2. Indeed, the world is undergoing a second Industrial Revolution. Information technology today touches every aspect of life, irrespective of location on the globe. Everyone's daily activities are affected in form, content and time by the computer. Businesses, Governments and individuals all receive the benefits of this Information Revolution. While providing tangible benefits in time and money, the computer has also had an impact on everyday< life, as computerized routines replace mundane human tasks. 2 More and more of out businesses, industries, economies, hospitals and Governments are becoming dependent on computers. Computers are not only used extensively to perform the industrial and economic functions of society but are also used to perform many functions upon which human life itself depends. medical treatment and air traffic control are but two examples. Computers are also used to store confidential data of a political, social, economic or personal nature. They assist in the improvement of economies and of living conditions in all countries. Communications, organizational functioning and scientific and industrial progress have developed so rapidly with computer technology that our form of living has changed irreversibly.
3. With the computer, the heretofore impossible has now become possible, The computer has allowed large volumes of data to be reduced to high-density, compact storage, nearly imperceptible to the human senses, It has allowed an exponential increase in speed, and even the most complex calculations can be completed in milliseconds. The miniaturization of processors has permitted worldwide connectivity and communication. Computer literacy continues o grow.
4. The burgeoning of the world of information technologies has, however, a negative side: it has opened the door to antisocial and criminal behavior in ways that would never have previously been possible. Computer systems offer some new and highly sophisticated opportunities for law-breaking, and they create the potential to commit traditional types of crimes in non-traditional ways. In addition to suffering the economic consequences of computer crime, society relies on computerized systems for almost everything in life, from air, train and bus traffic control to medical service coordination and national security. Even a small glitch in the operation of these systems con put human lives in danger. Society's dependence on computer systems, therefore, has a profound human dimension. The rapid transnational expansion of large-scale computer networks and the ability to access many systems through regular telephone lines increases the vulnerability of these systems and the opportunity for misuse or criminal activity. The consequences of computer crime may have serious economic costs as well as serious costs in terms of human security.
6. When the issue is elevated to the international scene, the problems and inadequacies are magnified. Computer crime is a new form of transnational crime and effectively addressing it requires concerted international cooperation. This can only happen, however, if there is a common framework for understanding what the problem is and what solutions there may be.
7. Some of the problems surrounding international cooperation in the area of computer crime and criminal law can be summarized as follows:
9. In 1983, OECD undertook a study of the possibility of an international application and harmonization of criminal laws to address the problem of computer crime or abuse. In 1986, it published Computer-Related Crime: Analysis of Legal Policy, a report that surveyed the existing laws and proposals for reform in a number of Member States and recommended a minimum list of abuses that countries should consider prohibiting and penalizing by criminal laws, for example, computer fraud and forgery, the alteration of computer programs and data and the copyright and interception of the communications or other functions of a computer or telecommunication system. A majority of members of the Committee on Information, Computer and Communications Policy also recommended that criminal protections should be developed for other types of abuse, including the theft of trade secrets and unauthorized access to, or use of, computer systems.
10. Following the completion of the OECD report, the Council of Europe initiated its own study of this issue with a view to developing guidelines to assist legislators in determining what conduct should be prohibited by the criminal law and how this should be achieved, having regard for the conflict of interest between civil liberties and the need for protection. The minimum list of OECD was expanded considerably by adding other types of abuses that were recommended as deserving of the application of the criminal law. The Select Committee of Experts on Computer-Related Crime of the Committee on Crime Problems examining these questions also addresses other areas, such as privacy protection, victims, prevention, procedural issues such as the international search and seizure of data banks, and international cooperation in the investigation and prosecution of computer crime. Recommendation R(89)9 of the Council of Europe on computer-related crime, which contains guidelines for national legislatures, was adopted by the Committee of Ministers of the Council of Europe on 13 September 1989.
11. In 1992, OECD developed a set of guidelines for the security of information systems, which is intended to provide a foundation on which States and the private sector may construct a framework for the security of information systems. In that same year, the Council of Europe began a study that will concentrate on procedural and international cooperation issues related to computer crime and information technology.
13. Ensuring the integrity of computer systems is a challenge facing both developed and developing countries. It is predicted that within the next decade, it will be necessary for developing nations to experience significant technological growth in order to become economically self-sufficient and more competitive in world markets. As dependence on computer technology grows in all nations, it will be crucial to ensure that the rate of technological dependence does not outstrip the rate at which the corresponding social, legal and political frameworks are developing. It is important to plan for security and crime prevention at the same time that computer technology is being implemented.
14. The participation of both developed and developing nations in international computer-crime initiatives is an encouraging trend. For example, the three associated conferences on computer crime at Würzburg in October 1992 were attended by delegates from Africa, Asia, eastern and western Europe, Latin America, the Middle East and North America. An adequate response to computer crime requires that both developed and developing nations should encourage regional and international organizations to examine the issue and promote crime prevention programs on a national level.
15. This strategy is necessary, both immediately and in the long term, to ensure international cooperation and to foster the political will to create a secure information community and the universal criminalization of computer crime.
17. In preparation for the Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, the Asia and Pacific Regional Preparatory Meeting indicated concern with the effects of technological progress, as reflected in computer crimes (A/CONF.144)RPM.2).
18. At the 12th plenary meeting of the Eighth Congress, which took place in 1990, the representative of Canada introduced a draft resolution on computer-related crimes on behalf of the 21 sponsors. At its 13th plenary meeting, the Congress adopted the resolution, in which it, inter alia, called upon Member States to intensify their efforts to combat computer crime by considering, if necessary, the following measures:
21. There has been a great deal of debate among experts on just what constitutes a computer crime or a computer-related crime. Even after several years, there is no internationally recognized definition of those terms. Indeed, throughout this Manual the terms computer crime and computer-related crime will be used interchangeably. There is no doubt among the authors and experts who have attempted to arrive at definitions of computer crime that the phenomenon exists. However, the definitions that have been produced tend to relate to the study for which they were written. The intent of authors to be precise about the scope and use of particular definitions means, however, that using these definitions out of their intended context often creates inaccuracies. A global definition of computer crime has not been achieved; rather, functional definitions have been the norm.
22. Computer crime can involve criminal activities that are traditional in nature, such as theft, fraud, forgery and mischief, all of which are generally subject everywhere to criminal sanctions. The computer has also created a host of potentially new misuses or abuses that may, or should, be criminal as well.
23. In 1989, expanding on work that had been undertaken by OECD, the European Committee on Crime Problems of the Council of Europe produced a set of guidelines for national legislators that enumerated activities that should be subject to criminal sanction. By discussing the functional characteristics of target activities, the Committee did not attempt a formal definition of computer crime but left individual countries to adapt the functional classification to their particular legal systems and historical traditions.
24. The terms "computer misuse" and "computer abuse" are also used frequently, but they have significantly different implications. Criminal law recognizes the concepts of unlawful or fraudulent intent and of claim of right; thus, any criminal laws that relate to computer crime would need to distinguish between accidental misuse of a computer system, negligent misuse of a computer system and intended, unauthorized access to or misuse of a computer system, amounting to computer abuse. Annoying behavior must be distinguished from criminal behavior in law.
25. In relation to the issue of intent, the principle of claim of right also informs the determination of criminal behavior. For example, an employee who has received a password from an employer, without direction as to whether a particular database can be accessed, is unlikely to be considered guilty of a crime if he or she accesses that database. However, the principle of claim of right would not apply to the same employee who steals a password from a colleague to access that same database, knowing his or her access is unauthorized; this employee would be behaving in a criminal manner.
26. A distinction must be made between what is unethical and what is illegal; the legal response to the problem must be proportional to the activity that is alleged. It is only when the behavior is determined to be truly criminal that criminal prohibition and prosecution should be sought. The criminal law, therefore, should be employed and implemented with restraint.
28. The number of verifiable computer crimes is not, therefore, very high. This fact notwithstanding, authorities point out that the evidence of computer crime discernible from official statistical sources, studies and surveys indicates the phenomenon should be taken seriously.
29. The American Bar Association conducted a survey in 1987: of 300 corporations and government agencies, 72 claimed to have been the victim of computer-related crime in the 12-month period prior to the survey, sustaining losses estimated to range from $ 145 million to $ 730 million. In 1991, a survey of security incidents involving computer-related crime was conducted at 3,000 Virtual Address Extension (VAX) sites in Canada, Europe and the United States of America. Seventy-two per cent of the respondents said that a security incident had occurred within the previous 12-month period; 43 per cent indicated that the security incident they had sustained had been a criminal offence. A further 8 per cent were uncertain whether they had sustained a security incident. Similar surveys conducted around the world report significant and widespread abuse and loss.
30. Law enforcement officials indicate from their experience that recorded computer crime statistics do not represent the actual number of offences; the term "dark figure", used by criminologists to refer to unreported crime, has been applied to undiscovered computer crimes. The invisibility of computer crimes is based on several factors. First, sophisticated technology, that is, the immense, compact storage capacity of the computer and the speed with which computers function, ensures that computer crime is very difficult to detect. In contrast to most traditional areas of crime, unknowing victims are often informed after the fact by law enforcement officials that they have sustained a computer crime. Secondly, investigating officials often do not have sufficient training to deal with problems in the complex environment of data processing. Thirdly, many victims do not have a contingency plan for responding to incidents of computer crime, and they may even fail to acknowledge that a security problem exists.
31. An additional cause of the dark figure is the reluctance of victims to report computer offences once they have been discovered. In the business sector, this reluctance is related to two concerns. Some victims may be unwilling to divulge information about their operations for fear of adverse publicity, public embarrassment or loss of goodwill. Other victims fear the loss of investor or public confidence and the resulting economic consequences. Some experts have suggested that these factors have a significant impact on the detection of computer crime.
33. The typical skill level of the computer criminal is a topic of controversy. Some claim that skill level is not an indicator of a computer criminal, while others claim that potential computer criminals are bright, eager, highly motivated subjects willing to accept a technological challenge, characteristics that are also highly desirable in an employee in the data-processing field.
34. It is true that computer criminal behavior cuts across a wide spectrum of society, with the age of offenders ranging from 10 to 60 years and their skill level ranging from novice to professional. Computer criminals, therefore, are often otherwise average persons rather than supercriminals possessing unique abilities and talents. 8 Any person of any age with a modicum of skill, motivated by the technical challenge, by the potential for gain, notoriety or revenge, or by the promotion of ideological beliefs, is a potential computer criminal.
35. According to a number of studies, however, employees represent the largest threat, and indeed computer crime has often been referred to as an insider crime. One study estimated that 90 per cent of economic computer crimes were committed by employees of the victimized companies. A recent survey in North America and Europe indicated that 73 per cent of the risk to computer security was attributable to internal sources and only 23 per cent to external criminal activity.
36. As advances continue to be made in remote data processing, the threat from external sources will probably increase. With the increasing connectedness of systems and the adoption of more user-friendly software, the sociological profile of the computer offender may change.
37. Owing to the greater complexity of certain computer routines and augmented security measures, it is becoming increasingly unlikely that any one person will possess all the information needed to use a computer system for criminal purposes. Organized computer criminal groups, composed of members from all over the world, are beginning to emerge. Corresponding with this increasing cooperation in criminal activity, the escalating underground use of electronic bulletin boards for clandestine criminal communication has been detected around the world. Rapidly improving telecommunication technology has added to the threat from external sources. Computer-based voice mailbox systems, for example, are being used by the computer criminal community to exchange stolen access numbers, passwords and software.
38. The advent of viruses and similar mechanisms whereby computer software can be made to act almost on its own initiative poses a new and significant threat. Sophisticated viruses and devices such as "logic bombs" and "trojan horses", discussed below, can be targeted for specific objectives at specific industries to commit a variety of traditional criminal offences, from mere mischief of extortion. These crimes, furthermore, can be committed immediately or can be planted to spring at a future date.
39. Computer criminals have gained notoriety in the media and appear to have gained more social acceptability than traditional criminals. The suggestion that the computer criminal is a less harmful individual, however, ignores the obvious. The current threat is real. The future threat will be directly proportional to the advances made in computer technology.
41. Computer systems are particularly vulnerable to threats because of a number of interacting factors. The more significant of these are analysed briefly below.
43. At the same time, memory management techniques allow many independent processes to be supported concurrently within a single operating system. Independent data files can be combined to produce new and unforeseen relationships. Data items may be linked to produce a new item with a higher level of sensitivity than the original discrete data components. The centralization of information and processing functions provides an attractive target for the infiltrator or saboteur intent on attacking the functions or information assets of an organization.
44. The density of data stored on such media as tapes, diskettes, cassettes and microfilms means that the loss or theft of such items can be very significant.
46. Because of the desire to give system users maximum capability, unrestricted access privileges are often granted rather than allowing only the privileges necessary to perform an intended function. A transaction-oriented system permitting read-only or inquiry-only access offers a greater degree of protection than a system offering full programming capability.
47. Many systems in current use offer very limited ability to control user capabilities related to passive data and programs on a read-only, read-write or execute basis. This situation frequently necessitates operating on the assumption that every user has the capability to use the full computing potential of the operating system. A known penetration technique that utilizes this weakness involves disguising user instructions intended for clandestine purposes as a common utility, such as a file-copying routine, or inserting them into an existing routine. When the illicit code is activated, it performs functions more privileged than were intended for that user.
48. Finally, computer control functions are normally made accessible to numerous support and maintenance personnel. Tampering with software or hardware logic to obtain extended privilege or to disable protection features has been known to occur. The exposure provided through increasingly easy access to electronic data processing (EDP) resources is an important contributor to the vulnerability of modern computer systems.
51. Traditional forms of electronic eavesdropping can be readily adapted to exploit data-processing systems. They include wire-tapping and bugging, the analysis of electromagnetic radiations from equipment and monitoring of the cross-talk induced in adjacent electrical circuits. Interconnecting data communications circuits also suffer the same vulnerabilities, and communications on them can be subject to misrouting. A variation on wire-tapping involves the illegal use of a minicomputer to intercept data communications and to generate false commands or responses to other system components.
52. In the commission of a fraud, electronic technology has an advantage over manual data manipulation, which generally leaves behind an audit trail. Computer data, however, can be instantly changed or erased with minimal chance of detection, by, for example, a virus or logic bomb. The computer criminal can easily modify systems to perpetrate the fraud and then cover the evidence of the offence. It is suggested, moreover, that data processing is protected by only one tenth of the controls afforded to the same process in the manual environment, an insufficiency that facilitates the opportunity to commit crime without detection.
53. The performance of EDP systems may also be adversely affected by electromagnetic interference. Conducted or radiated electrical disturbances can interfere with the operation of electronic equipment. The system may suffer only very temporary and intermittent impairment, measurable in microseconds and from which recovery is possible, or it may suffer complete equipment failure, resulting in an inability to process.
54. All hardware is susceptible to failure through ageing, physical damage and environmental change. To ensure that error propagation is confined to non-sensitive functions, i.e., that the system fails safely, malfunctions must be detected immediately. Progress is being made towards this goal, but few designs in current use offer the desired level of reliability.
56. Because the contents of most EDP media are not visually evident, data-processing personnel are often required to handle sensitive files without being aware they are doing so. As a result, the control of data items becomes a problem. Scratched tapes, discarded core memories can all contain residual data that may demand special attention. Because identity and accountability have been lost, safeguards are frequently relaxed for these items even though the same information is protected elsewhere in the system. The ease with which such sources of information can be utilized has resulted in several well-publicized system penetrations.
58. A further complication is the tendency on the part of management to tolerate less stringent supervisory controls over EDP personnel. The premise is that the work is not only highly technical and specialized but difficult to understand and control. As an example systems software support is often entrusted to a single programmer who generates the version of the operating system in use, establishes password or other control lists and determines the logging and accounting features to be used. In addition, such personnel are often permitted, and sometimes encouraged, to perform these duties during non-prime shift periods, when demands on computer time are light. As a result, many of the most critical software development and maintenance functions are performed in an unsupervised environment. It is also clear that operators, librarians and technicians often enjoy a degree of freedom quite different from that which would be considered normal in a more traditional employment area.
59. There is another factor at play in the commission of computer crime. Criminological research has identified a variation of the Robin Hood syndrome: criminals tend to differentiate between doing harm to individual people, which they regard as highly immoral, and doing harm to a corporation, which they can more easily rationalize. Computer systems facilitate these kinds of crimes, as a computer does not show emotion when it is attached. 12
60. Situations in which personnel at junior levels are trusted implicitly and given a great deal of responsibility, without commensurate management control and accountability, occur frequently in the EDP environment. Whether the threat is from malicious or subversive activities or from honest errors on the part of staff members, the human aspect is perhaps the most vulnerable aspect of EDP systems.
63. Computer fraud by input manipulation is the most common computer crime, as it is easily perpetrated and difficult to detect. Often referred to as "data diddling", it does not require any sophisticated computer knowledge and can be committed by anyone having access to normal data-processing functions at the input stage.
64. Program manipulation, which is very difficult to discover and is frequently not recognized, requires the perpetrator to have computer-specific knowledge. It involves changing existing programs in the computer system or inserting new programs or routines. A common method used by persons with specialized knowledge of computer programming is the trojan horse, whereby computer instructions are covertly placed in a computer program so that it will perform an unauthorized function concurrent with its normal function. A trojan horse can be programmed to self-destruct, leaving no evidence of its existence except the damage that it caused. 13 Remote access capabilities today also allow the criminal to easily run modified routines concurrently with legitimate programs.
65. Output manipulation is effected by targeting the output of the computer system. The obvious example is cash dispenser fraud, achieved by falsifying instructions to the computer in the input stage. Traditionally, such fraud involved the use of stolen bank cards. However, specialized computer hardware and software is now being widely used to encode falsified electronic information on the magnetic strips of bank cards and credit cards.
66. There is a particular species of fraud conducted by computer manipulation that takes advantage of the automatic repetitions of computer processes. Such manipulation is characteristic of the specialized "salami technique", whereby nearly unnoticeable, "thin slices" of financial transactions are repeatedly removed and transferred to another account. 10
69. A virus is a series of program codes that has the ability to attach itself to legitimate programs and propagate itself to other computer programs. A virus can be introduced to a system by a legitimate piece of software that has been infected, as well as by the trojan horse method discussed above.
70. The potential purposes of viruses are many, ranging from the display of harmless messages on several computer terminals to the irreversible destruction of all data on a computer system. In 1990, Europe first experienced a computer virus, used to commit extortion in the medical research community. The virus threatened to destroy increasing amounts of data if no ransom was paid for the "cure". A significant amount of valuable medical research data was lost as a result.
71. A worm is similarly constructed to infiltrate legitimate data-processing programs and to alter or destroy the data, but it differs from a virus in that it does not have the ability to replicate itself. In a medical analogy, the worm can be compared to a benign tumor, the virus to a malignant one. However, the consequences of a worm attack can be just as serious as those of a virus attack: for example, a bank computer can be instructed, by a worm program that subsequently destroys itself, to continually transfer money to an illicit account.
72. A logic bomb, also known as a "time bomb", is another technique by which computer sabotage can be perpetrated. The creation of logic bombs requires some specialized knowledge, as it involves programming the destruction or modification of data at a specific time in the future. Unlike viruses or worms, however, logic bombs are very difficult to detect before they blow up; thus, of all these computer crime schemes, they have the greatest potential for damage. Detonation can be timed to cause maximum damage and to take place long after the departure of the perpetrator. The logic bomb may also be used as a tool of extortion, with a ransom being demanded in exchange for disclosure of the location of the bomb.
73. Irrespective of motive, the fact remains that the use of viruses, worms and logic bombs constitutes unauthorized modification of legitimate computer data or programs and thus fall under the rubric computer sabotage, although the motive of the sabotage may be circumstantial to the alteration of the data.
75. Access is often accomplished from a remote location along a telecommunication network, by one of several means. The perpetrator may be able to take advantage of lax security measures to gain access or may find loopholes in existing security measures or system procedures. Frequently, hackers impersonate legitimate system users; this is especially common in systems where users can employ common passwords or maintenance passwords found in the system itself.
76. Password protection is often mischaracterized as a protective device against unauthorized access. However, the modern hacker can easily circumvent this protection using one of three common methods. If a hacker is able to discover a password allowing access, then a trojan horse program can be placed to capture the other passwords of legitimate users. This type of program can operate concurrently with the normal security function and is difficult to detect. The hacker can later retrieve the program containing the stolen passwords by remote access.
77. Password protection can also be bypassed successfully by utilizing password cracking routines. Most modern software effects password security by a process that converts a user's selected password into a mathematical series, a process known as encryption. Encryption disguises the actual password, which is then almost impossible to decrypt. Furthermore, legitimate security software has been developed that allows access to data only after it checks encrypted passwords against a dictionary of common passwords so as to alert system administrators of potential weakness in security. However, this same security process can be imitated for illegitimate purposes. Known as a "cracker" program when used for illegitimate purposes, these tools encrypt some or all of the data of the system. This creates a dictionary of data to compare with cracker software, for the purpose of identifying common passwords and gaining access to the system. A variety of these system-specific encryption routines can be obtained from hacker bulletin boards around the world and are regularly updated by the criminal community as security technology develops.
78. The third method commonly used to access a system is the "trapdoor" method, whereby unauthorized access is achieved through access points, or trapdoors, created for legitimate purposes, such as maintenance of the system.
79. The international criminal hacker community uses electronic bulletin boards to communicate system infiltration incidents and methods. In one case, details of a Canadian attempt to access a system were found on suspects in an unrelated matter in England; they had removed the material from a bulletin board in Germany. This sharing of information can facilitate multiple unauthorized infiltrations of a system from around the globe, resulting in staggering telecommunication charges to the victim.
80. With the development of modern telecommunications system, a new field for unauthorized infiltration was created. Personal telecommunications have been expanded with the advent of portable, cellular telecommunication devices. The criminal community has responded to these advances by duplicating the microchip technology.
81. Modern telecommunications systems are equally vulnerable to criminal activity. Office automation systems such as voice mail boxes and private business exchanges are, in effect, computer systems, designed for the convenience of users. However, convenience features such as remote access and maintenance capabilities, call-forwarding and voice-messaging are easily infiltrated by computer criminals.
82. Modern telecommunications systems, like other computer systems, are also susceptible to abuse by remote access. The integration of telecommunications systems means that once one system is accessed, a computer operator with sufficient skill could infiltrate the entire telecommunications network of a city. The usual motive for telecommunications crime is to obtain free telecommunications services. However, more innovative telecommunications fraud has also been uncovered, and telecommunications systems have been used to disguise other forms of criminal activity.
85. A new doctrine of criminal information is emerging in the area of al legal science, founded on the still-developing concepts of information law and the law of information technology. In accordance with modern cybernetics and informatics, information law now recognizes information as a third fundamental factor in addition to matter and energy. Based on empirical analysis, this concept evaluates information both as a new economic, cultural and political asset and as being specifically vulnerable to unique forms of crime.
86. It is obvious in the new approach that the legal evaluation of corporal objects differs considerably from the evaluation of incorporeal (information) objects. First, there is an important conceptual distinction between information and data that is both technologically and legally relevant. Information is a process or relationship that occurs between a person's mind and a stimulus. Data, whether in corporeal or incorporeal (e.g. electromagnetic impulse) form, constitute a stimulus. Data are merely a representation of information or of some concept. Information is the interpretation that an observer applies to the data. Different information may be received from the same data, depending on their interpretation. Thus, when data are destroyed or appropriated, it is the representation that is destroyed or appropriated and not the actual information, idea or knowledge. The latter may still subsist in a person's mind or in another copy of the data.
87. The second difference concerns the protection of the proprietor or holder of corporeal and incorporeal objects. Whereas corporeal objects are more exclusively attributed good that flows freely in a free society. It is not itself subject, therefore, to exclusive protection in the same way as tangible property. A third difference between the legal regimes of tangibles and intangibles is that, in protecting information, not only must one consider the economic interests of its proprietor or holder, but one must also preserve the interests of those persons concerned with the contents of the information. This aspect results in new issues of privacy protection, which is dealt with in chapter III.
88. Paragraphs 89-115 investigate how far the various national systems protect the holder of information and paragraphs 116-126 examine activities undertaken in this field of law on the international level.
91. To clarify the situation, new legislation has been enacted in many countries. Some countries amended the traditional statues on mischief, vandalism or damage to tangible property; others created specific provisions. The legislation of a few countries covers all kind of documents, not only computer-stored data. In the United States, a number of state laws contain more specific sanctions for the insertion or intrusion of a computer virus, and on the federal level, a provision sanctions the reckless causing of damage when a federal computer system is intentionally accessed without authorization. Some legal systems also include specific qualifications for computer sabotage that leads to the obstruction of business or of national security.
93. Some of the most important criminal law provisions covering the integrity, as well as he correctness, of specific data are provisions on forgery, which guarantee the authenticity of a document for the statement that it contains. In some countries, the provisions on forgery require visual readability of statements embodied in a document and, for this reason, do not cover electronically stored data. With the intention of giving electronically based documents the same legal protection as paper-based declarations, some enacted or proposed new statues on forgery that relinquish visual perceptibility. De lege lata, courts in other countries came to the same result.
95. In the area of financial manipulations the situation is different. In many legal systems the statutory definitions of theft, larceny and embezzlement require that the offender take an "item of another person's property". In such systems, the provisions are not applicable if the perpetrator appropriates deposit money. In many countries, these provisions also cause difficulties in regard to the manipulation of financial transactions through automated cash dispensers. The statutory provisions on fraud in some legal systems demand the deception of a person. They cannot be used when a computer is deceived. Statutory definitions of breach of trust or abus de confiance, which exist in several countries, sometimes apply only to offenders in high positions and not to punchers, operators or programmers; some provisions also have restrictions on which objects may be protected. Consequently, many legal systems have looked for solution de lege data without overstretching the wording of existing provisions, and new laws on computer fraud have been enacted in many countries. Such clarifications or amendments should be considered, if necessary.
98. As far as wire-tapping and the interception of data communications are concerned, the traditional wire-tap statutes of most legal systems refer only to the interception of communications. Therefore, legislative proposals that cover wire-tapping and other forms of electronic surveillance or the interception of computer system functions or communications have been put forth in many countries. When enacting legislation in this area, it is important that the new law should address interception in all of its possible forms, whether of communications to, from or within a computer system, or of inadvertent or advertent emissions of radiation.
99. Similarly, traditional provisions on trespassing and forgery often cannot be used. In all countries, the applicability of traditional penal provisions to unauthorized access to data-processing and storage systems is generally difficult. Therefore, new legislative provisions concerning such access have been enacted in many countries. These provisions demonstrate various approaches. Some criminalize "mere" access to EDP systems; other punish access only in cases where the accessed system is protected by security measures or where the perpetrator has harmful intentions or where data obtained, modified or damaged. Some countries combine several of these approaches in a single provision covering both "mere" access (in the form of a basic hacking offence) and qualified forms of access (in the form of a more serious ulterior offence with more severe sanctions).
100. One problem concerns the circumstances under which an initially authorized access may become unauthorized or may otherwise turn into a criminal action. In most countries, the new provisions deal only with the initial unauthorized access, thus criminalizing only the acts of outsiders; other countries also proscribe unauthorized use of or presence in systems, thus also criminalizing use or "time theft" by both outsiders and employees. A special solution to protect employees can be found in the California state law, which does not apply to employees if their use is within the scope of their employment or, in the case of uses outside the scope of employment, the use does not result in any injury or the value of the used services does not exceed $100.
101. The discussion about initially authorized access demonstrates that illegal access to computer systems is closely connected to, and partly overlaps with, the criminalization of unauthorized use of computers (i.e. both use without authority and time theft), although up to the present this close relationship has not yet been generally realized by all countries. De lege ferenda in most civil law countries the problem of illegal use of computers is reduced to the illegal use of computer hardware and discussed within the context of furtum usus of corporeal property. In this context many civil law countries reject a general criminalization of furtum usus of tangibles (with some exceptions, such as for moto vehicle joyriding) and consequently do not incorporate a provision against the illegal use of computers or time theft in their new computer crime laws. However, there are (mainly Nordic) countries that have a legal tradition of criminalizing the unauthorized use of corporeal property, so that the new reform proposals of these countries also criminalize the unauthorized use of computer systems. Many common law countries or parts thereof (e.g. Canada and many States of the United States) have recognized the relationship between access and use, and in statutory definitions subsume either "access" or "use" into the other concept, thereby creating a single legal concept that address both situations for the purposes of the new penal provisions. Since the unauthorized use of computer systems generally presupposes unauthorized access to that system, an adequate access or use provision could at the same time cover the other delict as well.
102. A further distinction that is sometimes recognized is one between (a) the unauthorized obtaining of computer services or time that is ordinarily provided for a fee and (b) the unauthorized use of computer systems in general. The delict in respect of the former is the unauthorized obtaining of computer services without payment of the requisite fee, thereby causing the owner of the system to suffer a financial loss. In some countries, such abuse is covered by general theft of service laws. The statutes of other countries, however, are limited to the unlawful use, waste or withdrawal of electricity. General theft and fraud statutes may be applicable in some countries, while in other countries specific provisions have had to be enacted to deal with this type of theft of service.
103. The delict in respect of the mere unauthorized use of the computer is the violation of the exclusive use rights of the owner. Addressing this problem raises all of the issues previously discussed in relation to the issues of unauthorized access and unauthorized use.
106. In recent years, many countries have debated the scope of copyright law, given that patent law can protect only a small number of programs, such as those that include a technical invention. With the aim of avoiding legal uncertainty, many countries have expressly provided copyright protection for computer programs by way of legislative amendments. This fundamental recognition of the need to copyright computer programs can, however, only be regarded as a first step. The creation of effective copyright protection for computer programs raises explicitly the question of the appropriate scope of copyright protection, as well as some additional problems. Until now, these questions have been solved in disparate and often unsatisfactory ways in many countries.
107. The role op penal copyright protection has also been evaluated differently in various countries. In the past, copyright law in common law systems rarely, if ever, resorted to penal sanctions; civil law systems, in contrast, have traditionally punished infringements of copyright by lenient criminal sanctions. The increase in audio- and videotape piracy in recent years, however, has necessitated more stringent criminal sanctions in both systems; thus the distinction between civil and common law systems has been effectively removed.
108. Although some of the new laws are still confined to phonographic products, many are of a more general nature. Reform proposals providing more severe criminal sanctions for copyright infringements have been enacted in many countries. These efforts to achieve more effective copyright protection are justified, since attacks against intellectual property deserve a criminal law response as much as do the more conventional attacks on corporeal property. The reluctance to criminalize copyright infringements, still evident in some countries, could be counteracted by adequate civil law provisions. The law can be structured to differentiate between less objectionable activities, such as private back-up copying, and more clearly criminal behaviour, which either causes economic damage or is regularly committed for gain.
110. In most countries, it remains unclear to what extent the topography of semiconductor products is protected against reproductions by patent law, copyright law, registered designs, trade secret law and competition law. In the United States, special protection for computer chips was provided by the Semiconductor Chip Protection Act of 1984. 8 Many states followed this sui generis approach by enacting similar legislation.
111. However, criminal sanctions provided under this type of legislation differ from country to country. In contrast to the laws of Canada, Italy and the United States, the new Finnish, German, Japanese, Netherlands and Swedish laws include criminal sanctions, which among other things punish the infringement of a circuit layout right. Civil and penal sanctions for egregious infringements of circuit layout rights require serious consideration.
113. Additionally, in many countries the traditional laws of theft also require that the thing that is taken constitute property. However, legislators and the judiciary in many of these countries are reluctant to ascribe a property status to information, even confidential information. The issue of misappropriation of information raises a number of broader legal, social and economic issues. The conflict of interest between the free flow of information and the right to confidentiality must be taken into account, as must be the economic interests in certain kinds of information. Just as in the area of intellectual property law solutions in this area must also provide for an appropriate degree of flexibility to balance these competing interests. Traditional property law, with its emphasis on exclusivity to one owner, does not adequately account for the dynamics of information in an information society. Rather than relying on traditional theft provisions, special laws may need to be enacted. 2
114. As a result of problems in applying the general property law to cover trade secrets, in many countries the misappropriation of someone else's secret information is covered by special provisions on trade secrets law. These provisions protect trade secrets by prohibiting only certain condemnable acts of obtaining information, either by provisions of the penal code or by penal or civil provisions of statutes against unfair competition. These laws generally attempt to balance the competing interests.
115. Generally speaking, it can be said that criminal trade secret law and civil unfair competition law are less developed in common law countries, at least statutorily, and in Asian countries than in continental Europe. As far as future policy-making is concerned, the international trend towards trade secret protection should be encouraged. To achieve an international consensus, all legal systems could, either in their penal codes or in statutes against unfair competition, establish penal trade secret protection reinforced by adequate civil provisions on unfair competition.
118. In 1986, based on a comparative analysis of substantive law, OECD suggested that the following list of acts could constitute a common denominator for the different approaches being taken by member countries:
120. This document "recommends the Governments of Member States to take into account, when reviewing their legislation or initiating new legislation, the report on computer-related crime... and in particular the guidelines for the national legislatures". The guidelines for national legislatures include a minimum list, which reflects the general consensus of the Committee regarding certain computer-related abuses that should be dealt with by criminal law, as well as an optional list, which describes acts that have already been penalized in some States, but on which an international consensus for criminalization could not be reached.
121. The minimum list of offences for which uniform criminal policy on legislation concerning computer-related crime had been achieved enumerates the following offences:
"3. To the extent that traditional criminal law is not sufficient, modification of existing, or the creation of new offences should be supported of other measures are not sufficient (principle of subsidiarity).
4. In the enactment of amendments and new provisions, emphasis should be put on precision and clarity. In areas where criminal law is only an annex to other areas of law (as in the area of copyright law), this requirement should also be applied to the substantive material or that other law.
5. In order to avoid overcriminalization, regard should be given to the scope to which criminal law extends in related areas. Extensions that range beyond these limits require careful examination and justification. In this respect, one important criterion in defining or restricting criminal liability is that offences in this area be limited primarily to intentional acts.
...
7. Having regard to the advances in information technology, the increase in related crime since the adoption of the 1989 recommendation of the Council of Europe, the significant value of intangibles in the information age, the desirability to promote further research and technological development and the high potential for harm, it is recommended that States should also consider, in accord with their legal traditions and culture and with reference to the applicability of their existing laws, punishing as crimes the conduct described in the ´optional list´, especially the alteration of computer data and computer espionage.
8. Furthermore, it is suggested that some of the definitions in the Council of Europe lists - such as the offence of unauthorized access - may need further clarification and refinement in the light of advances in information technology and changing perceptions of criminality. For the same reasons, other types of abuses that are not included expressly in the lists, such as trafficking in wrongfully obtained computer passwords and other information about means of obtaining unauthorized access to computer systems, and the distribution or viruses or similar programs, should also be considered as candidates for criminalization, in accord with national legal traditions and culture and with reference to the applicability of existing laws. In light of the high potential damage that can be caused by viruses, worms and other such programs that are meant, or are likely, to propagate into and damage, or otherwise interfere with, data, programs or the functioning of computer systems, it is recommended that more scientific discussion and research be devoted to this area. Special attention should be given to the use of criminal norms that penalize recklessness or the creation of dangerous risks, and to practical problems of enforcement. Consideration might also be given as to whether the resulting crime should be regarded as a form of sabotage offence.
9. In regard to the preceding recommendations, it is recognized that different legal cultures and traditions may resolve some of these issues in different ways while, nevertheless, still penalizing the essence of the particular abuse. States should be conscious of alternative approaches in other legal systems." 13
126. The draft resolution acknowledges the work of OECD and the Council of Europe and welcomes the guidelines adopted by the latter, which create a minimum list of criminal acts as well as an optional list of acts that should be penalized by national law. The draft resolution is expected to be adopted, with or without revisions, at a conference of AIDP to be held at Rio de Janeiro in 1994.
130. The differences among the general administrative regulations are not only relevant for administrative law but to a significant extent also determine the existence of differences between criminal law provisions, which largely refer to these regulations. For example, one difference among criminal offences in various national privacy laws is found in the prohibition of the use of various types of data.
132. The most important differences among the crimes against privacy in the various data protection laws emerge when the penal provisions are analysed in detail. Such a comparative analysis should differentiate four main categories of criminal privacy infringements, which are to be found particularly in European privacy laws:
136. Further initiatives were undertaken by the Committee of Experts on Data Protection of the Council of Europe. Since the opening for signature of the Convention, the Committee has pursued a sectoral approach to data protection issues aimed at elaborating guidelines, in the form of non-binding recommendations, addressed to the Governments of the member States.
140. Further studies to harmonize criminal privacy law were undertaken in the course of the work of the Select Committee of Experts on Computer-Related Crime of the Council of Europe, mentioned in paragraphs 119-122. The Committee recommended six basic principles that should be taken into account by member States when enacting legislation in the field of computer-related criminal privacy:
142. The issue of privacy protection was also discussed at the AIDP Colloquium on Computer Crime and Other Crimes against Information Technology (see paragraphs 116-126). The discussion demonstrated significant differences of opinion as to the means by which and the degree to which protection should be afforded by administrative , civil, regulatory and criminal law. The draft resolution of the colloquium recommended, therefore, that "non-penal measures should be given priority, especially where the relations between the parties are governed by contract" and that criminal provisions "should only be used where civil law or data protection law do not provide adequate legal remedies".
143. The Colloquium noted the basic principles, as advanced by the Council of Europe, that should be taken into account by States when enacting criminal legislation in this field. The draft resolution of the Colloquium proposes further that criminal provisions in the privacy area should in particular:
"The significance of protecting privacy interests in the transformed information age should be recognized, but also balanced by the legitimate interests in the free flow and distribution of information within society. These interests include the right of citizens to access, by legal means consistent with international human rights, information about themselves which is held by others."
145. The Colloquium concluded that further study of this issue should be undertaken.
147. The resulting replacement of visible and corporeal objects of proof by invisible and intangible evidence in the field of information technology not only creates practical problems but also opens up new legal issues: the coercive powers of prosecuting authorities, discussed in paragraphs 148-165; specific problems with personal data, discussed in paragraphs 166-170; and the admissibility of computer-generated evidence, discussed in paragraphs 171-175. The relevant problems are dealt with not only at the national level but also by various international organizations, as discussed in paragraphs 176-185.
150. With respect to the investigation of computer data permanently stored on a corporeal data carrier, the general limitation of the powers of search and seizure to the search and seizure of (corporeal) objects relevant to the proceedings or to finding the truth does not, in most countries, pose serious problems, since the right to seize and to inspect the corporeal data carrier or, in case of internal memories, the central processing unit also includes the right to inspect the data. In other words, there is no difference whether the data are fixed with ink on paper or by magnetic impulses in electronic data carriers. This conclusion is even more evident for provisions in which the powers of search and/or the powers of seizure are directed towards "anything" that would be admissible as evidence at a trial. The same evaluation also applies mutatis mutandis for powers of confiscation.
151. Application of the traditional powers of search and seizure might, however, cause problems in cases where data are not permanently stored in a corporeal data carrier. In these instances, it is questionable whether pure data or information can be regarded as an object in the sense of criminal procedural law. The same holds true if the legal principle of minimum coercion or of proportionality makes it unlawful to seize comprehensive data carriers, or complete computer installations, in order to gather only a small amount of data. Similarly, search and seizure of comprehensive data carriers could cause serious prejudice to business activities or infringe the privacy rights of third parties. Uncertainties may also arise in cases in which data carriers (such as core-storage, fixed-disk devices or chips) cannot be taken away to be evaluated on a police computer but must be analysed using the computer system in question. In all these cases one might consider applying the powers of search not only to detect a computer installation and data but also to fix (especially to print) the relevant data on a separate data carrier and then seize this new object, which might be a diskette or a printout.
152. However, such a construction depends on the question of whether and to what degree the powers of search and seizure include the power to use technical equipment and (copyrightable) programs belonging to a witness or to an accused, in order to search and/or fix computer data. Only a few laws state that in the execution of search and seizure all necessary measures may be taken. Consequently, in many legal systems an effective search for pure data or information is not provided for by the law.
153. Special problems also arise with respect to search and seizure in computer networks. Here, it is questionable whether and to what extent the right to search and seize a specific computer installation includes the right to search databases that are accessible by this installation but that are situated in other premises. This question is of great practical importance since perpetrators increasingly store their data in computer systems located elsewhere in order to hinder prosecution. Specific problems of public international law arise with respect to search and seizure of foreign databases via international telecommunication systems. In these international systems, the direct penetration by prosecuting authorities of foreign data banks generally constitutes an infringement of the sovereignty of the State of storage (and often in a punishable offence); however, there might be some specific exceptions that could be developed internationally in which direct access to foreign data banks via telecommunication networks could be permissible and the lengthy procedure of mutual assistance avoided.
154. Problems of interpretation also arise with respect to extra safeguards for specific information. This is not only an issue with respect to the materials of professional legal advisers, doctors, journalists and other people who may , in some legal systems, be exempt from giving evidence. One of the latest disputes in this area is the question of how far the privileges of the press should also be applicable to electronic bulletin boards. Even more intricate questions arise with the application of safeguards and specific provisions to papers , documents and letters, especially in the fields of electronic mail and telecommunication systems. Owing to the rationale of these privileges , they should generally apply equally to paper-based and computer-stored material , especially as between traditional mail and electronic mail.
156. Such sui generis provisions for gathering data not only provide legal certainty and a basis for efficient investigations in an EDP environment but, with respect to legal policy, can also be based on the argument that copying data is often a less severe inhibition than the seizure of data carriers. Moreover, sui generis provisions have the advantage of being able to solve specific questions of search and seizure of data, such as compensation of costs for the use of EDP systems, subsequent erasure of copied data that are no longer required for the prosecution, or search and seizure in telecommunication networks.
158. The traditional legal systems of most countries include two instruments that might be used to achieve the cooperation necessary for gathering evidence in a computerized environment: the duty to surrender seizable objects of evidence and the duty to testify. In some countries, additional and more extensive provisions or reform proposals have been enacted or suggested.
162. The question whether or not such duties to produce and hand over computer printouts should be recommended de lege ferenda is difficult to judge and requires a differentiation between the duties of witnesses and the duties of defendants or suspected persons. With respect to (innocent) witnesses, there are good arguments for the introduction of such a duty. However, with respect to the defendant or suspect, there are equally good arguments that a duty of active cooperation should be rejected since this duty could impede the accused's right to remain silent and could infringe upon the privilege against self-incrimination. It is true that the wording of article 14(3)g of the International Covenant on Civil and Political Rights only guarantees that, in the determination of any criminal charge against a person, everyone shall be entitled to the minimum guarantee of "not to be compelled to testify against himself or to confess guilt". However, the reasons underlying this guarantee could justify a general privilege against any active self-incrimination.
164. The question whether the traditional powers of wire-tapping can be applied to tapping other telecommunication services and computer systems is answered differently in various countries. No computer-specific issues arise in legal systems in which the statutory law permits, for example, "surveillance of the telecommunication traffic including the recording of its content". On the other hand, computer-specific problems of interpretation exist, especially in countries that permit only "monitoring of conversations" or "surveillance and tapping of the telecommunication traffic on sound carriers". Such clauses are particularly problematic if an analogous application of coercive powers in criminal procedural law is not jurisprudentially permissible.
167. An extensive discussion of the underlying constitutional implications regarding the gathering, storing and