Computer Crime Research Center


Cybercrime in France: An Overview

Date: December 07, 2005
Source: Computer Crime Research Center
By: Mohamed Chawki

...

2.3.4 Malicious Code

In March 2005, the Tribunal correctionnel de Paris ruled in Tegam v. Tena Guillaume that security researcher Guillaume Tena acted unlawfully in publishing proof of concept code to highlight security flaws in ViGuard, an antivirus product from the French company Tegam. Tena was given a suspended fine of €5,000 ($6,700 or £3,480) in a case that could have big implications for security research in France. Four years ago Tena (AKA Guillermito) released proof of concept code to highlight security bypass and worm evasion flaws in ViGuard. He produced exploits showing that Tegam’s generic anti-virus failed to stop "100 per cent of known and unknown viruses" as claimed. Tena posted his findings to a French Usenet newsgroup in the summer of 2001 before re-publishing the research on a website in March 2002. Tegam denounced Tena as a “terrorist”, and sent in the lawyers. In June 2002, Tena was prosecuted over alleged violations of French copyright law. Tegam argued that a warez version of its software was used in Tena’s tests and claimed that he decompiled or disassembled ViGuard and distributed part of its source code on his website. Tena denies these accusations. Tegam claims tens of thousands of ViGuard users in France. However, the product is little used outside the country. The case against Tena came to trial at a Tribunal correctionnel in Paris in January. A verdict - returned in March 2005 - found against the security researcher, who will be fined €5,000 if he re-offends within the next five years.

2.3.5 Online Defamation

In LICRA and UEJF v. Yahoo! Inc, Yahoo! was sued in France for violating a French law that prohibits the exhibition of Nazi memorabilia. The Tribunal de Grande Instance de Paris ordered Yahoo! to limit the display of Nazi memorabilia and images on Yahoo!-hosted auction sites in the U.S. Such displays, while illegal in France, are protected by the First Amendment in the United States. The French court reasoned that because the offensive materials were accessible in France – and hence caused harm to French citizens – the court had the power to penalize Yahoo! in the U.S. for non-compliance with its domestic hate speech statutes. Because enforcement of the French order would require action against Yahoo! and its assets in the United States, Yahoo! in turn sought relief from the order in the form of a declaratory judgment making the order unenforceable stateside. Before a California district court, Yahoo! sought a declaration that the French court has no jurisdiction over Yahoo’s U.S.-based operations, and that the French court's order violates rights guaranteed by the U.S. Constitution. Yahoo! argued that only a U.S. court has jurisdiction to determine if the French order is enforceable in the United States. The California court agreed, and on First Amendment grounds invalidated enforcement of the French order in the U.S. The court concluded that:
“The French order’s content and viewpoint-based regulation, while entitled to great deference as an articulation of French law, clearly would be inconsistent with the First Amendment if mandated by a court in the United States. What makes this case uniquely challenging is that the Internet in effect allows one to speak in more than one place at a time. Although France has the sovereign right to regulate what speech is permissible in France, this Court may not enforce a foreign order that violates the protections of the United States Constitution by chilling protected speech that occurs simultaneously within our borders”.

The decision in Yahoo! is important for another reason: the French court’s focus on Yahoo’s ability to discern where its content was received. Based on the testimony of expert witnesses, the French court concluded that Yahoo! had the technological capacity to know with 90% accuracy where it was distributing its online content. In the Third Circuit decision in COPA discussed above, we saw the court imagining the next stage of online regulation: a net that is zoned so as to permit prohibitions of content based on community norms. In effect, the French court in Yahoo! sought to actualize that vision. Whereas geographic-location technologies may not be readily available and cost-efficient at present, an increasingly important question for net regulation in the future will be the ability to control not merely types of content but the flow of information.

2.3.6 Skype Banned in Research Institutions

In September 2005 the French government banned the use of Skype at research institutes and universities in France. Skype is a popular voice-over-Internet protocol (VoIP) service that allows users on its network to speak to each other over the Internet for free. Skype can also be used to make and receive calls through standard phone lines for a fee, and to receive voicemail messages. French authorities have cited concerns over Skype’s “network security” as the main reason for the ban. Critics, however, contend that communications through Skype are sufficiently protected with the use of encryption technology. They argue that one reason for banning Skype may be the loss of revenue suffered by French competitors in the VoIP market.

2.3.7 Spam

In June 2005, the Paris commercial court in AOL and Microsoft v. K-Foot ordered a French entrepreneur to pay EUR 22,000 (USD 27,000) in damages and interest for having sent out a flood of unsolicited e-mail messages, or spam, the US online service provider AOL said. The court also said he would have to pay EUR 1,000 for any spam message sent out following the ruling, according to AOL, which lodged the complaint in conjunction with software giant Microsoft. The sender, a direct marketing specialist, was an AOL subscriber and was alleged to have created electronic addresses with Microsoft’s free e-mail service Hotmail, using a false identity.

2.3.8 Cybertrespass

According to the AFP, a 17-year-old French hacker who defaced websites in Australia, Britain, and the United States with political messages was arrested in Paris in July 2003 and ordered to stay away from the internet while on parole. The teenager, who cannot be named for legal reasons but who was known on the web under the nickname DKD, plastered home pages with messages, for example in favour of the Palestinians or against the US government, a police chief for the northern city of Lille, Eric Voulleminot, said. The hacker was arrested on June 23 at home in a western Paris suburb, where he was living with his parents while he completed his last year of high school. He was tracked down by French police specialised in computer crime who were investigating the case of a police station website that had been altered. Technical investigations and confessions from the young man have established that around 2000 websites were attacked: around 20 in France, between 20 and 30 in Britain, and the rest in Australia and the United States, including the (US) Navy site. The teenager was released on parole because his hacking didn’t have major consequences, but he has to check in regularly with police and is banned from connecting to the Internet, he said.

3. LEGISLATION APPROACH

There is no uniform law that regulates all kinds of cybercrime in France. In addition to the independent and specialized laws on IT and telecommunications, provisions that regulate cybercrimes are scattered across several pieces of legislation:

3.1 Criminal Law (Penal Code)

Category: Unauthorised Access to Automated Data Processing Systems

Article 323-1
Codification: Fraudulently accessing or remaining within all or part of an automated data processing system
Punishment: One year’s imprisonment and a fine of €15,000. Where this behaviour causes the suppression or modification of data contained in that system, or any alteration of the functioning of that system, the sentence is two years’ imprisonment and a fine of €30,000.

Article 323-2
Codification: The fraudulent introduction of data into an automated data processing system or the fraudulent suppression or modification of the data that it contains
Punishment: Three years’ imprisonment and a fine of €45,000.

Article 323-3
Codification: Use of counterfeited or altered public electronic data
Punishment: Three years’ imprisonment and a fine of €45,000.

Article 323-4
Codification: The participation in a group or conspiracy established with a view to the preparation of one or more offences set out under articles 323-1 to 323-3, and demonstrated by one or more material actions
Punishment: Punished by the penalties prescribed for the offence in preparation or the one that carries the heaviest penalty.

Article 323-7
Codification: Attempt to commit the misdemeanours referred to under articles 323-1 to 323-3
Punishment: Subject to the same penalties

Category: Violations of Personal Rights Resulting from Computer Files or Processes

Article 226-16
Codification: To carry out, or to cause to be carried out, the automated processing of data containing names without having observed, prior to the operation, the preliminary formalities laid down by law
Punishment: Three years’ imprisonment and a fine of €45,000, even where committed by negligence.

Article 226-17
Codification: To carry out, or to cause to be carried out, the automated processing of data containing names without taking all useful precautions to preserve the confidentiality of such...

