
International review of criminal policy - United Nations Manual on the prevention and control of computer-related crime



CONTENTS


Introduction

THE PHENOMENON OF COMPUTER CRIME

SUBSTANTIVE CRIMINAL LAW PROTECTING THE HOLDER OF DATA AND INFORMATION

SUBSTANTIVE CRIMINAL LAW PROTECTING PRIVACY

PROCEDURAL LAW

CRIME PREVENTION IN THE COMPUTER ENVIRONMENT

INTERNATIONAL COOPERATION

CONCLUSION


Introduction


1. When future historians scrutinize the second half of the twentieth century, they will be reviewing what is sure to be known as the Information Revolution. Humankind has progressed further in the last 50 years than in any other period of history. One of the reasons for this rapid advance in technology is the computer. Technological capabilities have increased at an accelerating pace, permitting ever larger and more sophisticated systems to be conceived and allowing ever more sensitive and critical functions to be assigned to them.

2. Indeed, the world is undergoing a second Industrial Revolution. Information technology today touches every aspect of life, irrespective of location on the globe. Everyone's daily activities are affected in form, content and time by the computer. Businesses, Governments and individuals all receive the benefits of this Information Revolution. While providing tangible benefits in time and money, the computer has also had an impact on everyday life, as computerized routines replace mundane human tasks. More and more of our businesses, industries, economies, hospitals and Governments are becoming dependent on computers. Computers are not only used extensively to perform the industrial and economic functions of society but are also used to perform many functions upon which human life itself depends; medical treatment and air traffic control are but two examples. Computers are also used to store confidential data of a political, social, economic or personal nature. They assist in the improvement of economies and of living conditions in all countries. Communications, organizational functioning and scientific and industrial progress have developed so rapidly with computer technology that our form of living has changed irreversibly.

3. With the computer, the heretofore impossible has now become possible. The computer has allowed large volumes of data to be reduced to high-density, compact storage, nearly imperceptible to the human senses. It has allowed an exponential increase in speed, and even the most complex calculations can be completed in milliseconds. The miniaturization of processors has permitted worldwide connectivity and communication. Computer literacy continues to grow.

4. The burgeoning of the world of information technologies has, however, a negative side: it has opened the door to antisocial and criminal behavior in ways that would never have previously been possible. Computer systems offer some new and highly sophisticated opportunities for law-breaking, and they create the potential to commit traditional types of crimes in non-traditional ways. In addition to suffering the economic consequences of computer crime, society relies on computerized systems for almost everything in life, from air, train and bus traffic control to medical service coordination and national security. Even a small glitch in the operation of these systems can put human lives in danger. Society's dependence on computer systems, therefore, has a profound human dimension. The rapid transnational expansion of large-scale computer networks and the ability to access many systems through regular telephone lines increase the vulnerability of these systems and the opportunity for misuse or criminal activity. The consequences of computer crime may have serious economic costs as well as serious costs in terms of human security.

 


A. The international problem

5. Laws, criminal justice systems and international cooperation have not kept pace with technological change. Only a few countries have adequate laws to address the problem, and of these, not one has resolved all of the legal, enforcement and prevention problems.

6. When the issue is elevated to the international scene, the problems and inadequacies are magnified. Computer crime is a new form of transnational crime and effectively addressing it requires concerted international cooperation. This can only happen, however, if there is a common framework for understanding what the problem is and what solutions there may be.

7. Some of the problems surrounding international cooperation in the area of computer crime and criminal law can be summarized as follows:

 

  1. The lack of global consensus on what types of conduct should constitute a computer-related crime;
  2. The lack of global consensus on the legal definition of criminal conduct;
  3. The lack of expertise on the part of police, prosecutors and the courts in this field;
  4. The inadequacy of legal powers for investigation and access to computer systems, including the inapplicability of seizure powers to intangibles such as computerized data;
  5. The lack of harmonization between the different national procedural laws concerning the investigation of computer-related crimes;
  6. The transnational character of many computer crimes;
  7. The lack of extradition and mutual assistance treaties and of synchronized law enforcement mechanisms that would permit international cooperation, or the inability of existing treaties to take into account the dynamics and special requirements of computer-crime investigation.

B. Regional action

8. Examination of these questions has already occurred to some degree at the international and regional levels. In particular, the Organisation for Economic Co-operation and Development (OECD) and the Council of Europe have produced guidelines for policy makers and legislators.

9. In 1983, OECD undertook a study of the possibility of an international application and harmonization of criminal laws to address the problem of computer crime or abuse. In 1986, it published Computer-Related Crime: Analysis of Legal Policy, a report that surveyed the existing laws and proposals for reform in a number of Member States and recommended a minimum list of abuses that countries should consider prohibiting and penalizing by criminal laws, for example, computer fraud and forgery, the alteration of computer programs and data, copyright infringement, and the interception of the communications or other functions of a computer or telecommunication system. A majority of members of the Committee on Information, Computer and Communications Policy also recommended that criminal protections should be developed for other types of abuse, including the theft of trade secrets and unauthorized access to, or use of, computer systems.

10. Following the completion of the OECD report, the Council of Europe initiated its own study of this issue with a view to developing guidelines to assist legislators in determining what conduct should be prohibited by the criminal law and how this should be achieved, having regard for the conflict of interest between civil liberties and the need for protection. The minimum list of OECD was expanded considerably by adding other types of abuses that were recommended as deserving of the application of the criminal law. The Select Committee of Experts on Computer-Related Crime of the Committee on Crime Problems examining these questions also addresses other areas, such as privacy protection, victims, prevention, procedural issues such as the international search and seizure of data banks, and international cooperation in the investigation and prosecution of computer crime. Recommendation R(89)9 of the Council of Europe on computer-related crime, which contains guidelines for national legislatures, was adopted by the Committee of Ministers of the Council of Europe on 13 September 1989.

11. In 1992, OECD developed a set of guidelines for the security of information systems, which is intended to provide a foundation on which States and the private sector may construct a framework for the security of information systems. In that same year, the Council of Europe began a study that will concentrate on procedural and international cooperation issues related to computer crime and information technology.

 


C. The need for global action

12. Despite these international efforts, much remains to be accomplished in order to achieve international cooperation. While much of the international work has so far been centered in western European and OECD countries, the potential extent of computer crime is as broad as the extent of the international telecommunication systems. All regions of the world must become involved in order to prevent this new form of criminality.

13. Ensuring the integrity of computer systems is a challenge facing both developed and developing countries. It is predicted that within the next decade, it will be necessary for developing nations to experience significant technological growth in order to become economically self-sufficient and more competitive in world markets. As dependence on computer technology grows in all nations, it will be crucial to ensure that the rate of technological dependence does not outstrip the rate at which the corresponding social, legal and political frameworks are developing. It is important to plan for security and crime prevention at the same time that computer technology is being implemented.

14. The participation of both developed and developing nations in international computer-crime initiatives is an encouraging trend. For example, the three associated conferences on computer crime at Würzburg in October 1992 were attended by delegates from Africa, Asia, eastern and western Europe, Latin America, the Middle East and North America. An adequate response to computer crime requires that both developed and developing nations should encourage regional and international organizations to examine the issue and promote crime prevention programs on a national level.

15. This strategy is necessary, both immediately and in the long term, to ensure international cooperation and to foster the political will to create a secure information community and the universal criminalization of computer crime.

 


D. Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders

16. Following the Seventh United Nations Congress on the Prevention of Crime and the Treatment of Offenders, which took place in 1985, the Secretary-General prepared a report entitled "Proposals for concerted international action against forms of crime identified in the Milan Plan of Action" (E/AC.57/1988/16). Computer crime was discussed in paragraphs 42-44 of that report.

17. In preparation for the Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, the Asia and Pacific Regional Preparatory Meeting indicated concern with the effects of technological progress, as reflected in computer crimes (A/CONF.144/RPM.2).

18. At the 12th plenary meeting of the Eighth Congress, which took place in 1990, the representative of Canada introduced a draft resolution on computer-related crimes on behalf of the 21 sponsors. At its 13th plenary meeting, the Congress adopted the resolution, in which it, inter alia, called upon Member States to intensify their efforts to combat computer crime by considering, if necessary, the following measures:

 

  1. "Modernization of national criminal laws and procedures, including measures to:
    • Ensure that existing offences and laws concerning investigative powers and admissibility of evidence in judicial proceedings adequately apply and, if necessary, make appropriate changes;
    • In the absence of laws that adequately apply, create offences and investigative and evidentiary procedures, where necessary, to deal with this novel and sophisticated form of criminal activity;
    • Provide for the forfeiture or restitution of illegally acquired assets resulting from the commission of computer-related crimes;
  2. Improvement of computer security and prevention measures, taking into account the problems related to the protection of privacy, the respect for human rights and fundamental freedoms and any regulatory mechanisms pertaining to computer usage;
  3. Adoption of measures to sensitize the public, the judiciary and law enforcement agencies to the problem and the importance of preventing computer-related crimes;
  4. Adoption of adequate training measures for judges, officials and agencies responsible for the prevention, investigation, prosecution and adjudication of economic and computer-related crimes;
  5. Elaboration, in collaboration with interested organizations, of rules of ethics in the use of computers and the teaching of these rules as part of the curriculum and training in informatics;
  6. Adoption of policies for the victims of computer-related crimes which are consistent with the United Nations Declaration of Basic Principles of Justice for Victims of Crime and Abuse of Power, including the restitution of illegally obtained assets, and measures to encourage victims to report such crimes to the appropriate authorities."

19. In its resolution, the Eighth Congress also recommended that the Committee on Crime Prevention and Control should promote international efforts in the development and dissemination of a comprehensive framework of guidelines and standards that would assist Member States in dealing with computer-related crime and that it should initiate and develop further research and analysis in order to find new ways in which Member States may deal with the problem of computer-related crime in the future. It also recommended that these issues should be considered by an ad hoc meeting of experts and requested the Secretary-General to consider the publication of a technical publication on the prevention and prosecution of computer-related crime.

 


I. The Phenomenon of Computer Crime


A. Definition of computer crime

20. It is difficult to determine when the first crime involving a computer actually occurred. The computer has been around in some form since the abacus, which is known to have existed in 3500 B.C. in Japan, China and India. In 1801 profit motives encouraged Joseph Jacquard, a textile manufacturer in France, to design the forerunner of the computer card. This device allowed the repetition of a series of steps in the weaving of special fabrics. So concerned were Jacquard's employees with the threat to their traditional employment and livelihood that acts of sabotage were committed to discourage Mr. Jacquard from further use of the new technology. A computer crime had been committed.

21. There has been a great deal of debate among experts on just what constitutes a computer crime or a computer-related crime. Even after several years, there is no internationally recognized definition of those terms; throughout this Manual the terms computer crime and computer-related crime will therefore be used interchangeably. There is no doubt among the authors and experts who have attempted to arrive at definitions of computer crime that the phenomenon exists. However, the definitions that have been produced tend to relate to the study for which they were written. Because their authors were deliberately precise about the scope and use of particular definitions, using those definitions out of their intended context often creates inaccuracies. A global definition of computer crime has not been achieved; rather, functional definitions have been the norm.

22. Computer crime can involve criminal activities that are traditional in nature, such as theft, fraud, forgery and mischief, all of which are generally subject everywhere to criminal sanctions. The computer has also created a host of potentially new misuses or abuses that may, or should, be criminal as well.

23. In 1989, expanding on work that had been undertaken by OECD, the European Committee on Crime Problems of the Council of Europe produced a set of guidelines for national legislators that enumerated activities that should be subject to criminal sanction. By discussing the functional characteristics of target activities, the Committee did not attempt a formal definition of computer crime but left individual countries to adapt the functional classification to their particular legal systems and historical traditions.

24. The terms "computer misuse" and "computer abuse" are also used frequently, but they have significantly different implications. Criminal law recognizes the concepts of unlawful or fraudulent intent and of claim of right; thus, any criminal laws that relate to computer crime would need to distinguish between accidental misuse of a computer system, negligent misuse of a computer system and intended, unauthorized access to or misuse of a computer system, amounting to computer abuse. Annoying behavior must be distinguished from criminal behavior in law.

25. In relation to the issue of intent, the principle of claim of right also informs the determination of criminal behavior. For example, an employee who has received a password from an employer, without direction as to whether a particular database can be accessed, is unlikely to be considered guilty of a crime if he or she accesses that database. However, the principle of claim of right would not apply to the same employee who steals a password from a colleague to access that same database, knowing his or her access is unauthorized; this employee would be behaving in a criminal manner.

26. A distinction must be made between what is unethical and what is illegal; the legal response to the problem must be proportional to the activity that is alleged. It is only when the behavior is determined to be truly criminal that criminal prohibition and prosecution should be sought. The criminal law, therefore, should be employed and implemented with restraint.

 


B. The extent of crime and losses

27. Only a small portion of crimes come to the attention of the law enforcement authorities. In his book Computer Security, J. Carroll states that "computer crime may be the subject of the biggest cover-up since Watergate". While it is possible to give an accurate description of the various types of computer offences committed, it has proved difficult to give an accurate, reliable overview of the extent of losses and the actual number of criminal offences. At its Colloquium on Computer Crimes and Other Crimes against Information Technology, held at Würzburg, Germany, from 5 to 8 October 1992, the International Association of Penal Law (AIDP) released a report on computer crime, based on reports of its member countries, that estimated that only 5 per cent of computer crime was reported to law enforcement authorities.

28. The number of verifiable computer crimes is not, therefore, very high. This fact notwithstanding, authorities point out that the evidence of computer crime discernible from official statistical sources, studies and surveys indicates the phenomenon should be taken seriously.

29. The American Bar Association conducted a survey in 1987: of 300 corporations and government agencies, 72 claimed to have been the victim of computer-related crime in the 12-month period prior to the survey, sustaining losses estimated to range from $ 145 million to $ 730 million. In 1991, a survey of security incidents involving computer-related crime was conducted at 3,000 Virtual Address Extension (VAX) sites in Canada, Europe and the United States of America. Seventy-two per cent of the respondents said that a security incident had occurred within the previous 12-month period; 43 per cent indicated that the security incident they had sustained had been a criminal offence. A further 8 per cent were uncertain whether they had sustained a security incident. Similar surveys conducted around the world report significant and widespread abuse and loss.

30. Law enforcement officials indicate from their experience that recorded computer crime statistics do not represent the actual number of offences; the term "dark figure", used by criminologists to refer to unreported crime, has been applied to undiscovered computer crimes. The invisibility of computer crimes is based on several factors. First, sophisticated technology, that is, the immense, compact storage capacity of the computer and the speed with which computers function, ensures that computer crime is very difficult to detect. In contrast to most traditional areas of crime, unknowing victims are often informed after the fact by law enforcement officials that they have sustained a computer crime. Secondly, investigating officials often do not have sufficient training to deal with problems in the complex environment of data processing. Thirdly, many victims do not have a contingency plan for responding to incidents of computer crime, and they may even fail to acknowledge that a security problem exists.

31. An additional cause of the dark figure is the reluctance of victims to report computer offences once they have been discovered. In the business sector, this reluctance is related to two concerns. Some victims may be unwilling to divulge information about their operations for fear of adverse publicity, public embarrassment or loss of goodwill. Other victims fear the loss of investor or public confidence and the resulting economic consequences. Some experts have suggested that these factors have a significant impact on the detection of computer crime.

 


C. Perpetrators of computer crime

32. History has shown that computer crime is committed by a broad range of persons: students, amateurs, terrorists and members of organized crime groups. What distinguishes them is the nature of the crime committed. The individual who accesses a computer system without further criminal intent is much different from the employee of a financial institution who skims funds from customer accounts.

33. The typical skill level of the computer criminal is a topic of controversy. Some claim that skill level is not an indicator of a computer criminal, while others claim that potential computer criminals are bright, eager, highly motivated subjects willing to accept a technological challenge, characteristics that are also highly desirable in an employee in the data-processing field.

34. It is true that computer criminal behavior cuts across a wide spectrum of society, with the age of offenders ranging from 10 to 60 years and their skill level ranging from novice to professional. Computer criminals, therefore, are often otherwise average persons rather than supercriminals possessing unique abilities and talents. Any person of any age with a modicum of skill, motivated by the technical challenge, by the potential for gain, notoriety or revenge, or by the promotion of ideological beliefs, is a potential computer criminal.

35. According to a number of studies, however, employees represent the largest threat, and indeed computer crime has often been referred to as an insider crime. One study estimated that 90 per cent of economic computer crimes were committed by employees of the victimized companies. A recent survey in North America and Europe indicated that 73 per cent of the risk to computer security was attributable to internal sources and only 23 per cent to external criminal activity.

36. As advances continue to be made in remote data processing, the threat from external sources will probably increase. With the increasing connectedness of systems and the adoption of more user-friendly software, the sociological profile of the computer offender may change.

37. Owing to the greater complexity of certain computer routines and augmented security measures, it is becoming increasingly unlikely that any one person will possess all the information needed to use a computer system for criminal purposes. Organized computer criminal groups, composed of members from all over the world, are beginning to emerge. Corresponding with this increasing cooperation in criminal activity, the escalating underground use of electronic bulletin boards for clandestine criminal communication has been detected around the world. Rapidly improving telecommunication technology has added to the threat from external sources. Computer-based voice mailbox systems, for example, are being used by the computer criminal community to exchange stolen access numbers, passwords and software.

38. The advent of viruses and similar mechanisms whereby computer software can be made to act almost on its own initiative poses a new and significant threat. Sophisticated viruses and devices such as "logic bombs" and "trojan horses", discussed below, can be targeted for specific objectives at specific industries to commit a variety of traditional criminal offences, from mere mischief to extortion. These crimes, furthermore, can be committed immediately or can be planted to spring at a future date.

39. Computer criminals have gained notoriety in the media and appear to have gained more social acceptability than traditional criminals. The suggestion that the computer criminal is a less harmful individual, however, ignores the obvious. The current threat is real. The future threat will be directly proportional to the advances made in computer technology.

 


D. The vulnerability of computer systems to crime

40. Historically, economic value has been placed on visible and tangible assets. With the increasing appreciation that intangible data can possess economic value, data have become an economic asset that can be targeted for crime. Tangible assets in the computer environment, therefore, often have a double value. The replacement cost of a piece of computer equipment may represent only a small portion of the economic loss caused by the theft of, or damage to, that equipment. Of much greater significance is the value of the information lost or made inaccessible by the misappropriation or damage.

41. Computer systems are particularly vulnerable to threats because of a number of interacting factors. The more significant of these are analysed briefly below.

 

1. Density of information and processes

42. Storage technology has allowed the development of filing systems that can accommodate billions of characters of data on-line. Providing different access privileges for different users of such systems is often difficult. A further problem lies in the fact that, owing to the methods for accessing stored information, a single error can have widespread impact. This fact can be used to great advantage by a party who wants to corrupt data or disrupt service.

43. At the same time, memory management techniques allow many independent processes to be supported concurrently within a single operating system. Independent data files can be combined to produce new and unforeseen relationships. Data items may be linked to produce a new item with a higher level of sensitivity than the original discrete data components. The centralization of information and processing functions provides an attractive target for the infiltrator or saboteur intent on attacking the functions or information assets of an organization.
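The linkage described in the preceding paragraph can be made concrete. The following is an added example, not part of the United Nations Manual: two constructed files, a personnel directory and a clinic file from which names have been removed, are each unremarkable on their own, but joining them on the attributes they share (postcode, birth year, sex) recovers the identity behind a medical record whenever that combination is unique in the directory. The file contents, column names and function names are all assumptions made for the illustration.

```python
# Added example (not from the UN manual). Two individually low-sensitivity
# data files are joined on shared quasi-identifiers to produce a record more
# sensitive than either input. All records below are constructed.
import csv
import io
from collections import defaultdict

# Constructed file 1: a personnel directory, treated as non-sensitive.
DIRECTORY_CSV = """name,postcode,birth_year,sex
A. Nguyen,V6C,1971,F
B. Rossi,V6C,1971,M
C. Okafor,M5H,1984,F
D. Svensson,M5H,1984,F
"""

# Constructed file 2: clinic records with the name column removed.
CLINIC_CSV = """postcode,birth_year,sex,diagnosis
V6C,1971,F,condition-1
M5H,1984,F,condition-2
M5H,1984,F,condition-3
"""

# Attributes present in both files; none is an identifier by itself.
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def key(row):
    return tuple(row[k] for k in QUASI_IDENTIFIERS)


def link(directory_rows, clinic_rows):
    """Join the two files on the quasi-identifiers.

    Returns {name: [diagnoses]} for every clinic record whose attribute
    combination matches exactly one directory entry, i.e. is re-identified.
    Records matching several people stay unlinked.
    """
    by_key = defaultdict(list)
    for row in directory_rows:
        by_key[key(row)].append(row["name"])
    linked = {}
    for rec in clinic_rows:
        names = by_key.get(key(rec), [])
        if len(names) == 1:  # a unique match recovers the identity
            linked.setdefault(names[0], []).append(rec["diagnosis"])
    return linked


def k_anonymity(rows):
    """Size of the smallest group sharing the same quasi-identifier values.

    A value of 1 means at least one record can be singled out by those
    attributes alone; this is the check to run before releasing a file.
    """
    counts = defaultdict(int)
    for row in rows:
        counts[key(row)] += 1
    return min(counts.values())


if __name__ == "__main__":
    directory = load(DIRECTORY_CSV)
    clinic = load(CLINIC_CSV)
    print("k-anonymity of the clinic file:", k_anonymity(clinic))
    for name, diagnoses in link(directory, clinic).items():
        print(f"re-identified: {name} -> {diagnoses}")
```

Only the V6C record is re-identified: the two M5H records share their attribute values with two directory entries, so the join cannot tell them apart. That is the general point behind the paragraph, and behind the k-anonymity check in the block: removing the name column does not make a file safe if the remaining columns, combined with another file, still single people out.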

44. The density of data stored on such media as tapes, diskettes, cassettes and microfilms means that the loss or theft of such items can be very significant.

 

2. System accessibility

45. Before security became a significant design criterion, the goal was often to provide the maximum computing capability to the largest possible user community. Access concerns once confined to the restricted computer room area must now be extended to remote terminal locations and interconnecting communications links. However, remote terminal stations and transmission circuits are often not subject to the same controls as those in the main centre. Two forms of attack that exploit remote access are the use of fraudulent identification and access codes to obtain the use of system resources and the unauthorized use of an unattended terminal, logged on by an authorized person.

46. Because of the desire to give system users maximum capability, unrestricted access privileges are often granted rather than allowing only the privileges necessary to perform an intended function. A transaction-oriented system permitting read-only or inquiry-only access offers a greater degree of protection than a system offering full programming capability.

47. Many systems in current use offer very limited ability to control user capabilities related to passive data and programs on a read-only, read-write or execute basis. This situation frequently necessitates operating on the assumption that every user has the capability to use the full computing potential of the operating system. A known penetration technique that utilizes this weakness involves disguising user instructions intended for clandestine purposes as a common utility, such as a file-copying routine, or inserting them into an existing routine. When the illicit code is activated, it performs functions more privileged than were intended for that user.
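The penetration technique just described, and the least-privilege point of the preceding paragraph, can be shown together. The following is an added example, not the Manual's own material: a toy file store enforces read and write rights per user, and a "copy" utility that secretly carries extra instructions is run twice, once with the privileges of the user who invoked it and once under an unrestricted identity, which is the "every user has the full computing potential of the operating system" assumption the paragraph warns about. The file names, user names, rights model and function names are constructed for the illustration and correspond to no real system.

```python
# Added example (not from the UN manual). A minimal access-controlled file
# store, and a disguised "copy" utility run under two privilege regimes.
# All paths, users and rights below are constructed.
READ, WRITE = "r", "w"


class AccessDenied(Exception):
    pass


class FileStore:
    """Files plus an access-control list; 'SYSTEM' bypasses all checks."""

    def __init__(self):
        self.files = {}  # path -> content
        self.acl = {}    # path -> {user: set of rights}

    def create(self, path, content, acl):
        self.files[path] = content
        self.acl[path] = {user: set(rights) for user, rights in acl.items()}

    def check(self, user, path, right):
        if user == "SYSTEM":
            return  # unrestricted identity: no control applies
        if right not in self.acl.get(path, {}).get(user, set()):
            raise AccessDenied(f"{user} lacks {right!r} on {path}")

    def read(self, user, path):
        self.check(user, path, READ)
        return self.files[path]

    def write(self, user, path, content):
        self.check(user, path, WRITE)
        self.files[path] = content


def innocent_copy(store, actor, src, dst):
    store.write(actor, dst, store.read(actor, src))


def trojan_copy(store, actor, src, dst):
    """Behaves like innocent_copy for the caller, but also copies a file the
    caller was never granted into a location the caller can later read."""
    innocent_copy(store, actor, src, dst)
    store.write(actor, "/tmp/leak", store.read(actor, "/payroll/salaries"))


def run_utility(store, utility, caller, src, dst, *, as_system):
    """Run a utility with the caller's own rights, or (as_system=True) with
    the store's unrestricted identity. Returns True if it ran to completion."""
    actor = "SYSTEM" if as_system else caller
    try:
        utility(store, actor, src, dst)
        return True
    except AccessDenied:
        return False


def build_store():
    s = FileStore()
    s.create("/payroll/salaries", "alice:9000;bob:8500", {"payroll": {READ, WRITE}})
    s.create("/home/bob/notes", "todo", {"bob": {READ, WRITE}})
    s.create("/home/bob/notes.bak", "", {"bob": {READ, WRITE}})
    s.create("/tmp/leak", "", {"bob": {READ, WRITE}})
    return s


def leaked(store):
    return store.files["/tmp/leak"] != ""


if __name__ == "__main__":
    args = ("bob", "/home/bob/notes", "/home/bob/notes.bak")
    s = build_store()
    ok = run_utility(s, trojan_copy, *args, as_system=False)
    print("caller's rights only: completed =", ok, "| payroll leaked =", leaked(s))
    s = build_store()
    ok = run_utility(s, trojan_copy, *args, as_system=True)
    print("unrestricted rights: completed =", ok, "| payroll leaked =", leaked(s))
```

Under the caller's own rights the hidden read of the payroll file is refused and nothing leaks, even though the visible copy succeeded; under unrestricted rights the same utility completes and the payroll data lands where bob can read it. The disguised code is identical in both runs; only the privilege the system lends it differs, which is why the paragraph treats the absence of per-user read, write and execute control as a weakness in itself.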

48. Finally, computer control functions are normally made accessible to numerous support and maintenance personnel. Tampering with software or hardware logic to obtain extended privilege or to disable protection features has been known to occur. The exposure provided through increasingly easy access to electronic data processing (EDP) resources is an important contributor to the vulnerability of modern computer systems.

 

3. Complexity

49. The typical operating environment of medium- and large-scale systems is characterized by support for local batch, remote batch, interactive and, occasionally, real-time user modes. Typical operating systems contain from 200,000 to 25 million individual instructions. The number of logic states that are possible during execution in a multiprogramming or multiprocessing environment approaches infinity. It is not surprising that such systems are not fully understood by anyone, including the designers, or that they are often unreliable. It is only possible to prove the presence of errors, not their absence, and any system error can result in down time or a potential security fault. Even when systems have been carefully designed, errors in implementation, maintenance and operation can still occur. The prospective infiltrator can be expected to take full advantage of the uncertainties created by system complexity. Incidents have been noted where deliberate attempts to confuse operators, or to interrupt systems by attacking little-known weaknesses, have been instrumental in producing security violations.


4. Electronic vulnerability

50. The reliance of computer systems on electronic technology means that they are subject to problems of reliability, fragility, environmental dependency and vulnerability to interference and interception. On systems using telecommunications, these vulnerabilities extend to the whole communications network in use.

51. Traditional forms of electronic eavesdropping can be readily adapted to exploit data-processing systems. They include wire-tapping and bugging, the analysis of electromagnetic radiations from equipment and monitoring of the cross-talk induced in adjacent electrical circuits. Interconnecting data communications circuits also suffer the same vulnerabilities, and communications on them can be subject to misrouting. A variation on wire-tapping involves the illegal use of a minicomputer to intercept data communications and to generate false commands or responses to other system components.

52. In the commission of a fraud, electronic technology has an advantage over manual data manipulation, which generally leaves behind an audit trail. Computer data, however, can be instantly changed or erased with minimal chance of detection, by, for example, a virus or logic bomb. The computer criminal can easily modify systems to perpetrate the fraud and then cover the evidence of the offence. It is suggested, moreover, that data processing is protected by only one tenth of the controls afforded to the same process in the manual environment, an insufficiency that facilitates the opportunity to commit crime without detection.

53. The performance of EDP systems may also be adversely affected by electromagnetic interference. Conducted or radiated electrical disturbances can interfere with the operation of electronic equipment. The system may suffer only very temporary and intermittent impairment, measurable in microseconds and from which recovery is possible, or it may suffer complete equipment failure, resulting in an inability to process.

54. All hardware is susceptible to failure through ageing, physical damage and environmental change. To ensure that error propagation is confined to non-sensitive functions, i.e., that the system fails safely, malfunctions must be detected immediately. Progress is being made towards this goal, but few designs in current use offer the desired level of reliability.


5. Vulnerability of electronic data-processing media

55. It is sometimes inferred that a degree of security is provided by the inability of humans to translate machine-readable data in the form of punched holes in cards or tape, magnetic states on tapes, drums and disks, and electrical states in processing or transmission circuits. In practice, not only can such computerized information codes be readily interpreted by most technical personnel, but the data obscurity created has the additional negative effect of creating identification and accounting problems.

56. Because the contents of most EDP media are not visually evident, data-processing personnel are often required to handle sensitive files without being aware they are doing so. As a result, the control of data items becomes a problem. Scratched tapes, discarded core memories can all contain residual data that may demand special attention. Because identity and accountability have been lost, safeguards are frequently relaxed for these items even though the same information is protected elsewhere in the system. The ease with which such sources of information can be utilized has resulted in several well-publicized system penetrations.


6. Human factors

57. As discussed above, employees represent the greatest threat in terms of computer crime. It is not uncommon for operators, media librarians, hardware technicians and other staff members to find themselves in positions of extraordinary privilege in relation to the key functions and assets of their organization. A consequence of this situation is the probability that such individuals are frequently exposed to temptation.

58. A further complication is the tendency on the part of management to tolerate less stringent supervisory controls over EDP personnel. The premise is that the work is not only highly technical and specialized but difficult to understand and control. As an example, systems software support is often entrusted to a single programmer who generates the version of the operating system in use, establishes password or other control lists and determines the logging and accounting features to be used. In addition, such personnel are often permitted, and sometimes encouraged, to perform these duties during non-prime shift periods, when demands on computer time are light. As a result, many of the most critical software development and maintenance functions are performed in an unsupervised environment. It is also clear that operators, librarians and technicians often enjoy a degree of freedom quite different from that which would be considered normal in a more traditional employment area.

59. There is another factor at play in the commission of computer crime. Criminological research has identified a variation of the Robin Hood syndrome: criminals tend to differentiate between doing harm to individual people, which they regard as highly immoral, and doing harm to a corporation, which they can more easily rationalize. Computer systems facilitate these kinds of crimes, as a computer does not show emotion when it is attacked. 12

60. Situations in which personnel at junior levels are trusted implicitly and given a great deal of responsibility, without commensurate management control and accountability, occur frequently in the EDP environment. Whether the threat is from malicious or subversive activities or from honest errors on the part of staff members, the human aspect is perhaps the most vulnerable aspect of EDP systems.



E. Common types of computer crime

61. All stages of computer operations are susceptible to criminal activity, either as the target of the crime or the instrument of the crime or both. Input operations, data processing, output operations and communications have all been utilized for illicit purposes. The more common types of computer-related crime are categorized next.


1. Fraud by computer manipulation

62. Intangible assets represented in data format, such as money on deposit or hours of work, are the most common targets of computer-related fraud. Modern business is quickly replacing cash with deposits transacted on computer systems, creating an enormous potential for computer abuse. Credit card information, as well as personal and financial information on credit-card clients, have been frequently targeted by the organized criminal community. The sale of this information to counterfeiters of credit cards and travel documents has proven to be extremely lucrative. Assets represented in data format often have a considerably higher value than traditionally targeted economic assets, resulting in potentially greater economic loss. In addition, improved remote access to databases allows the criminal the opportunity to commit various types of fraud without ever physically entering the premises of the victim.

63. Computer fraud by input manipulation is the most common computer crime, as it is easily perpetrated and difficult to detect. Often referred to as "data diddling", it does not require any sophisticated computer knowledge and can be committed by anyone having access to normal data-processing functions at the input stage.

64. Program manipulation, which is very difficult to discover and is frequently not recognized, requires the perpetrator to have computer-specific knowledge. It involves changing existing programs in the computer system or inserting new programs or routines. A common method used by persons with specialized knowledge of computer programming is the trojan horse, whereby computer instructions are covertly placed in a computer program so that it will perform an unauthorized function concurrent with its normal function. A trojan horse can be programmed to self-destruct, leaving no evidence of its existence except the damage that it caused. 13 Remote access capabilities today also allow the criminal to easily run modified routines concurrently with legitimate programs.

65. Output manipulation is effected by targeting the output of the computer system. The obvious example is cash dispenser fraud, achieved by falsifying instructions to the computer in the input stage. Traditionally, such fraud involved the use of stolen bank cards. However, specialized computer hardware and software are now being widely used to encode falsified electronic information on the magnetic strips of bank cards and credit cards.

66. There is a particular species of fraud conducted by computer manipulation that takes advantage of the automatic repetitions of computer processes. Such manipulation is characteristic of the specialized "salami technique", whereby nearly unnoticeable, "thin slices" of financial transactions are repeatedly removed and transferred to another account. 10


2. Computer forgery

67. Where data are altered in respect of documents stored in computerized form, the crime is forgery. In this and the above examples, computer systems are the target of criminal activity. Computers, however, can also be used as instruments with which to commit forgery. They have created a new library of tools with which to forge the documents used in commerce. A new generation of fraudulent alteration or counterfeiting emerged when computerized colour laser copiers became available. 14 These copiers are capable of high-resolution copying, the modification of documents and even the creation of false documents without benefit of an original, and they produce documents whose quality is indistinguishable from that of authentic documents except by an expert.


3. Damage to or modifications of computer data or programs

68. This category of criminal activity involves either direct or covert unauthorized access to a computer system by the introduction of new programs known as viruses, "worms" or logic bombs. The unauthorized modification, suppression or erasure of computer data or functions with the intent to hinder normal functioning of the system is clearly criminal activity and is commonly referred to as computer sabotage. Computer sabotage can be the vehicle for gaining economic advantage over a competitor, for promoting the illegal activities of ideologically motivated terrorists or for stealing data or programs (also referred to as "bitnapping") for extortion purposes. In one reported incident at London, Ontario, in 1987, a former employee of a company sought unsuccessfully to sabotage the computer system of the company by inserting a program into the system that would have wiped it out completely.

69. A virus is a series of program codes that has the ability to attach itself to legitimate programs and propagate itself to other computer programs. A virus can be introduced to a system by a legitimate piece of software that has been infected, as well as by the trojan horse method discussed above.

70. The potential purposes of viruses are many, ranging from the display of harmless messages on several computer terminals to the irreversible destruction of all data on a computer system. In 1990, Europe first experienced a computer virus, used to commit extortion in the medical research community. The virus threatened to destroy increasing amounts of data if no ransom was paid for the "cure". A significant amount of valuable medical research data was lost as a result.

71. A worm is similarly constructed to infiltrate legitimate data-processing programs and to alter or destroy the data, but it differs from a virus in that it does not have the ability to replicate itself. In a medical analogy, the worm can be compared to a benign tumor, the virus to a malignant one. However, the consequences of a worm attack can be just as serious as those of a virus attack: for example, a bank computer can be instructed, by a worm program that subsequently destroys itself, to continually transfer money to an illicit account.

72. A logic bomb, also known as a "time bomb", is another technique by which computer sabotage can be perpetrated. The creation of logic bombs requires some specialized knowledge, as it involves programming the destruction or modification of data at a specific time in the future. Unlike viruses or worms, however, logic bombs are very difficult to detect before they blow up; thus, of all these computer crime schemes, they have the greatest potential for damage. Detonation can be timed to cause maximum damage and to take place long after the departure of the perpetrator. The logic bomb may also be used as a tool of extortion, with a ransom being demanded in exchange for disclosure of the location of the bomb.

73. Irrespective of motive, the fact remains that the use of viruses, worms and logic bombs constitutes unauthorized modification of legitimate computer data or programs and thus falls under the rubric of computer sabotage, although the motive of the sabotage may be circumstantial to the alteration of the data.


4. Unauthorized access to computer systems and service

74. The desire to gain unauthorized access to computer systems can be prompted by several motives, from simple curiosity, as exemplified by many hackers, to computer sabotage or espionage. Intentional and unjustified access by a person not authorized by the owners or operators of a system may often constitute criminal behavior. Unauthorized access creates the opportunity to cause additional unintended damage to data, system crashes or impediments to legitimate system users by negligence.

75. Access is often accomplished from a remote location along a telecommunication network, by one of several means. The perpetrator may be able to take advantage of lax security measures to gain access or may find loopholes in existing security measures or system procedures. Frequently, hackers impersonate legitimate system users; this is especially common in systems where users can employ common passwords or maintenance passwords found in the system itself.

76. Password protection is often mischaracterized as a protective device against unauthorized access. However, the modern hacker can easily circumvent this protection using one of three common methods. If a hacker is able to discover a password allowing access, then a trojan horse program can be placed to capture the other passwords of legitimate users. This type of program can operate concurrently with the normal security function and is difficult to detect. The hacker can later retrieve the program containing the stolen passwords by remote access.

77. Password protection can also be bypassed successfully by utilizing password cracking routines. Most modern software effects password security by a process that converts a user's selected password into a mathematical series, a process known as encryption. Encryption disguises the actual password, which is then almost impossible to decrypt. Furthermore, legitimate security software has been developed that allows access to data only after it checks encrypted passwords against a dictionary of common passwords so as to alert system administrators to potential weaknesses in security. However, this same security process can be imitated for illegitimate purposes. Known as a "cracker" program when used for illegitimate purposes, these tools encrypt some or all of the data of the system. This creates a dictionary of data to compare with cracker software, for the purpose of identifying common passwords and gaining access to the system. A variety of these system-specific encryption routines can be obtained from hacker bulletin boards around the world and are regularly updated by the criminal community as security technology develops.
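The legitimate dictionary check that paragraph 77 describes, written out as an added example (not code from the Manual): an administrator-side audit that re-derives the one-way verifier of each common password with each account's salt and flags accounts whose stored verifier matches. The sample accounts, the common-password list and the salted SHA-256 scheme are constructed stand-ins for a real system's own password function.

```python
import hashlib
import hmac


def verifier(salt: bytes, password: str) -> str:
    """Constructed stand-in for the system's one-way password function.

    Stores a hex digest of (per-account salt || password); the salt forces the
    dictionary to be re-hashed separately for every account.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed sample password file: each account keeps its salt and verifier,
# never the password itself.
ACCOUNTS = {
    "alice": {"salt": b"\x01\x02", "hash": verifier(b"\x01\x02", "password")},
    "bob": {"salt": b"\x03\x04", "hash": verifier(b"\x03\x04", "correct-horse-battery")},
    "carol": {"salt": b"\x05\x06", "hash": verifier(b"\x05\x06", "letmein")},
}

# Constructed list of common passwords the administrator wants to forbid.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]


def audit_weak_passwords(accounts: dict, dictionary: list) -> set:
    """Return the set of account names whose verifier matches a dictionary word.

    Only the fact of a match is recorded, so the report never echoes the
    password; comparison is constant-time to avoid leaking partial matches.
    """
    flagged = set()
    for user, record in accounts.items():
        for word in dictionary:
            candidate = verifier(record["salt"], word)
            if hmac.compare_digest(candidate, record["hash"]):
                flagged.add(user)
                break
    return flagged


def alert_lines(flagged: set) -> list:
    """Administrator-facing report lines, one per flagged account."""
    return [
        f"ALERT: account '{user}' uses a password found in the common-password list"
        for user in sorted(flagged)
    ]


if __name__ == "__main__":
    for line in alert_lines(audit_weak_passwords(ACCOUNTS, COMMON_PASSWORDS)):
        print(line)
```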

78. The third method commonly used to access a system is the "trapdoor" method, whereby unauthorized access is achieved through access points, or trapdoors, created for legitimate purposes, such as maintenance of the system.

79. The international criminal hacker community uses electronic bulletin boards to communicate system infiltration incidents and methods. In one case, details of a Canadian attempt to access a system were found on suspects in an unrelated matter in England; they had removed the material from a bulletin board in Germany. This sharing of information can facilitate multiple unauthorized infiltrations of a system from around the globe, resulting in staggering telecommunication charges to the victim.

80. With the development of modern telecommunications systems, a new field for unauthorized infiltration was created. Personal telecommunications have been expanded with the advent of portable, cellular telecommunication devices. The criminal community has responded to these advances by duplicating the microchip technology.

81. Modern telecommunications systems are equally vulnerable to criminal activity. Office automation systems such as voice mail boxes and private business exchanges are, in effect, computer systems, designed for the convenience of users. However, convenience features such as remote access and maintenance capabilities, call-forwarding and voice-messaging are easily infiltrated by computer criminals.

82. Modern telecommunications systems, like other computer systems, are also susceptible to abuse by remote access. The integration of telecommunications systems means that once one system is accessed, a computer operator with sufficient skill could infiltrate the entire telecommunications network of a city. The usual motive for telecommunications crime is to obtain free telecommunications services. However, more innovative telecommunications fraud has also been uncovered, and telecommunications systems have been used to disguise other forms of criminal activity.


5. Unauthorized reproduction of legally protected computer programs

83. The unauthorized reproduction of computer programs can mean a substantial economic loss to the legitimate owners. Several jurisdictions have dictated that this type of activity should be the subject of criminal sanction. The problem has reached transnational dimensions with the trafficking of these unauthorized reproductions over modern telecommunication networks.



II. SUBSTANTIVE CRIMINAL LAW PROTECTING THE HOLDER OF DATA AND INFORMATION


A. Background

84. The criminal codes of all countries have, up to the present, predominantly protected tangible and visible objects. Although protection for information and other intangible things or values existed before the middle of the twentieth century, it did not play an important role until very recently. The last few decades have seen significant changes: the development from industrial to post-industrial society, the increasing value of information in economics, culture and politics, and the growing importance of computer technology have led to legal challenges and new legal responses to information law. In the 1970s, the resulting change of paradigm, from corporeal to incorporeal objects, began to touch substantive criminal law, in several waves of computer crime legislation.

85. A new doctrine of criminal information is emerging in the area of legal science, founded on the still-developing concepts of information law and the law of information technology. In accordance with modern cybernetics and informatics, information law now recognizes information as a third fundamental factor in addition to matter and energy. Based on empirical analysis, this concept evaluates information both as a new economic, cultural and political asset and as being specifically vulnerable to unique forms of crime.

86. It is obvious in the new approach that the legal evaluation of corporeal objects differs considerably from the evaluation of incorporeal (information) objects. First, there is an important conceptual distinction between information and data that is both technologically and legally relevant. Information is a process or relationship that occurs between a person's mind and a stimulus. Data, whether in corporeal or incorporeal (e.g. electromagnetic impulse) form, constitute a stimulus. Data are merely a representation of information or of some concept. Information is the interpretation that an observer applies to the data. Different information may be received from the same data, depending on their interpretation. Thus, when data are destroyed or appropriated, it is the representation that is destroyed or appropriated and not the actual information, idea or knowledge. The latter may still subsist in a person's mind or in another copy of the data.

87. The second difference concerns the protection of the proprietor or holder of corporeal and incorporeal objects. Whereas corporeal objects are more exclusively attributed to their proprietor, information is a good that flows freely in a free society. It is not itself subject, therefore, to exclusive protection in the same way as tangible property. A third difference between the legal regimes of tangibles and intangibles is that, in protecting information, not only must one consider the economic interests of its proprietor or holder, but one must also preserve the interests of those persons concerned with the contents of the information. This aspect results in new issues of privacy protection, which is dealt with in chapter III.

88. Paragraphs 89-115 investigate how far the various national systems protect the holder of information and paragraphs 116-126 examine activities undertaken in this field of law on the international level.



B. The development of national law

89. Two primary issues are raised by the use of legislation to protect the holder or processor of data or information. First, to what extent is the criminal law an adequate and appropriate mechanism for guaranteeing the integrity and correctness of data or information? Secondly, when or how should the interests of proprietors or holders in the exclusive use or secrecy of data or information be protected?


1. The integrity and correctness of data

The integrity of data

90. Until the 1980s, in most legal systems the integrity of computer-stored data was covered by general provisions regarding damage to property, vandalism or mischief. However, these provisions were developed to protect tangible objects; thus their application in the information sphere posed new questions. In a few criminal codes the mere erasure of data without damaging the physical medium does not fall under the traditional provisions regarding damage to property, since electrical impulses are not considered to be corporeal property and interference with the use of the physical medium is not considered to be destruction. However, the prevailing opinion in most countries considers the deliberate damage or destruction of data on tapes or disks to be equivalent to damage to, or interference with the use of, property (i.e. vandalism) de lege lata, since the use of the tape or disk has been affected.

91. To clarify the situation, new legislation has been enacted in many countries. Some countries amended the traditional statutes on mischief, vandalism or damage to tangible property; others created specific provisions. The legislation of a few countries covers all kinds of documents, not only computer-stored data. In the United States, a number of state laws contain more specific sanctions for the insertion or intrusion of a computer virus, and on the federal level, a provision sanctions the reckless causing of damage when a federal computer system is intentionally accessed without authorization. Some legal systems also include specific qualifications for computer sabotage that leads to the obstruction of business or of national security.


The correctness of data

92. Owing to its fragmentary character, criminal law is too blunt an instrument to guarantee the general correctness of data, especially its informational content. Only in specific cases, such as balance sheet items, medical reports or other specific documents, can it attempt to guarantee the preservation of faultless data.

93. Some of the most important criminal law provisions covering the integrity, as well as the correctness, of specific data are provisions on forgery, which guarantee the authenticity of a document for the statement that it contains. In some countries, the provisions on forgery require visual readability of statements embodied in a document and, for this reason, do not cover electronically stored data. With the intention of giving electronically based documents the same legal protection as paper-based declarations, some countries have enacted or proposed new statutes on forgery that relinquish visual perceptibility. De lege lata, courts in other countries came to the same result.


False data as a means to attack other legally protected interests

94. Traditionally, the involvement of computer data (e.g. in the case of murder committed by the manipulation of a computerized hospital supervision system) does not create specific legal complications. The respective legal provisions are formulated in terms of result, and it is completely irrelevant if the result is achieved with the involvement of a computer.

95. In the area of financial manipulations the situation is different. In many legal systems the statutory definitions of theft, larceny and embezzlement require that the offender take an "item of another person's property". In such systems, the provisions are not applicable if the perpetrator appropriates deposit money. In many countries, these provisions also cause difficulties in regard to the manipulation of financial transactions through automated cash dispensers. The statutory provisions on fraud in some legal systems demand the deception of a person. They cannot be used when a computer is deceived. Statutory definitions of breach of trust or abus de confiance, which exist in several countries, sometimes apply only to offenders in high positions and not to punchers, operators or programmers; some provisions also have restrictions on which objects may be protected. Consequently, many legal systems have looked for solutions de lege lata without overstretching the wording of existing provisions, and new laws on computer fraud have been enacted in many countries. Such clarifications or amendments should be considered, if necessary.


2. The exclusive use of data or information

96. The exclusive use of information by its holder is protected by three legal instruments: (a) new, computer-specific statutes concerning illegal access to or use of computer systems; (b) the general rules of intellectual property law, especially copyright law; and (c) the general rules of trade secret law, especially the provisions on economic espionage.


Special statutes protecting exclusive access to and use of computer systems

97. In many countries, since the 1980s, the protection of computer data by the general provisions of trade secret law and intellectual property law has not been considered to be sufficient. In response to the new cases of hacking, many States developed new statutes protecting a "formal sphere of secrecy or privacy" for computer data by criminalizing illegal access to or use of another person's computer, thereby also protecting the computer data contained therein. This new legislation became necessary because, in most countries, protection of this "formal sphere of secrecy or privacy" against illegal access to computer-stored data and computer communication could not be guaranteed by traditional criminal provisions.

98. As far as wire-tapping and the interception of data communications are concerned, the traditional wire-tap statutes of most legal systems refer only to the interception of communications. Therefore, legislative proposals that cover wire-tapping and other forms of electronic surveillance or the interception of computer system functions or communications have been put forth in many countries. When enacting legislation in this area, it is important that the new law should address interception in all of its possible forms, whether of communications to, from or within a computer system, or of inadvertent or advertent emissions of radiation.

99. Similarly, traditional provisions on trespassing and forgery often cannot be used. In all countries, the applicability of traditional penal provisions to unauthorized access to data-processing and storage systems is generally difficult. Therefore, new legislative provisions concerning such access have been enacted in many countries. These provisions demonstrate various approaches. Some criminalize "mere" access to EDP systems; others punish access only in cases where the accessed system is protected by security measures, where the perpetrator has harmful intentions or where data are obtained, modified or damaged. Some countries combine several of these approaches in a single provision covering both "mere" access (in the form of a basic hacking offence) and qualified forms of access (in the form of a more serious ulterior offence with more severe sanctions).

100. One problem concerns the circumstances under which an initially authorized access may become unauthorized or may otherwise turn into a criminal action. In most countries, the new provisions deal only with the initial unauthorized access, thus criminalizing only the acts of outsiders; other countries also proscribe unauthorized use of or presence in systems, thus also criminalizing use or "time theft" by both outsiders and employees. A special solution to protect employees can be found in the California state law, which does not apply to employees if their use is within the scope of their employment or, in the case of uses outside the scope of employment, the use does not result in any injury or the value of the used services does not exceed $100.

101. The discussion about initially authorized access demonstrates that illegal access to computer systems is closely connected to, and partly overlaps with, the criminalization of unauthorized use of computers (i.e. both use without authority and time theft), although up to the present this close relationship has not yet been generally realized by all countries. De lege ferenda in most civil law countries the problem of illegal use of computers is reduced to the illegal use of computer hardware and discussed within the context of furtum usus of corporeal property. In this context many civil law countries reject a general criminalization of furtum usus of tangibles (with some exceptions, such as for motor vehicle joyriding) and consequently do not incorporate a provision against the illegal use of computers or time theft in their new computer crime laws. However, there are (mainly Nordic) countries that have a legal tradition of criminalizing the unauthorized use of corporeal property, so that the new reform proposals of these countries also criminalize the unauthorized use of computer systems. Many common law countries or parts thereof (e.g. Canada and many States of the United States) have recognized the relationship between access and use, and in statutory definitions subsume either "access" or "use" into the other concept, thereby creating a single legal concept that addresses both situations for the purposes of the new penal provisions. Since the unauthorized use of computer systems generally presupposes unauthorized access to that system, an adequate access or use provision could at the same time cover the other delict as well.

102. A further distinction that is sometimes recognized is one between (a) the unauthorized obtaining of computer services or time that is ordinarily provided for a fee and (b) the unauthorized use of computer systems in general. The delict in respect of the former is the unauthorized obtaining of computer services without payment of the requisite fee, thereby causing the owner of the system to suffer a financial loss. In some countries, such abuse is covered by general theft of service laws. The statutes of other countries, however, are limited to the unlawful use, waste or withdrawal of electricity. General theft and fraud statutes may be applicable in some countries, while in other countries specific provisions have had to be enacted to deal with this type of theft of service.

103. The delict in respect of the mere unauthorized use of the computer is the violation of the exclusive use rights of the owner. Addressing this problem raises all of the issues previously discussed in relation to the issues of unauthorized access and unauthorized use.

 

Intellectual property law

104. The concept of intellectual property law has been predicated both on the recognition of natural rights in intellectual property and on the policy of encouraging the creation of works by granting a certain premium to the creators. In the field of information technology, this concept is especially important for the protection of computer programs and semiconductor topographies.

 

Computer programs

105. Depending on the circumstances, trade secret protection may apply to computer-stored data, including computer programs themselves. However, since these legal devices are restricted to secret programs, special relationships and/or specific acts of accessing information, they are not sufficient to guarantee secure trade with respect to computer programs in general. The price discrepancy between expensive originals of computer programs and cheaper unauthorized reproductions is so vast that there is a demand in all countries for the more comprehensive regulation of these activities. Protective systems could be expanded to include non-secret programs and could be applicable to third parties.

106. In recent years, many countries have debated the scope of copyright law, given that patent law can protect only a small number of programs, such as those that include a technical invention. With the aim of avoiding legal uncertainty, many countries have expressly provided copyright protection for computer programs by way of legislative amendments. This fundamental recognition of the need to copyright computer programs can, however, only be regarded as a first step. The creation of effective copyright protection for computer programs raises explicitly the question of the appropriate scope of copyright protection, as well as some additional problems. Until now, these questions have been solved in disparate and often unsatisfactory ways in many countries.

107. The role of penal copyright protection has also been evaluated differently in various countries. In the past, copyright law in common law systems rarely, if ever, resorted to penal sanctions; civil law systems, in contrast, have traditionally punished infringements of copyright by lenient criminal sanctions. The increase in audio- and videotape piracy in recent years, however, has necessitated more stringent criminal sanctions in both systems; thus the distinction between civil and common law systems has been effectively removed.

108. Although some of the new laws are still confined to phonographic products, many are of a more general nature. Reform proposals providing more severe criminal sanctions for copyright infringements have been enacted in many countries. These efforts to achieve more effective copyright protection are justified, since attacks against intellectual property deserve a criminal law response as much as do the more conventional attacks on corporeal property. The reluctance to criminalize copyright infringements, still evident in some countries, could be counteracted by adequate civil law provisions. The law can be structured to differentiate between less objectionable activities, such as private back-up copying, and more clearly criminal behaviour, which either causes economic damage or is regularly committed for gain.

 

Semiconductor products

109. Computer programs are not the only new economic values created by modern computer technology. As is evidenced by the miniaturization of computers and the development of fifth-generation computers, the technique of integrated circuits is becoming more and more sophisticated. The possibilities of copying the topography of semiconductor products give rise to demand for an effective protection of such products in order to stop unauthorized reproduction.

110. In most countries, it remains unclear to what extent the topography of semiconductor products is protected against reproductions by patent law, copyright law, registered designs, trade secret law and competition law. In the United States, special protection for computer chips was provided by the Semiconductor Chip Protection Act of 1984. 8 Many states followed this sui generis approach by enacting similar legislation.

111. However, criminal sanctions provided under this type of legislation differ from country to country. In contrast to the laws of Canada, Italy and the United States, the new Finnish, German, Japanese, Netherlands and Swedish laws include criminal sanctions, which among other things punish the infringement of a circuit layout right. Civil and penal sanctions for egregious infringements of circuit layout rights require serious consideration.

 

The protection of trade secrets

112. When information is acquired by stealing a corporeal carrier of information, such as a printout, tape or disk, the traditional penal provisions on theft, larceny or embezzlement are not problematic in application. However, the ability of data-processing and communication systems to copy data quickly, inconspicuously and, often, via telecommunication facilities has meant that most of these acts of traditional information carrier theft are replaced with acts of actual information acquisition. Therefore, the question arises: to what extent can or should the pure acquisition of incorporeal information be covered by these provisions? Most countries are reluctant to apply traditional provisions on theft and embezzlement to the unauthorized appropriation of secret information, because these provisions generally require that corporeal property be taken away with the intention of depriving the victim of use or control. The acquisition of information (e.g. by copying it or taking away a copy) does not necessarily deprive the original holder of the information. The data may still exist intact, or other copies may exist.

113. Additionally, in many countries the traditional laws of theft also require that the thing that is taken constitute property. However, legislators and the judiciary in many of these countries are reluctant to ascribe a property status to information, even confidential information. The issue of misappropriation of information raises a number of broader legal, social and economic issues. The conflict of interest between the free flow of information and the right to confidentiality must be taken into account, as must be the economic interests in certain kinds of information. Just as in the area of intellectual property law, solutions in this area must also provide for an appropriate degree of flexibility to balance these competing interests. Traditional property law, with its emphasis on exclusivity to one owner, does not adequately account for the dynamics of information in an information society. Rather than relying on traditional theft provisions, special laws may need to be enacted. 2

114. As a result of problems in applying the general property law to cover trade secrets, in many countries the misappropriation of someone else's secret information is covered by special provisions on trade secrets law. These provisions protect trade secrets by prohibiting only certain condemnable acts of obtaining information, either by provisions of the penal code or by penal or civil provisions of statutes against unfair competition. These laws generally attempt to balance the competing interests.

115. Generally speaking, it can be said that criminal trade secret law and civil unfair competition law are less developed in common law countries, at least statutorily, and in Asian countries than in continental Europe. As far as future policy-making is concerned, the international trend towards trade secret protection should be encouraged. To achieve an international consensus, all legal systems could, either in their penal codes or in statutes against unfair competition, establish penal trade secret protection reinforced by adequate civil provisions on unfair competition.

 


C. The international harmonization of criminal law

116. In order to effectively address computer crime, concerted international cooperation is required. Such can only occur, however, if there is a common framework for understanding what the problem is and what solutions are being considered. To date, international harmonization of the legal categories and definition of computer crime has been proposed by the United Nations, by OECD and by the Council of Europe.

 

1. First initiatives of OECD

117. The first comprehensive international effort dealing with the criminal law problems of computer crime was initiated by OECD. From 1983 to 1985, an ad hoc committee of OECD discussed the possibilities of an international harmonization of criminal laws in order to fight computer-related economic crime. In September 1985, the committee recommended that member countries consider the extent to which knowingly committed acts in the field of computer-related abuse should be criminalized and covered by national penal legislation.

118. In 1986, based on a comparative analysis of substantive law, OECD suggested that the following list of acts could constitute a common denominator for the different approaches being taken by member countries:

 

  1. "The input, alteration, erasure and/or suppression of computer data and/or computer programs made willfully with the intent to commit an illegal transfer of funds or of another thing of value;
  2. The input, alteration, erasure and/or suppression of computer data and/or computer programs made willfully with the intent to commit a forgery;
  3. The input, alteration, erasure and/or suppression of computer data and/or computer programs, or other interference with computer systems, made willfully with the intent to hinder the functioning of a computer and/or telecommunication system;
  4. The infringement of the exclusive right of the owner of a protected computer program with the intent to exploit commercially the program and put it on the market;
  5. The access to or the interception of a computer and/or telecommunication system made knowingly and without the authorization of the person responsible for the system, either (i) by infringement of security measures or (ii) for other dishonest or harmful intentions." 9

2. The guidelines of the Council of Europe

119. From 1985 to 1989, the Select Committee of Experts on Computer-Related Crime of the Council of Europe discussed the legal problems of computer crime. The Select Committee and the European Committee on Crime Problems prepared Recommendation No. R(89)9, which was adopted by the Council on 13 September 1989. 10

120. This document "recommends the Governments of Member States to take into account, when reviewing their legislation or initiating new legislation, the report on computer-related crime... and in particular the guidelines for the national legislatures". The guidelines for national legislatures include a minimum list, which reflects the general consensus of the Committee regarding certain computer-related abuses that should be dealt with by criminal law, as well as an optional list, which describes acts that have already been penalized in some States, but on which an international consensus for criminalization could not be reached.

121. The minimum list of offences for which uniform criminal policy on legislation concerning computer-related crime had been achieved enumerates the following offences:

 

  1. "Computer fraud. The input, alteration, erasure or suppression of computer data or computer programs, or other interference with the course of data processing that influences the result of data processing, thereby causing economic or possessory loss of property of another person with the intent of procuring an unlawful economic gain for himself or for another person;
  2. Computer forgery. The input, alteration, erasure or suppression of computer data or computer programs, or other interference with the course of data processing in a manner or under such conditions, as prescribed by national law, that it would constitute the offence of forgery if it had been committed with respect to a traditional object of such an offence;
  3. Damage to computer data or computer programs. The erasure, damaging, deterioration or suppression of computer data or computer programs without right;
  4. Computer sabotage. The input, alteration, erasure or suppression of computer data or computer programs, or other interference with computer systems, with the intent to hinder the functioning of a computer or a telecommunications system;
  5. Unauthorized access. The access without right to a computer system or network by infringing security measures;
  6. Unauthorized interception. The interception, made without right and by technical means, of communications to, from and within a computer system or network;
  7. Unauthorized reproduction of a protected computer program. The reproduction, distribution or communication to the public without right of a computer program which is protected by law;
  8. Unauthorized reproduction of a topography. The reproduction without right of a topography protected by law, of a semiconductor product, or the commercial exploitation or the importation for that purpose, done without right, of a topography or of a semiconductor product manufactured by using the topography."

122. The optional list contains the following conduct:

  1. "Alteration of computer data or computer programs. The alteration of computer data or computer programs without right;
  2. Computer espionage. The acquisition by improper means or the disclosure, transfer or use of a trade or commercial secret without right or any other legal justification, with intent either to cause economic loss to the person entitled to the secret or to obtain an unlawful economic advantage for oneself or a third person;
  3. Unauthorized use of a computer. The use of a computer system or network without right, that either: (i) is made with the acceptance of significant risk of loss being caused to the person entitled to use the system or harm to the system or its functioning, or (ii) is made with the intent to cause loss to the person entitled to use the system or harm to the system or its functioning, or (iii) causes loss to the person entitled to use the system or harm to the system or its functioning;
  4. Unauthorized use of a protected computer program. The use without right of a computer program which is protected by law and which has been reproduced without right, with the intent either to procure an unlawful economic gain for himself or for another person or to cause harm to the holder of the right."

3. Resolution of the General Assembly

123. In 1990, the legal aspects of computer crime were also discussed by the United Nations, particularly at the Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, at Havana, as well as at the accompanying symposium on computer crime organized by the Foundation for Responsible Computing. The Eighth United Nations Congress adopted a resolution on computer-related crime, a portion of which was quoted in paragraph 18.

124. In its resolution 45/121, the General Assembly welcomed the instruments and resolutions adopted by the Eighth Congress and invited Governments to be guided by them in the formulation of appropriate legislation and policy directives in accordance with the economic, social, legal, cultural and political circumstances of each country.

 

4. The proposed resolution of the Association Internationale de Droit Pénal

125. The draft resolution of the AIDP Colloquium, held at Würzburg, 5-8 October 1992, contains a number of recommendations, including the following:

"3. To the extent that traditional criminal law is not sufficient, modification of existing, or the creation of new, offences should be supported if other measures are not sufficient (principle of subsidiarity).

4. In the enactment of amendments and new provisions, emphasis should be put on precision and clarity. In areas where criminal law is only an annex to other areas of law (as in the area of copyright law), this requirement should also be applied to the substantive material of that other law.

5. In order to avoid overcriminalization, regard should be given to the scope to which criminal law extends in related areas. Extensions that range beyond these limits require careful examination and justification. In this respect, one important criterion in defining or restricting criminal liability is that offences in this area be limited primarily to intentional acts.

...

7. Having regard to the advances in information technology, the increase in related crime since the adoption of the 1989 recommendation of the Council of Europe, the significant value of intangibles in the information age, the desirability to promote further research and technological development and the high potential for harm, it is recommended that States should also consider, in accord with their legal traditions and culture and with reference to the applicability of their existing laws, punishing as crimes the conduct described in the 'optional list', especially the alteration of computer data and computer espionage.

8. Furthermore, it is suggested that some of the definitions in the Council of Europe lists - such as the offence of unauthorized access - may need further clarification and refinement in the light of advances in information technology and changing perceptions of criminality. For the same reasons, other types of abuses that are not included expressly in the lists, such as trafficking in wrongfully obtained computer passwords and other information about means of obtaining unauthorized access to computer systems, and the distribution of viruses or similar programs, should also be considered as candidates for criminalization, in accord with national legal traditions and culture and with reference to the applicability of existing laws. In light of the high potential damage that can be caused by viruses, worms and other such programs that are meant, or are likely, to propagate into and damage, or otherwise interfere with, data, programs or the functioning of computer systems, it is recommended that more scientific discussion and research be devoted to this area. Special attention should be given to the use of criminal norms that penalize recklessness or the creation of dangerous risks, and to practical problems of enforcement. Consideration might also be given as to whether the resulting crime should be regarded as a form of sabotage offence.

9. In regard to the preceding recommendations, it is recognized that different legal cultures and traditions may resolve some of these issues in different ways while, nevertheless, still penalizing the essence of the particular abuse. States should be conscious of alternative approaches in other legal systems." 13

126. The draft resolution acknowledges the work of OECD and the Council of Europe and welcomes the guidelines adopted by the latter, which create a minimum list of criminal acts as well as an optional list of acts that should be penalized by national law. The draft resolution is expected to be adopted, with or without revisions, at a conference of AIDP to be held at Rio de Janeiro in 1994.

 


III. SUBSTANTIVE CRIMINAL LAW PROTECTING PRIVACY


A. Background

127. Unlike the legal rules concerning corporeal objects, information law does not only consider the economic interests of the proprietor or holder but also takes into account the interests of persons concerned with the content of information. Before the invention of computers, the legal protection of persons in regard to the content of information was limited. Few provisions existed in the criminal law other than those in relation to libel. Since the 1970s, however, new technologies have expanded the possibilities of collecting, storing, accessing, comparing, selecting, linking and transmitting data, thereby causing new threats to privacy. This has prompted many countries to enact new elements of administrative, civil and penal regulations, as discussed in paragraphs 128-132. Various international measures, outlined in paragraphs 133-145, support this evolution by developing a common approach to privacy protection.

 


B. The development of national law

128. The penal provisions in privacy laws largely refer to the corresponding administrative provisions. Accordingly, first the administrative provisions are surveyed briefly and then the related questions of criminal law are dealt with.

 

1. Differing concepts of privacy laws

129. Special legislation against infringements of privacy has been passed in most western legal systems. Moreover, the courts in most countries have also developed a civil action protecting privacy interests. An analysis of national laws demonstrates that various international actions have led to a considerable degree of uniformity among the general administrative and civil law regulations of national privacy laws. Most national privacy statutes include, for example, provisions addressing the limitation of data collection or the individual's right of access to his or her personal data. In spite of this tendency, considerable differences in general administrative and civil regulations remain. These differences concern the legislative rationale, the scope of application (especially with regard to legal persons and manually recorded data), the procedural requirements for commencing the processing of personal data and the substantive requirements for processing such data, as well as the respective control institutions.

130. The differences among the general administrative regulations are not only relevant for administrative law but to a significant extent also determine the existence of differences between criminal law provisions, which largely refer to these regulations. For example, one difference among criminal offences in various national privacy laws is found in the prohibition of the use of various types of data.

 

2. Differing acts covered by criminal law

131. The main differences among the penal privacy offences, however, derive not from their general scope of application but from the different illegal acts that they cover. These differences in penal coverage are mainly caused by a divergent evaluation of the criminal character of privacy infringements and the role that penal law should play in this field. In some countries, especially Canada, Japan and the United States, criminal law is not widely used for privacy protection. In other countries, the criminal law includes comprehensive lists of severe criminal offences that refer to many of the actions regulated by administrative law. Some legislation even punishes negligent acts. In Finland, the Committee on Informational Crimes and, in France, the Commission for the Revision of the Penal Code intend to stress the importance of criminal sanctions in privacy legislation by implementing the most important infringements in their general penal codes.

132. The most important differences among the crimes against privacy in the various data protection laws emerge when the penal provisions are analysed in detail. Such a comparative analysis should differentiate four main categories of criminal privacy infringements, which are to be found particularly in European privacy laws:

 

  1. The first main group of crimes against privacy relates to infringements of substantive privacy rights and includes such acts as illegal disclosure, dissemination, obtaining of and/or access to data; unlawful use of data; illegal entering, modification and/or falsification of data with an intent to cause damage; collection, recording and/or storage of data, which is illegal for reasons of substantive policy; or storage of incorrect data. Detailed analysis of the respective criminal provisions indicates that these substantive infringements of privacy rights differ with regard not only to the data covered but also to the types of acts punished. They differ further according to the extent to which the described acts are permitted by law. Since the penal provisions either refer to the respective general provisions of the civil privacy laws or justify exceptions permitting the use of personal data by reference to general clauses, which are similar to those of the administrative provisions, all anomalies, inaccuracies and uncertainties in the field of administrative law can also be found within the corresponding penal provisions;
  2. As a result of the uncertainties in the substantive provisions, many legal systems rely to a great extent on a second, and additional, group of offences that are directed towards enforcing various formal legal requirements or orders of supervisory agencies. These offences, included in most privacy laws, generally contain more precise descriptions of the prohibited conduct than do the substantive offences. However, these formal provisions also vary considerably among the various national laws. The main type of formal infraction covered in many states by penal law concerns infringement of the legal requirements for commencing the processing of personal data (e.g. registration, notification, application for registration, declaration or licensing). Additional, and considerably varying, offences that can be found in much of the European privacy legislation are infringement of certain regulations, prohibitions or decisions of the regulatory authorities; refusal to give information or release of false information to the regulatory authorities; refusal to grant access to property and refusal to permit inspections by regulatory authorities; obstruction of the execution of a warrant; failure to appoint a controller of data protection for a company; and failure to record the grounds or means for the dissemination of personal data;
  3. A third type of criminal privacy infringement is infringement of access laws, e.g. the individual's rights to access information (freedom of information). With respect to a party's right of access, in many European countries it is an offence to give false information or not to inform the registered party or not to reply to a request;
  4. Some countries go further and punish neglect of security measures with an administrative fine or even with a criminal sanction. This constitutes a fourth type of offence.

C. International harmonization

1. Harmonization of underlying administrative and civil law

133. In the field of administrative and civil privacy legislation, various international organizations have developed a common approach to privacy protection in order to prevent the proliferation of different concepts and national regulations that would impede the transborder flow of data. The main work in this field has so far been accomplished by OECD, the Council of Europe and the European Union.

 

The OECD guidelines

134. In 1977, OECD began to elaborate guidelines governing the protection of privacy and transborder flows of personal data. These guidelines were adopted by the Council of OECD in 1980 as a recommendation to the member States. The eight main points of the guidelines concern the principles of limitation on collection; data quality; specification of purpose; limitation of use; security and safeguards; openness; individual participation; and accountability.

 

Activities of the Council of Europe

135. In 1980, the Committee of Ministers of the Council of Europe, which had been considering privacy concerns since 1968, adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. In contrast to the OECD guidelines, which are voluntary in nature, the Council of Europe Convention is a contractual commitment of the ratifying States and is legally binding. It formulates 10 basic principles representing minimum standards that must be incorporated in the legislation of the contracting States. Although similar to those of OECD, these principles are narrower and more specific.

136. Further initiatives were undertaken by the Committee of Experts on Data Protection of the Council of Europe. Since the opening for signature of the Convention, the Committee has pursued a sectoral approach to data protection issues aimed at elaborating guidelines, in the form of non-binding recommendations, addressed to the Governments of the member States.

 

Proposals of the European Union

137. The European Union started to harmonize privacy laws in 1976. A decisive breakthrough for European privacy protection was reached in September 1990, when the Commission of the European Communities submitted a draft package containing six proposals in the field of personal data protection and information security. The package included the draft of a general directive on data protection applicable to all personal data files within the scope of European Union law. Within the context of the IMPACT2 program of the European Union, the Commission intends to elaborate, when necessary, the instruments concerning personal data protection in specific sectors of information services, mailing list services, credit ratings and solvency services.

 

Activities of the United Nations

138. In 1988, the Subcommission on the Prevention of Discrimination and the Protection of Minorities of the Commission on Human Rights elaborated draft guidelines for the regulation of computerized personal data files (E/CN.4/Sub.2/1988/22, annex I). In its resolution 45/95, the General Assembly adopted a revised version of these guidelines, which contain principles similar to those of the OECD guidelines and the Council of Europe Convention.

 

2. Harmonization of criminal law

139. In contrast to the progress achieved in administrative and civil privacy law, international harmonization in the field of criminal privacy law has still not really begun. The main initiative is being undertaken by the Council of Europe. The above-mentioned Convention of the Council of Europe contains, in article 10, a provision stating that "each party undertakes to establish appropriate sanctions and remedies for violation of ... the basic principles for data protection". However, this clause allows States to determine the nature of the sanctions and remedies (civil, administrative or criminal), as well as their scope of application.

140. Further studies to harmonize criminal privacy law were undertaken in the course of the work of the Select Committee of Experts on Computer-Related Crime of the Council of Europe, mentioned in paragraphs 119-122. The Committee recommended six basic principles that should be taken into account by member States when enacting legislation in the field of computer-related criminal privacy:

 

  1. "The protection of privacy against offences caused by modern computer technology is of great importance. However, this protection should be based primarily on administrative and civil law regulations. Recourse to criminal law should be made only as a last resort. This means that criminal sanctions should be used only in cases of severe offences in which adequate regulation cannot be achieved by administrative or civil law measures (ultima ratio principle);
  2. The respective criminal provisions must describe the forbidden acts precisely and should avoid vague general clauses. A precise description of illegal acts, without however resorting to a casuistic legislation technique, can easily be achieved, for example, for specific sensitive data. In cases in which precise descriptions of illegal acts are not possible, due to the necessity of a difficult balancing of interests (privacy versus freedom of information), criminal law should decline to incriminate substantive infringements of privacy and adopt a formal approach, based on administrative requirements of notification of potentially harmful data-processing activities. Failure to comply with these notification requirements and to obey regulations of the data protection authorities could then be subject to sanctions. These formal offences are in accordance with the principle of culpability as long as they can be considered bans per se (Gefährdungsdelikte, délits-obstacles), which punish the endangering of privacy rights. In many areas, criminal privacy infringements, therefore, would presuppose both the infringement of formal requirements as well as the endangering of substantive privacy rights (principle of precision in the wording of criminal law);
  3. The criminalized acts should be described as clearly as possible by the respective penal law provisions. Therefore, a too-extensive use of the referral technique (that is, the technique pursuant to which activities regulated outside the penal law provisions are criminalized by reference) makes criminal provisions unclear and incomprehensible and should be avoided. If implicit or explicit references of the criminal law are used, the criminal provision itself should at least give an adequate idea of the forbidden acts (clearness principle);
  4. Different computer-related infringements of privacy should not be criminalized in one global provision. The principle of culpability requires a differentiation according to the interests affected, the acts committed and the status of the perpetrator, as well as of his intended aims and other mental elements (principle of differentiation);
  5. In principle, computer-related infringements of privacy should only be punishable if the perpetrator acts with intent. Criminalization of negligent acts should be an exception requiring a special justification (principle of intent);
  6. Minor computer-related offences against privacy should be punished only in accordance with Council of Europe Recommendation No. (87)18 on the simplification of criminal justice, on complaint of the victim or of the Privacy Protection Commissioner or of the Privacy Protection Authority (principle of complaint)."5

141. In future, further harmonization of criminal privacy law might be achieved along the lines outlined in the draft directive of the European Union. Chapter VII, article 23, of that draft directive, which concerns sanctions, demands that each member State provide in its laws the use of "sufficient sanctions" to guarantee the rules based on the directive.

142. The issue of privacy protection was also discussed at the AIDP Colloquium on Computer Crime and Other Crimes against Information Technology (see paragraphs 116-126). The discussion demonstrated significant differences of opinion as to the means by which and the degree to which protection should be afforded by administrative, civil, regulatory and criminal law. The draft resolution of the colloquium recommended, therefore, that "non-penal measures should be given priority, especially where the relations between the parties are governed by contract" and that criminal provisions "should only be used where civil law or data protection law do not provide adequate legal remedies".

143. The Colloquium noted the basic principles, as advanced by the Council of Europe, that should be taken into account by States when enacting criminal legislation in this field. The draft resolution of the Colloquium proposes further that criminal provisions in the privacy area should in particular:

  1. "Be used only in serious cases, especially those involving highly sensitive data or confidential information traditionally protected by law;
  2. Be defined clearly and precisely rather than by the use of vague or general clauses (Generalklauseln), especially in relation to substantive privacy law;
  3. Differentiate as between varying levels and requirements of culpability;
  4. Display caution, in particular, as regarding matters of intent;
  5. Permit the prosecutorial authorities to take into account, in respect of some types of offences, the wishes of the victim regarding the institution of prosecution."

144. The draft resolution also noted as follows:

"The significance of protecting privacy interests in the transformed information age should be recognized, but also balanced by the legitimate interests in the free flow and distribution of information within society. These interests include the right of citizens to access, by legal means consistent with international human rights, information about themselves which is held by others."

145. The Colloquium concluded that further study of this issue should be undertaken.


IV. PROCEDURAL LAW


A. Background

146. Computer-specific procedural law problems arise not only in the prosecution of computer-crime cases but also in many other fields of criminal investigation. This is especially illustrated by the prosecution of economic crimes, predominantly in the field of banking, where most of the relevant evidence is stored in automated data-processing systems. In the field of traditional crime, computer-stored evidence is already a significant issue, as is illustrated by cases of drug traffickers conducting their business using personal computers and international telecommunication systems. In future, new optical storage devices based on compact disc technology will further encourage the destruction of originals (if paper originals still exist) after the information has been recorded in automated data-processing systems. Owing to these new technical developments and to the growing use of computers in all areas of economic and social life, courts and prosecution authorities will depend to an increasing extent on evidence stored or processed by modern information technology.

147. The resulting replacement of visible and corporeal objects of proof by invisible and intangible evidence in the field of information technology not only creates practical problems but also opens up new legal issues: the coercive powers of prosecuting authorities, discussed in paragraphs 148-165; specific problems with personal data, discussed in paragraphs 166-170; and the admissibility of computer-generated evidence, discussed in paragraphs 171-175. The relevant problems are dealt with not only at the national level but also by various international organizations, as discussed in paragraphs 176-185.


B. The coercive powers of prosecuting authorities

148. In accordance with the practical requirements of investigations in the field of information technology and based on the various coercive powers existing in most legal systems, an analysis of the coercive powers of prosecuting authorities has to differentiate among search and seizure in automated information systems; duties of active cooperation; and wire-tapping of telecommunication systems and "eavesdropping" of computers.


1. Search and seizure in automated information systems

Problems of traditional law

149. Collecting data stored or processed in computer systems generally first requires entry to and search of the premises in which the computer system is installed (powers of search and entry of premises); it is then necessary that the data can be seized or captured (powers of seizure and retention).

150. With respect to the investigation of computer data permanently stored on a corporeal data carrier, the general limitation of the powers of search and seizure to the search and seizure of (corporeal) objects relevant to the proceedings or to finding the truth does not, in most countries, pose serious problems, since the right to seize and to inspect the corporeal data carrier or, in case of internal memories, the central processing unit also includes the right to inspect the data. In other words, there is no difference whether the data are fixed with ink on paper or by magnetic impulses in electronic data carriers. This conclusion is even m