Main problems related to the Cyber Crime
The technological revolution carried out during this second half of the century, is undoubtedly strongly linked to the progress of the computer science.
The computer science, considered as a tool of inappreciable use in nearly all aspects of our lives, has already caused changes in the customs, which, in other times were unthinkable: without the use of computers and computer programs of medium sophistication, it would be unthinkable –as it was in other times- that any person could carry out their banking transactions out of business hours; or even draw cash from automatic cashiers late at night; or that even all their case history could be stored and updated in health centers, allowing , in this way, an easier medical care.
These mere examples show us how strong is the progress of this new technology that, from day to day, becomes part of our every-day activities, without even noticing it several times.
But reversely to the great advantages established as from the massive use of personal computers, the use of this technology through non-established or illegal means, can cause damages of such an extent as the benefits that the illegal use permits.
As it generally happens, the legal systems have a more slowly development than the social changes; consequently, if we take into account that the progress in the computer science is vertiginous, it is not difficult to deduce that the punishment systems for the illegal behaviors related to this technology stayed behind.
Regarding this matter, it is convenient to remember that, in terms of criminal law, individual rights are in force, which impede by analogy, the enforcement of a law to a case not specifically contemplated. I believe this is the most important issue that enables the dealing with cyber crimes in a special way and different from the behaviors forbidden by the traditional criminal law.
2.- First issue: the definition of cyber crimes.
In order to deal with cyber crimes, it must be clear which is the main target to be dealt with. In the specific case of the computer delinquency, if we think about a tool of international scope, in the first place, a definition of “cyber crime” should be developed to be accepted almost universally.
To reach this type of definition, it would be interesting to previously describe the different behaviors which the concept “cyber crime” makes reference to.
The traditional classification proposed by Sieber (Ulrich Sieber, “The International Handbook on Computer Crime”), allows to distinguish two large groups of cyber crimes: the cyber crimes of economic type and the cyber crimes against the privacy.
In the first group, the perpetration of some impairment of resources is relevant. In the second group, the cyber crime affects the privacy of people.
Likewise, it should be noted that when we analyze some of the behaviors that we generically call cyber crimes, we found that in some cases, the computer science system (generally software as well as hardware) is the target of the criminal act. On the other hand, in other cases, the computer science system is the tool for the criminal act.
Consequently, and these preliminary differences already stated, the analysis should be dedicated to the definition of cyber crime. This is not the moment to give any definition about the matter, but whatever may this be, should comprise the following behaviors, already explained by Sieber.
1) Cyber Crimes of economic type:
- Fraud committed through the manipulation of computer science systems: these behaviors are characterized by the manipulation of data contained in computer systems with the purpose of obtaining illegal profits.
- Illegal copy of software and computer science spying: this group comprises the behaviors aimed to obtain data from a computer system in an illegal way. It has to be taken into account that the target of appropriation can be of “data” as well as of the same computer program.
- Computer sabotage: these behaviors are the ones that damage the computer systems. It should be emphasized that the concept of damage must comprise the physical elements (hardware), as well as the intangible elements contained in a computer program.
- The illegal use of computer systems belonging to other people: this type of behavior consists basically of the use, without authorization, of computers and programs belonging to other people. It has to be emphasized that the damage is generally caused in the companies owners of the elements used without authorization, because the rental that would correspond are not paid, or because the same company pays a third party for the use of an improper service.
It could be also added to all this classification the access to the computer systems without authorization, without fraudulent purpose of sabotage or damage. In these cases, the behavior has the challenge of surpassing the access barrier as the only aim. The problem is that in the process of illegal access, damages, that are not contemplated by the one who tries to illegally gain access, may be caused.
2) Cyber Crimes affecting the privacy
Truly, several behaviors previously stated for the cyber crimes of economic type, are similar to the ones that would correspond to this classification; the only difference would be that the behaviors would not affect the proprietorship as a juridical right protected by the law, but would affect other juridical rights, such as the privacy.
In such sense, it seems that in order to consider that damage is caused to privacy, those behaviors related to what we call illegal copy of software and computer spying should be forbidden.
I consider an interesting issue to discuss, if an international convention about cyber crimes should also dedicate to the cyber crimes not affecting the proprietorship.
3.- Second issue: the present criminal legislation and the necessary or unnecessary need to create particulars definitions of crimes.
In my opinion, this issue should be discussed, although it seems that in the international scope is already established that for the criminal protection of the behaviors previously stated, it is necessary the amendment of the traditional criminal legislation.
The methods that may be adopted are mainly three: 1) creation of particular definitions of crimes; 2) reinterpretation of the already existing crimes, with the purpose of mending the small gaps and 3) together with the reinterpretation, the addition of some paragraphs to the already existing crimes in order to remedy the gaps.
From these three possibilities, the second is the one that in the scope of international commitments should be excluded. This is so, because the interpretation of the law corresponds to the judges, for which it would be impossible to establish a reinterpretative order coming from international entities.
Thus, I consider that it would be interesting to discuss the convenience of creating particular definitions of crimes or of amending the traditional criminal law. In order to determine on this matter, it wouldn’t be a bad idea that the different countries describe the present condition of their legislation and the interpretation of this legislation made by the judges.
For instance, In the Argentine Republic, the criminal protection of the software has been tried by means of the enforcement of the criminal rules set forth in the Copyrights Law. Until 1995, some courts considered that the illegal copy of software was defined in the chapter of penalties that the mentioned law contains.
Nevertheless, when one of the cases was under investigation by the National Court of Criminal Annulment (National Court of Criminal Annulment , Division, case 400 entitled “Autodesk vs. Remedy for annulment”), one of the Court’s Divisions decided the case in the sense that the behavior was not defined in the Argentine Law since the software did not fit into the definition of copyrightable material stated in the Copyrights Law.
This case reached the Argentine’s Supreme Court of Justice who dismissed the remedy for issues that were not relevant to the substance of the matter; this is to say, that the Court had not affirmed, as was said by some mass media, that the illegal copy of software was not one of the behaviors defined in the Copyrights Law.
As a conclusion of this prospect, it could be said that, regarding the illegal copy of software, the Courts’ decisions are not consistent , since the decision adopted in the case Autodesk has been decided by one of the Divisions of the Court of Criminal Annulment, but the other Divisions have not yet decided on the matter.
All this shows the urgent need to resolve the matter legislatively, in order to protect different interpretative criteria.
4.- Third issue: the need to use non-criminal measures.
As we all know, the criminal law must be considered as the “ultima ratio” of use against deviated behaviors. In accordance with this principle, typical of the liberal traditional criminal law, it is convenient to evaluate some non-criminal devices that protect, for instance, the software.
Thus, I understand that the criminal protection of the software may be dealt either from a criminal perspective, as well as from a civil or mercantile perspective, or even from administrative law. I am of the opinion that all these protective measures may not be exculpatory between them but complementary.
Finally, not only the solution by means of the criminal law would have to be discussed, but also changes in the non-criminal legislation related to the copyrights, literary and patents Law analyzed.
Answers to the questions posed in the tentative discussion guide.
- What kind of procedures are necessary to obtain a data in a computer system or on a computer network?
The answer to this question is not only related with the subject of the cyber crimes. It is evident that several other illegal behaviors can leave its “traces”, for instance, in a database, without meaning that they are helped by a computer system as a means, nor meaning that the computer system be the target of the illegal act. In other words, in any investigation of crimes, we may find ourselves facing the need to examine as evidence data that is inside the computer systems.
It could be thought about crimes such as tax avoidance; it is common that companies that usually don’t pay their taxes, have a parallel accountability that reveals the real condition of their finances. For the investigator, it would be very useful to obtain these data, and, it is clear that this is not a cyber crime.
For the above stated, I consider that the procedures for obtaining data in computer networks or in computers must be ruled by the general principles that are related to the collection of evidence in a criminal procedure:
If the computers are in a private residence, in Argentina it will be required a search warrant with the exact instruction of the target of the measure. The judge can also state the name of the person who will be in charge of executing the measure.
Regarding this last matter (person in charge of executing the measure) it is important to take into account that it should be a person having advanced training in computing. If this is not the case, data will be easily hidden through parallel systems, or else those parallel systems could be quickly destroyed through programs conceived to such purposes.
Consequently, I think that the success of any search measure or attachment will be obtained through the capability of the personnel in charge of executing the measure.
- What would be the target of such compulsory measures?
I understand that the question is very vast and there is no general answer for all the cases.
What I want to say is that in some cases, for instance the case of illegal copy of software, we can find out that it was carried out for the benefit of a small office having few personal computers; in this case, the “back up” of the hard disks, will not take long.
So, it is possible that in each case, the judge, before ordering the measure, must have a close notion of what he will be facing, being able to order the attachment of the complete personal computers, as well as of the hard disks and floppy disks.
It is important to be cautious with the protection of the attached goods, since a hard disk can be easily erased or damaged, and the same happens with the floppy disks. The protection must also tend to guarantee that the evidence material won’t be invalidated because of an inadequate protection: in a case that happened in Buenos Aires where a case of tax avoidance was investigated, all the computers from a company area were attached; the person who executed the measure didn’t protect the computers in sealed and closed boxes, for which, the defense, at the moment of wanting to obtain data from those computers, requested the invalidity of the investigation since it could not be guaranteed that the data of the computers was the same as the data that was in the computers before the attachment, due precisely to the fact that anyone could have had access to the computers.
- How and to what extent should the target and place to execute the compulsory measures be identified specifically and distinguished from other objects to obtain the warrant/permission from the judicial officer?
In order to protect the individual rights of the accused persons who committed a crime, any evidence measure against them must have a clear and specific reason. In doing so, I want to say that the judge, or the person in charge to order the measure, must be precise as regards to the target of the measure.
An interesting matter to take into account is that it could be ordered that from the moment the measure begins, no employee can have access to or operate the computers: this is with the purpose of preventing the switching on of self-destruction processes. Nevertheless, these processes can be switch on automatically if the person in charge of the inspection does not know about the subject. Thus, I highlight again the need that the measure be executed by qualified persons.
- What kind of data is covered by the warrant/permission for compulsory measures?
I believe that the search warrant, attachment or inspection could be specific as regards to the target of the measure, but more extensive as regards to the data that will be specifically collected in order to fulfil the measure. This allows that if there is data that is received during the execution of the measure, if it is related to the purpose of the investigation, it can be examined.
- If during the execution of a specific compulsory measure, the investigative authority finds data, which is not targeted for the compulsory measure, but which turns out to be very important as evidence for the criminal case, what can the authority do?
Regarding this question, it could be also said that the problem is not new for the criminal-procedural Law. For instance, if a judge orders a search warrant with the purpose of attaching a firearm which was supposedly used to commit “A’s” homicide, and during the search, another gun is found which was supposedly used for “B’s” homicide, this latter should be seized, for instance, by closing the domicile, until an extension of the search warrant is obtained.
It is true that when investigating cyber crimes the matter may not be so easy, because even with a closed domicile, the computer programs and its inside data may be altered by teleprocessing devices through telephonic access. For all this, it could be considered that in the search warrant be stated, for instance, the interruption of the telephonic service during the execution of the entire measure.
Nevertheless, I believe again, that the qualification of the person in charge of executing the measure is an essential requirement for securing the evidence.
- What kinds of compulsory measures are available for obtaining encrypted data?
I don’t have a very clear answer regarding the matter. Possibly, it could be thought that when encrypted information is needed, it is convenient to order directly the attachment of the computers or of the hard disks, so as to be analyzed afterwards by specialists.
Obviously, what could never have been done is to obtain the access codes in order to have access to the information through illegal means, or even establishing an obligation for the investigated person. I emphasize that in countries like Argentina, the deposition of the accused is always a means of defense, and he never could be obliged to testify data that could be used against him. (“nemo tenetur”)
- When the computer system or the data exists in a foreign country, the enforcement of compulsory measures may infringe national sovereignty. Are any judicial officers empowered to issue a warrant/permission targeting a computer network beyond national borders?
This matter is related with the international judicial cooperation. I consider that for the investigation of these crimes it is essential the existence of quick devices that allow the investigators of different countries to interact in a legal way. In the international scope, there are already some examples of the ONU referred to the cooperation and international judicial assistance.
- Are there possible answers to such problems within the framework of mutual assistance?
In this point I refer to what is stated in the above answer.
- Is it possible to establish a new type of jurisdiction for computer networks different from the conventional territorial recognition of sovereignty?
Generally, the states have different judicial systems regarding the establishment and exercise of the jurisdiction. Thus, I want to say that the principle of territoriality is not the only principle.
It is true that the special nature and the complexity of the cyber crime, demand that the states join their juridical ideas in order to find means in the international context so as to prevent that those differences impede an effective action.
For such purpose, it could be thought about the establishment of jurisdiction not only based in the principle of territoriality but also in the principle of nationality of the victim or of the alleged criminal. This is the system which is suggested in most of the international conventions that deal with complex crimes.
- Which legal system is applied between the enforcing and the enforced country?
The answer is similar to the previous one.
- Which criminal procedure laws will be applied to secure the rights of such person?
In order to secure the rights of the accused person in criminal cases, I consider that the total respect of the individual rights stated in several international treaties is the best way to secure the rights: International Treaty of Civil and Political Rights; European Convention about Human Rights; American Convention about Human Rights, etc.
- How are the remedies, such as appeal, monetary compensation by the government, given in the case of the illegal execution of compulsory measures?
The answer to this question is similar to other cases of judicial error. I consider that the rights of the accused person to claim damages caused by the errors in the administration of justice should be secured. I believe that is not convenient to avoid the general rules about compensation for damages in any case.