92. Owing to its fragmentary character, criminal law is too blunt an instrument to guarantee the general correctness of data, especially its informational content. Only in specific cases, such as balance sheet items, medical reports or other specific documents, can it attempt to guarantee the preservation of faultless data.
93. Some of the most important criminal law provisions covering the integrity, as well as he correctness, of specific data are provisions on forgery, which guarantee the authenticity of a document for the statement that it contains. In some countries, the provisions on forgery require visual readability of statements embodied in a document and, for this reason, do not cover electronically stored data. With the intention of giving electronically based documents the same legal protection as paper-based declarations, some enacted or proposed new statues on forgery that relinquish visual perceptibility. De lege lata, courts in other countries came to the same result.
94. Traditionally, the involvement of computer data (e.g. in the case of murder committed by the manipulation of a computerized hospital supervision system) does not create specific legal complications. The respective legal provisions are formulated in terms of result, and it is completely irrelevant if the result is achieved with the involvement of a computer.
95. In the area of financial manipulations the situation is different. In many legal systems the statutory definitions of theft, larceny and embezzlement require that the offender take an "item of another person's property". In such systems, the provisions are not applicable if the perpetrator appropriates deposit money. In many countries, these provisions also cause difficulties in regard to the manipulation of financial transactions through automated cash dispensers. The statutory provisions on fraud in some legal systems demand the deception of a person. They cannot be used when a computer is deceived. Statutory definitions of breach of trust or abus de confiance, which exist in several countries, sometimes apply only to offenders in high positions and not to punchers, operators or programmers; some provisions also have restrictions on which objects may be protected. Consequently, many legal systems have looked for solution de lege data without overstretching the wording of existing provisions, and new laws on computer fraud have been enacted in many countries. Such clarifications or amendments should be considered, if necessary.
2. The exclusive use of data or information
96. The exclusive use of information by its holder is protected by three legal instruments: (a) new, computer-specific statutes concerning illegal access to or use of computer systems; (b) the general rules of intellectual property law, especially copyright law; and (c) the general rules of trade secret law, especially the provisions on economic espionage.
97. In many countries, since the 1980s, the protection of computer data by the general provisions of trade secret law and intellectual property law has not been considered to be sufficient. In response to the new cases of hacking, many States developed new statutes protecting a "formal sphere of secrecy or privacy" for computer data by criminalizing illegal access to or use of another person's computer, thereby also protecting the computer data contained therein. This new legislation became necessary because, in most countries, protection of this "formal sphere or privacy" against illegal access to computer-stored data and computer communication could not be guaranteed by traditional criminal provisions.
98. As far as wire-tapping and the interception of data communications are concerned, the traditional wire-tap statutes of most legal systems refer only to the interception of communications. Therefore, legislative proposals that cover wire-tapping and other forms of electronic surveillance or the interception of computer system functions or communications have been put forth in many countries. When enacting legislation in this area, it is important that the new law should address interception in all of its possible forms, whether of communications to, from or within a computer system, or of inadvertent or advertent emissions of radiation.
99. Similarly, traditional provisions on trespassing and forgery often cannot be used. In all countries, the applicability of traditional penal provisions to unauthorized access to data-processing and storage systems is generally difficult. Therefore, new legislative provisions concerning such access have been enacted in many countries. These provisions demonstrate various approaches. Some criminalize "mere" access to EDP systems; other punish access only in cases where the accessed system is protected by security measures or where the perpetrator has harmful intentions or where data obtained, modified or damaged. Some countries combine several of these approaches in a single provision covering both "mere" access (in the form of a basic hacking offence) and qualified forms of access (in the form of a more serious ulterior offence with more severe sanctions).
100. One problem concerns the circumstances under which an initially authorized access may become unauthorized or may otherwise turn into a criminal action. In most countries, the new provisions deal only with the initial unauthorized access, thus criminalizing only the acts of outsiders; other countries also proscribe unauthorized use of or presence in systems, thus also criminalizing use or "time theft" by both outsiders and employees. A special solution to protect employees can be found in the California state law, which does not apply to employees if their use is within the scope of their employment or, in the case of uses outside the scope of employment, the use does not result in any injury or the value of the used services does not exceed $100.
101. The discussion about initially authorized access demonstrates that illegal access to computer systems is closely connected to, and partly overlaps with, the criminalisation of unauthorized use of computers (i.e. both use without authority and time theft), although up to the present this close relationship has not yet been generally realized by all countries. De lege ferenda in most civil law countries the problem of illegal use of computers is reduced to the illegal use of computer hardware and discussed within the context of furtum usus of corporeal property. In this context many civil law countries reject a general criminalization of furtum usus of tangibles (with some exceptions, such as for motor vehicle joyriding) and consequently do not incorporate a provision against the illegal use of computers or time theft in their new computer crime laws. However, there are (mainly Nordic) countries that have a legal tradition of criminalizing the unauthorized use of corporeal property, so that the new reform proposals of these countries also criminalize the unauthorized use of computer systems. Many common law countries or parts thereof (e.g. Canada and many States of the United States) have recognized the relationship between access and use, and in statutory definitions subsume either "access" or "use" into the other concept, thereby creating a single legal concept that address both situations for the purposes of the new penal provisions. Since the unauthorized use of computer systems generally presupposes unauthorized access to that system, an adequate access or use provision could at the same time cover the other delict as well.
102. A further distinction that is sometimes recognized is one between (a) the unauthorized obtaining of computer services or time that is ordinarily provided for a fee and (b) the unauthorized use of computer systems in general. The delict in respect of the former is the unauthorized obtaining of computer services without payment of the requisite fee, thereby causing the owner of the system to suffer a financial loss. In some countries, such abuse is covered by general theft of service laws. The statutes of other countries, however, are limited to the unlawful use, waste or withdrawal of electricity. General theft and fraud statutes may be applicable in some countries, while in other countries specific provisions have had to be enacted to deal with this type of theft of service.
103. The delict in respect of the mere unauthorized use of the computer is the violation of the exclusive use rights of the owner. Addressing this problem raises all of the issues previously discussed in relation to the issues of unauthorized access and unauthorized use.
104. The concept of intellectual property law has been predicated both on the recognition of natural rights in intellectual property and on the policy of encouraging the creation of works by granting a certain premium to the creators. In the field of information technology, this concept is especially important for the protection of computer programmes and semiconductor topographies.
1 Computer programs
105. Depending on the circumstances, trade secret protection may apply to computer-stored date, including computer programs themselves. However, since these legal devices are restricted to secret programs, special relationships and/or specific acts of accessing information, they are not sufficient to guarantee secure trade with respect to computer programmes in general. The price discrepancy between expensive originals of computer programmes and cheaper unauthorized reproductions is so vast that there is a demand in all countries for the more comprehensive regulation of these activities. Protective systems could be expanded to include non-secret programs and could be applicable to third parties.
106. In recent years, many countries have debated the scope of copyright law, given that patent law can protect only a small number of programs, such as those that include a technical invention. With the aim of avoiding legal uncertainty, many countries have expressly provided copyright protection for computer programmes by way of legislative amendments. This fundamental recognition of the need to copyright computer programmes can, however, only be regarded as a first step. The creation of effective copyright protection for computer programmes raises explicitly the question of the appropriate scope of copyright protection, as well as some additional problems. Until now, these questions have been solved in disparate and often unsatisfactory ways in many countries.
107. The role op penal copyright protection has also been evaluated differently in various countries. In the past, copyright law in common law systems rarely, if ever, resorted to penal sanctions; civil law systems, in contrast, have traditionally punished infringements of copyright by lenient criminal sanctions. The increase in audio- and videotape piracy in recent years, however, has necessitated more stringent criminal sanctions in both systems; thus the distinction between civil and common law systems has been effectively removed.
108. Although some of the new laws are still confined to phonographic products, many are of a more general nature. Reform proposals providing more severe criminal sanctions for copyright infringements have been enacted in many countries. These efforts to achieve more effective copyright protection are justified, since attacks against intellectual property deserve a criminal law response as much as do the more conventional attacks on corporeal property. The reluctance to criminalize copyright infringements, still evident in some countries, could be counteracted by adequate civil law provisions. The law can be structured to differentiate between less objectionable activities, such as private back-up copying, and more clearly criminal behaviour, which either causes economic damage or is regularly committed for gain.
109. Computer programmes are not the only new economic values created by modern computer technology. As is evidenced by the miniaturization of computers and the development of fifth-generation computers, the technique of integrated circuits is becoming more and more sophisticated. The possibilities of copying the topography of semiconductor products give rise to demand for an effective protection of such products in order to stop unauthorized reproduction.
110. In most countries, it remains unclear to what extent the topography of semiconductor products is protected against reproductions by patent law, copyright law, registered designs, trade secret law and competition law. In the United States, special protection for computer chips was provided by the Semiconductor Chip Protection Act of 1984. 8 Many states followed this sui generis approach by enacting similar legislation.
111. However, criminal sanctions provided under this type of legislation differ from country to country. In contrast to the laws of Canada, Italy and the United States, the new Finnish, German, Japanese, Netherlands and Swedish laws include criminal sanctions, which among other things punish the infringement of a circuit layout right. Civil and penal sanctions for egregious infringements of circuit layout rights require serious consideration.
112. When information is acquired by stealing a corporeal carrier of information, such as a printout, tape or disk, the traditional penal provisions on theft, larceny or embezzlement are not problematic in application. However, the ability of data-processing and communication systems to copy data quickly, inconspicuously and, often, via telecommunication facilities has meant that most of these acts of traditional information carrier theft are replaced with acts of actual information acquisition. Therefore, the question arises, To what extent can or should the pure acquisition of incorporeal information be covered by these provisions? Most countries are eluctant to apply traditional provisions on theft and mbezzlement to the unauthorized appropriation of secret nformation, because these provisions generally require that orporeal property be taken away with the intention of depriving he victim of use or control The acquisition of information (e.g. y copying it or taking away a copy) does not necessarily deprive he original holder of the information. The data may still exist ntact, or other copies my exist.
113. Additionally, in many countries the traditional laws of theft also require that the thing that is taken constitute property. However, legislators and the judiciary in many of these countries are reluctant to ascribe a property status to information, even confidential information. The issue of misappropriation of information raises a number of broader legal, social and economic issues. The conflict of interest between the free flow of information and the right to confidentiality must be taken into account, as must be the economic interests in certain kinds of information. Just as in the area of intellectual property law solutions in this area must also provide for an appropriate degree of flexibility to balance these competing interests. Traditional property law, with its emphasis on exclusivity to one owner, does not adequately account for the dynamics of information in an information society. Rather than relying on traditional theft provisions, special laws may need to be enacted. 2
114. As a result of problems in applying the general property law to cover trade secrets, in many countries the misappropriation of someone else's secret information is covered by special provisions on trade secrets law. These provisions protect trade secrets by prohibiting only certain condemnable acts of obtaining information, either by provisions of the penal code or by penal or civil provisions of statutes against unfair competition. These laws generally attempt to balance the competing interests.
115. Generally speaking, it can be said that criminal trade secret law and civil unfair competition law are less developed in common law countries, at least statutorily, and in Asian countries than in continental Europe. As far as future policy-making is concerned, the international trend towards trade secret protection should be encouraged. To achieve an international consensus, all legal systems could, either in their penal codes or in statutes against unfair competition, establish penal trade secret protection reinforced by adequate civil provisions on unfair competition.
C. The international harmonization of criminal law
116. In order to effectively address computer crime, concerted international cooperation is required. Such can only occur, however, if there is a common framework for understanding what the problem is and what solutions are being considered. To date, international harmonization of the legal categories and definition of computer crime has been proposed by the United Nations, by OECD and by the Council of Europe.
1. First initiatives of OECD
117. The first comprehensive international effort dealing with the criminal law problems of computer crime was initiated by OECD. From 1983 to 1985, an ad hoc committee of OECD discussed the possibilities of an international harmonization of criminal laws in order to fight computer-related economic crime. In September 1985, the committee recommended that member countries consider the extent to which knowingly committed acts in the field of computer-related abuse should be criminalized and covered by national penal legislation.
118. In 1986, based on a comparative analysis of substantive law, OECD suggested that the following list of acts could constitute a common denominator for the different approaches being taken by member countries:
"The input, alteration, erasure and/or suppression of computer data and/or computer programmes made willfully with the intent to commit an illegal transfer of funds or of another thing of value;
The input, alteration, erasure and/or suppression of computer data and/or computer programmes made willfully with the intent to commit a forgery;
The input, alteration, erasure and/or suppression of computer data and/or computer programs, or other interference with computer systems, made willfully with the intent to hinder the functioning of a computer and/or telecommunication system;
The infringement of the exclusive right of the owner of a protected computer programme with the intent to exploit commercially the programme and put in on the market;
The access to or the interception of a computer and/or telecommunication system made knowingly and without the authorization of the person responsible for the system, either (i) by infringement of security measures or (ii) for other dishonest or harmful intentions." 9
2. The guidelines of the Council of Europe
119. From 1985 to 1989, the Select Committee of Experts on Computer-Related Crime of the Council of Europe discussed the legal problems of computer crime. The Select Committee and the European Committee on Crime Problems prepared Recommendation No. R(89)9, which was adopted by the Council on 13 September 1989. 10
120. This document "recommends the Governments of Member States to take into account, when reviewing their legislation or initiating new legislation, the report on computer-related crime... and in particular the guidelines for the national legislatures". The guidelines for national legislatures include a minimum list, which reflects the general consensus of the Committee regarding certain computer-related abuses that should be dealt with by criminal law, as well as an optional list, which describes acts that have already been penalized in some States, but on which an international consensus for criminalisation could not be reached.
121. The minimum list of offences for which uniform criminal policy on legislation concerning computer-related crime had been achieved enumerates the following offences:
Computer fraud. The input, alteration, erasure or suppression of computer data or computer programs, or other interference with the course of data processing that influences the result of data processing, thereby causing economic or possessory loss of property of another person with the intent of procuring an unlawful economic gain for himself or for another person;
Computer forgery. The input, alteration erasure or suppression of computer data or computer programs, or other interference with the course of data processing in a manner or under such conditions, as prescribed by national law, that it would constitute the offence of forgery if it had been committed with respect to a traditional object of such an offence;
Damage to computer data or computer programs. The erasure, damaging, deterioration or suppression of computer data or computer programmes without right;
Computer sabotage. The input, alteration erasure or suppression of computer data or computer programs, or other interference with computer systems, with the intent to hinder the functioning of a computer or a telecommunications system;
Unauthorized access. The access without right to a computer system or network by infringing security measures;
Unauthorized interception. The interception, made without right and by technical means, of communications to, from and within a computer system or network;
Unauthorized reproduction of a protected computer program. The reproduction, distribution or communication to the public without right of a computer programme which is protected by law;
Unauthorized reproduction of a topography. The reproduction without right of a topography protected by law, of a semiconductor product, or the commercial exploitation or the importation for that purpose, done without right, of a topography or of a semiconductor product manufactured by using the topography."
122. The optional list contains the following conduct:
Alteration of computer data or computer programs. The alteration of computer data or computer programmes without right;
Computer espionage. The acquisition by improper means or the disclosure, transfer or use of a trade or commercial secret without right or any other legal justification, with intent either to cause economic loss to the person entitled to the secret or to obtain an unlawful economic advantage for oneself or a third person;
Unauthorized use of a computer. The use of a computer system or network without right, that either: (i) is made with the acceptance of significant risk of loss being caused to the person entitled to use the system or harm to the system or its functioning, or (ii) is made with the intent to cause loss to the person entitled to use the system or harm to the system or its functioning, or (iii) causes loss to the person entitled to use the system or harm to the system or its functioning;
Unauthorized use of a protected computer program. The use without right of a computer programme which is protected by law and which has been reproduced without right, with the intent, either to procure and unlawful economic gain for himself or for another person or to cause harm to the holder of the right."
3. Resolution of the General Assembly
123. In 1990, the legal aspects of computer crime were also discussed by the United Nations, particularly at the Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, at Havana, as well as at the accompanying symposium on computer crime organized by the Foundation for Responsible Computing. The Eighth United Nations Congress adopted a resolution on computer-related crime, a portion of which was quoted in paragraph 18. 124. In its resolution 45/121, the General Assembly welcomed the instruments and resolutions adopted by the Eighth Congress and invited Governments to be guided by them in the formulation of appropriate legislation and policy directives in accordance with the economic, social, legal, cultural and political circumstances of each country.
4. The proposed resolution of the Association Internationale de Droit Penal
125. The draft resolution of the AIDP Colloquium, held at Wurzburg, 5-8 October 1992, contains a number of recommendations, including the following:
"3. To the extent that traditional criminal law is not sufficient, modification of existing, or the creation of new offences should be supported of other measures are not sufficient (principle of subsidiarity).
4. In the enactment of amendments and new provisions, emphasis should be put on precision and clarity. In areas where criminal law is only an annex to other areas of law (as in the area of copyright law), this requirement should also be applied to the substantive material or that other law.
5. In order to avoid over-criminalisation, regard should be given to the scope to which criminal law extends in related areas. Extensions that range beyond these limits require careful examination and justification. In this respect, one important criterion in defining or restricting criminal liability is that offences in this area be limited primarily to intentional acts.
...
7. Having regard to the advances in information technology, the increase in related crime since the adoption of the 1989 recommendation of the Council of Europe, the significant value of intangibles in the information age, the desirability to promote further research and technological development and the high potential for harm, it is recommended that States should also consider, in accord with their legal traditions and culture and with reference to the applicability of their existing laws, punishing as crimes the conduct described in the optional list , especially the alteration of computer data and computer espionage.
8. Furthermore, it is suggested that some of the definitions in the Council of Europe lists - such as the offence of unauthorized access - may need further clarification and refinement in the light of advances in information technology and changing perceptions of criminality. For the same reasons, other types of abuses that are not included expressly in the lists, such as trafficking in wrongfully obtained computer passwords and other information about means of obtaining unauthorized access to computer systems, and the distribution or viruses or similar programs, should also be considered as candidates for criminalisation, in accord with national legal traditions and culture and with reference to the applicability of existing laws. In light of the high potential damage that can be caused by viruses, worms and other such programmes that are meant, or are likely, to propagate into and damage, or otherwise interfere with, data, programmes or the functioning of computer systems, it is recommended that more scientific discussion and research be devoted to this area. Special attention should be given to the use of criminal norms that penalize recklessness or the creation of dangerous risks, and to practical problems of enforcement. Consideration might also be given as to whether the resulting crime should be regarded as a form of sabotage offence.
9. In regard to the preceding recommendations, it is recognized that different legal cultures and traditions may resolve some of these issues in different ways while, nevertheless, still penalizing the essence of the particular abuse. States should be conscious of alternative approaches in other legal systems." 13
126. The draft resolution acknowledges the work of OECD and the Council of Europe and welcomes the guidelines adopted by the latter, which create a minimum list of criminal acts as well as an optional list of acts that should be penalized by national law. The draft resolution is expected to be adopted, with or without revisions, at a conference of AIDP to be held at Rio de Janeiro in 1994.