Natalia Akhtyrskaja , Ph.D.
Improvement of Ukrainian Criminal Law in Fighting Cybercrime
The damage inflicted by computer crimes in Ukraine makes now dozen million Ukrainian Hrivnas. Computer crimes repeatedly created different prerequisites for causing emergencies in Ukraine including on objects of life support. Verhovna Rada discusses the bill “Changes in Ukraine’s Criminal Code and Code of Criminal Procedure”, in accordance with which Security Service’s possibilities in cybercrimes investigation will be widened. It is an actual, well-timed legal step, which raises some questions requiring detailed consideration at the same time.
Thus, Ukraine’s current Criminal Code contains three articles providing for criminal liability for computer crimes: “Illegal interference with the work of electronic computers, systems and computer networks” (361)^; “Theft, misappropriation and extortion of computer information or its possession by means of fraud or official position abuse” (362)^; “Infringement of operating rules of automated electronic computer systems” (363). According to experts, these articles have not been widely used in Ukraine yet and Ukraine practically has no precedents of court’s accusatory sentences on penalty for described crimes except for some quite unsuccessful attempts. Nevertheless, Security Service representatives note that computer crimes have livened up recently in Ukraine.
Part 1, Article 361, Criminal Code of Ukraine, provides for criminal liability for intrusion and spread of computer virus. However, according to juridical practice, these crimes do not cover the whole complex of possible interference with the work of information system. Thus, Russian law enforcement agencies managed to capture electronic breakers copying virtual information to use further in a criminal way. It is expensive to watch, for example, Chicago Stock Exchange bids from Moscow. When watching changes of exchange quotations on several international Stock Exchanges at the same time, information becomes more expensive and valuable. The criminals hunt for this information. Having obtained an unauthorized access to data traffic of Transnational Stock-exchange Company, they made on-line copies of all changes taking place during bids at the largest world Stock Exchanges. There are large companies of world scale for which this information is very important in the on-line mode. That is information on transactions at the Stock Exchange all over the world, changes of quotation rate, as well as currency coefficient that influences a cornering of definite shares and changing of economic policy of large world companies. Department “K” at Russia’s Ministry of Internal Affairs brought itself to carry out an experiment in order to prove that the company information traffic is copied. Militia gave way to civil experts in stock-exchange bids. These civil experts had to fix the fact that changes in the legal traffic of quotation data were copied by electronic breakers. To make it evident two computers were used: one displayed information traffic of Stock-Exchange Company and the other – quotation data, which were transmitted by criminals through their Internet site. During the experiment, civil experts changed at their own discretion some quotations in the legal data traffic and it was obvious that criminals immediately copied introduced changes.
Illegal interference with the work of automated systems is a crime with material corpus delicti because its objective side is also an intercepting, copying or destroying of computer information, i.e. disintegration, modification and falsification. The generalization of juridical practice in revealing the objective side of a crime allows the lawmaker to introduce articles on interception and copying. In our opinion, such wording is more complete.
The spread of computer virus by using software and hardware designed for illegal penetration into automated systems is a crime with formal corpus delicti because the objective side of a crime is expressed in actions themselves independently of that whether they resulted in falsifying or destroying information.
One of the qualificatory characteristics of Part 2, CC Article 361, is an essential damage. According to the current legislation, the acknowledgement of inflicted loss depends on many circumstances: value of computer information or its carriers destroyed or falsified^; damage caused by impossibility of using destroyed or falsified computer information or its carrier^; costs on regenerating destroyed or falsified information^; losses inflicted by using illegally obtained computer information. The draft provides for accurately establishing essential damage and acknowledges material losses, which exceed people’s free of tax minimum incomes by one hundred times or more – 17 UAH x 100 = 1700 UAH and more (approximately $300).
The responsibility for these crimes provides for a pecuniary penalty from 100-200 people’s free of tax minimum revenues (that practically is equal to the caused damage) or freedom limitation until three years or imprisonment for the same term. This article sanction reveals an offensive character of the lawmaker because here reformatory works are substituted for punishment that is more drastic - freedom limitation when a person is kept in the public criminal and executive institutions non-isolated from society but under surveillance and enlisted the services without fail. This lawmaker’s decision is considered sound for some reasons: reformatory works should not be set to non-workers because crimes in the sphere of information technologies are often committed by persons having no permanent official job. Therefore, it was impossible to institute criminal proceedings against them with settling this punishment: freedom limitation entitles the corresponding bodies to put a criminal under supervision thereby acting as private prevention.
When conducting a search of persons suspected in committing those crimes, the equipment, which helped copying, intercepting, falsifying information, is withdrawn. As a rule, it is a unique hardware specially designed for obtaining unauthorized access to information (e.x. stock-exchange one) through the channels of satellite communication links. Taking it into account this circumstance can be viewed as a way of preparing the crime commitment. Using the analogy of criminal liability for manufacturing, storing and selling guns, the lawmaker suggests to introduce criminal liability for manufacturing (with the marketing purpose), selling software and hardware designed to illegally penetrate into electronic computers, their systems and computer lines. To our mind, this article is logically necessary but it requires to be adjusted with current CC Article 359, which provides for the criminal liability for illegal use of special hardware to privately obtain information. The difference only consists in the sphere of application. This ambiguous interpretation of hardware application can make problems when qualifying actions of suspected persons. Moreover, the non-adequacy of sanctions favors it: the legislation provides for a fine from 100-200 people’s free of tax minimum incomes, freedom limitation until four years or the same term imprisonment for illegal use of special hardware to privately obtain information. However, the pecuniary penalty from 500 to 1000 people’s free of tax minimum revenues^; reformatory works until two years or the same term imprisonment are provided for obtaining information in the computer systems. It is difficult to understand the position of lawmakers establishing the criminal liability for actions provided by Ukraine’s CC Article 359 without confiscation whereas for crimes in the sphere of information systems Part 1 and 2, Ukraine’s CC Article 3611 provides for confiscation of software and hardware designed to illegally penetrate into electronic computers.
After signing Convention and considering Ukraine’s Law “Protection of personal data” (prepared by O.Baranov, V.Brizhko, and Y.Bazanov), the proposal of criminalizing illegal copying and selling of electronic databases with personal information was put forward. Personal data is individual or total information on a physical person, which can allow establishing his identity. The owner of personal data is a physical person having a sole property right to personal information on him. The possessor of personal data is a subject of relations connected with personal data who has a full or partial right to using information on an owner of personal data. The manager of automated system is a physical or juridical person who has a right to managing the automated system in consent with its owner or on his behalf. The subjects of relations connected with personal data are physical or juridical persons, State run public authorities and local autonomous bodies, organizations, enterprises and institutions of all property forms. However, Ukraine’s CC Article 3612 provides for the criminal liability for illegal copying (with the purpose of marketing) or selling of electronic databases created by only organs of government in the law established order and containing personal data. It appears that such wording is imperfect because it does not protect rights of non-governmental subjects of relations. In our opinion, it should be pointed in the article comments that the disclosure of personal information can cause essential damage (material, moral one).
Modern practice in revealing and investigating crimes is characterized by the increase of delinquent actions in the sphere of computer information including offences committed and concealed by using electronic computers or their network. The important aspect of investigating those crimes lies in that the process of collecting and examining evidences cannot be realized without using special knowledge in the field of up-to-date information technologies.
Peculiarities of revealing and researching criminalistically important computer information are connected with that this field consists of some quite heterogeneous scientific directions: electro-technique, information systems and processors, radio-technique and linkage, electronic technique (within the framework of programming) and automation. Such crimes are of a latent character because they do not leave visible evidences and are difficult to reveal and collect evidentiary information because of the wide use of remote access means. If the inspector possesses special knowledge and corresponding scientific-technical means, in principle he can successfully investigate but cannot do without expert’s help because even the least unqualified actions with computer system often result in the irretrievable loss of valuable search and evidentiary information and those consequences can threaten the state national security.
On February 6, 2003, Ukraine’s President L.Kuchma signed Decree “Urgent additional measures on intensifying fight against organized crimes and corruption”. This step aims at considerably strengthening struggle against organized delinquency and corruption, which continue inflicting significant damage to the protection of persons’ rights and freedoms, impede the development of economy and establishment of market relationships, undermine Ukraine’s international authority, and eliminating defects in the law enforcement body activity. This normative act points that in March 2003 Ukraine’s Ministry of Internal Affairs and Security Service need to introduce a motion concerning the improvement of establishment-organizational structure, forms and methods of professional activity of special subdivisions fighting against organized crimes and corruption, as well as the differentiation of their functions and competences (Item 6). One of the tasks of Ukraine’s Ministry of Internal Affairs is to perfect the interaction between law enforcement agencies and International criminal police organization (Interpol) in their fight against organized offences, intensify the role and responsibility of Interpol national bureau’s officers for discharging their obligations (Item 9).
During the process of revealing and investigating crimes in the field of high technologies law enforcement bodies send through Interpol channels requests on the following delinquent actions of an international character:
- unauthorized access or connection with electronic computers, their system or network^;
- violation of computer and telecommunication system operation rules in order to avoid paying obtained services^;
- introduction of changes into computer software and hardware that result in destroying, blocking or modifying information (computer “bombs” and viruses)^;
- computer frauds and falsifications with cash dispenser, payment means and playing machines^;
- computer swindle databases, computers and telecommunication systems^;
- unauthorized reproduction of computing technique elements, software and computer games^;
- official’s conscious non-execution of his obligations, rules of computer system software and hardware operation^;
- illegal use of electronic computers, their systems and networks (including Internet) to place or exchange unlicensed software, hacking information and child’s pornography^;
- theft of professional and industrial secrets (industrial espionage)^;
Following information can be received on:
- site addresses, names of organization or user servers and domains^;
- contents of records, tracings and logical files^;
- electronic information blocked in the order of operative interaction of law enforcement bodies when suppressing trans-boundary offences^;
- providers and distributors of network and telecommunication services^;
- physical and juridical persons concerning crimes in the sphere of high technologies^;
- software, procedures and tactics of struggling against computer and telecommunication crimes, special periodicals, statistic reviews, materials on multinational special service activities in this field.
Following information can be indicated in those requests:
- reasons of inspection^;
- sort of crime, place and time of its commitment (if known)^;
- physical and juridical persons concerning a crime^;
- victim (physical or juridical person), character and size of inflicted loss^;
- way of committing a crime^;
- special information of a technical character on a way of committing a crime (technical means, software, time and duration of unauthorized access)^;
-any other information that can facilitate the fulfillment of requests (1).
The problem of information security has been recently researched in details by corresponding institutions and organizations from many countries in the world. Ukraine is engaged in solving this problem as well. In particular, “Conception of Ukraine’s national security” defines information security as one of the state national security integral parts. To protect state interests in the information sphere protecting system was created, functions and is constantly improved with regard for the emergence of new threats. According to the President Decree ¹1120 from October 6, 2000, Ukraine’s Security Service Special Telecommunication System and Information Protecting Department realizes state policy in the field of protecting information resources in the data network, crypto-graphical and technical protection.
The protection of information resources including those with access through Internet should be viewed as one of the main tasks of all participants in information exchange. The compulsory condition for assuring security of the mentioned resources is to obtain an objective appraisal of information security level in the data networks, i.e. formally demonstrative guarantees of definitely probable reliability of network protection. This assessment can be gained by conducting corresponding expertise. Only at the availability of positive results, information-telecommunication systems should be put into operation and data belonging to the State should be processed in them. Many countries use this approach, for example, the USA created Computer Security Center that works on examining and certifying produced information systems to determine and reach the required security level. The work starts with analyzing the project. Further, the analysis has been conducting for the whole life cycle of system with regard for its modernization and change of functioning conditions.
Safe use of state information resources requires developing and introducing the order of their protection into information-telecommunication systems and controlling the maintenance of this order. According to Ukraine’s President Decree ¹891 from September 24, 2001, its development is committed to Ukraine’s Security Service.
Computer crimes go beyond national borders. Under conditions of computer offence extension there appeared a need in legislatively determining these crimes, developing mechanisms of fight against them and establishing the responsibility for their commitment on the territory of any state. Thus, in Singapore local police arrested five our compatriots who were charged with using forged credit cards to pay for goods and services. Acting from abroad, they committed several unauthorized payments through CB “Finances and credit” by using Ukrainian credit cards. The interaction between officers from Ukrainian and Singaporean law enforcement bodies allowed arresting these swindlers. The facts show that there are some organized hacking groups in Ukraine. According to US FBI, Ukraine has several organized hacking groups, which penetrated through Internet into computer systems of some American companies. Computer terrorism has been criminalized in the USA and Great Britain.
State Security Service is a law enforcement agency of special purpose that assures Ukraine’s State security. Taking into account this definition it can be logically supposed that Ukraine’s Security Service is to investigate crimes committed in the sphere of information technologies. Within the framework of law established competence Security Service is entrusted with protecting state sovereignty, constitutional system, territorial integrity, Ukraine’s economic, scientific-technical and defensive potential, state lawful interests and persons’ rights from intelligence-undermining activity of foreign special services and encroachments on the part of individual organizations, groups or persons. Ukraine’s Security Service also deals with preventing, revealing, suppressing, disclosing crimes against peace and security of humankind, as well as terrorism, corruption and organized crimes (2).
According to the draft on changes in the legislation of criminal procedure, Ukraine’s Security Service inspectors should conduct primary inquests (Part 3, Ukraine’s CPC Article 112). They cover crimes provided by Ukraine’s CC Article 3611 “Manufacture (with the purpose of marketing) or selling of software and hardware designed to illegally penetrate into electronic computes, their systems, computer lines or blocking of their work”, as well as UCC Article 3612 “Illegal copying or selling of electronic databases with personal information”. When under age persons commit these crimes, MIA inspectors will conduct primary inquests (Part 2, UCPC Article 112). Other countries have successfully and validly approved such a change in the order of holding inquests. The international experience proves the necessity of special service’s participation in counteracting computer crimes. For example, in the USA except FBI these problems are also resolved by National Security Agency and its Compute Security Center. In France in addition to Single Police Brigade, these crimes are investigated also by counterespionage. Officers from Ukraine’s Special Services note that the acceptance of this amendment will allow coordinating and consolidating the activity of law enforcement bodies in fighting against computer crimes.
Some CIS countries have solved the problem of primary investigation in such a way. Thus, in Kirgizstan the criminal liability is provided for unauthorized access to computer information (KCC Article 289), manufacture, use and distribution of detrimental programs for electronic computers (KCC Article 290), violation of electronic computer, computer system or their network operation rules (KCC Article 291). According to Part 7, KCC Article 163, inspectors of National security bodies hold inquests on these criminal cases and those concerning thefts at the especially large rates, offences in the sphere of economic activity or against social security.
The presented draft will allow Ukraine’s Security Service to accomplish more effectively their tasks provided by Article 24 “Ukraine’s Security Service”.
1. V. Ovchinsky Interpol: questions and responses. M., INFRA-M, 2001. P.135-136.
2. Law of Ukraine “Security Service of Ukraine”^; March 25, 1992
^macro[showdigestcomments;^uri;Improvement of Ukrainian Criminal Law in Fighting Cybercrimes]