New laws passed to combat cybercrime
by Brian Kennedy
Date: December 25, 2003
Cyberspace has become recognized as a major new frontier of law enforcement, as businesses and individuals alike sustain increasingly heavy losses from "cyberburglars," unrestrained spammers, and those who take delight in unleashing computer viruses on the world. Taipei-based attorney Brian Kennedy examines recent developments in the fight against cybercrime in Taiwan.
Almost 40 percent of Taiwanese households are hooked up to the Internet. This rate is among the highest in the world, a testament to Taiwan's presence in cyberspace. Regrettably, the expansion of Internet access has been paralleled by an expansion of Internet crime. Due to the elusive nature of cybercrime, it is difficult to give solid numbers regarding its seriousness in Taiwan. Perhaps the best answer to the question "How big is the cybercrime problem in Taiwan?" is simply "big." Recognizing cyberspace as an important new frontier in law enforcement, Taiwanese authorities are taking positive action to fight cybercrime.
In attendance at a three-day seminar in November sponsored by the Ministry of Justice (MOJ) were police officials and prosecutors from all over Taiwan, gathered to share information and strategies for fighting cybercrime. The seminar--the first in an ongoing series focusing on the subject--was rated a great success by all participants.
Cybercrime is crime carried out using computers and either local-area networks, as within a single company, or wide-area networks, such as the Internet. It commonly involves such economic crimes as identity theft, credit-card fraud and bank fraud and usually requires "hacking"--unauthorized access to a computer system. Some hackers have as their goal nothing other than the creation of computer disasters by implanting computer viruses. Such infections and measures to guard against them have cost businesses and individuals billions of dollars.
Most types of cybercrime involve unauthorized access to computer systems. Countering such intrusion in Taiwan took a major step forward in June of this year with the passage of a number of amendments, and the addition of an entirely new chapter, to Taiwan's Criminal Code.
Unauthorized access frequently starts with discovery of software loopholes. Prior to June, there were also plenty of legal loopholes in the Criminal Code. The code's new Chapter 36--"Offenses Relating to the Use of Computers"--closes most of those loopholes, at least as far as the statutory framework is concerned. Its passage, the culmination of a long-term effort by the MOJ, considerably enhances the protection of computers and computer systems in Taiwan.
All agree that deterring crime is superior to waiting until the damage is done. Chapter 36 gives prosecutors and police greater latitude to take action as soon as criminals make unauthorized access into computer systems, without having to wait for them to proceed.
While it is true that certain forms of unauthorized access were criminalized in earlier laws, those laws suffered from a number of problems, including being too limited in scope. From the standpoint of law enforcement, it is better to have laws that are widely applicable rather than laws that focus on narrowly defined types of criminal behavior. This is particularly true in the realm of cybercrime, where perpetrators are constantly thinking up new stratagems to defeat security measures. Chapter 36 is designed to cover a wider range of conditions and provide the flexibility necessary to deal with future cybercrime variations.
Prosecutors' discretion In examining the articles of Chapter 36, it should be kept in mind that although the English versions appearing below are official translations, in cases of discrepancy between them and the Chinese, the latter is legally recognized as authoritative.
Before the advent of computers, cyberspace and virtual assets, criminals had to limit their crimes to physical objects, and the first step of burglars was breaking and entering into buildings. Similarly, the first step of "cyberburglars" is to break and enter into computer systems. Seeking to deter this, Article 358 states, "Unauthorized access to another's computer or related equipment by means of the use of another's confidential account number code, or by circumventing protective measures, or the act of discovering and exploiting loopholes in a computer system shall be punished by up to three years in prison, jail or fines of up to NT$100,000, or both." "Jail" refers to short-term sentences, "prison" to longer-term incarceration. The present exchange rate is about 34 new Taiwan dollars per U.S. dollar.
Article 358 does not, however, criminalize all forms of unauthorized access, but is limited to three general situations. As the official commentary to the article explains, "In foreign criminal laws, it is common to criminalize all unauthorized use of another's computer E but if this precedent is followed, it may lead to criminal sanctions for persons using another's computer without authorization even if there is no actual resulting damage. Such outcome would be viewed as excessive and is not compatible with society's general view. For this reason, the scope of this article is limited to certain specific forms of unauthorized access to computers." A critic might wonder, why limit the law in this way? Why not just make unauthorized access a crime and keep it simple? The answer lies in the fact that whereas American prosecutors have basically unlimited discretion in deciding whether or not to hand down indictments, Taiwanese prosecutors, as a rule, are obliged to indict suspects in any and all cases in which there appears to be a violation of criminal law.
The Taiwanese public knows this and expects court investigators and prosecutors to "hop to it" when complaints are filed. As a result, a lot of prosecutor man-hours are wasted on de minimus violations--known derisively among American prosecutors as "chicken feed" cases--simply because someone demanded that they do something. In view of this situation criminal statutes in Taiwan are usually narrower in scope than those in the United States, which rely on prosecutors' discretion to know when to file charges and when not to.
According to Chapter 36, it is illegal to manipulate others' computerized records without authorization. As Article 359 puts it, "Unauthorized acquisition, deletion, or alteration of the electromagnetic records of other's computer or related equipment resulting in damage to the public interest or the interest of an individual person is punishable by up to five years in prison, jail or fines of up to NT$200,000, or both." The "damage" proviso complicates this section in that prosecutors cannot make their case stick unless they can prove damage was done. As defined in Taiwan's criminal law, damage is not necessarily limited to physical or monetary damage, but can include the less tangible sense of the American tort concept of mental pain and suffering. It remains to be seen what evidence Taiwan's courts will judge to be damaging enough to merit a guilty verdict.
Judgment, penalty criteria Computer viruses and bugs are often in the news and are a constant concern to both businesses and the public. Article 360 addresses these legitimate concerns, stating, "Unauthorized use of a computer program or other electromagnetic means to interfere with another's computer or related equipment thereby resulting in losses to either the public interest or the interest of an individual person shall be punished by up to three years in prison, jail or fines of up to NT$100,000, or both." In certain instances, the maximum penalties prescribed by Articles 358, 359 and 360 may be increased. According to Article 361, "The punishments for these violations of the foregoing three articles shall be increased by half more in cases of violations carried out against computers and related equipment of a public-service organization.
In this connection, it should be noted that the Chapter 36 articles specify no minimum sentences, and that sentences for white-collar crimes are notoriously light in Taiwan. There are a number of reasons for this. First of all, the reality is that white-collar criminals anywhere in the world tend to be treated more leniently than street criminals because they look "cleaner," and because they have more in common with judges--typically having attended university, having steady jobs and living in middle-class neighborhoods.
Furthermore, judges generally have little knowledge of business realities and are not very computer savvy. Consequently, they tend to view most forms of computer crime as rather innocuous, and it is hard for prosecutors to convince them of the necessity for harsh punishment.
In the case of physical burglary, the burglar must have tools to break into a building--lock picks, "jimmies," wire cutters and the like. Cyberburglars likewise need tools. Article 362 addresses this reality, stating, "Creating computer programs specifically for the perpetration, by himself or by others, of a crime set forth in this chapter shall be punished by up to five years in prison, jail, or fines of up to NT$200,000, or both, if this act has resulted in damage to the public interest or the private interest of individuals." Prosecutions in Taiwan fall into two categories: those which require a plaintiff and those which do not. A plaintiff is someone willing to press charges and cooperate with the prosecutor's investigation. Whether prosecution of an alleged offense requires a plaintiff or not is specified in the criminal code on a crime-by-crime basis. In the case of Chapter 36, Article 363 states, "The provisions of Articles 358 to 360 shall apply only after a prosecution is instituted upon complaint." If a plaintiff is required but no one is willing to "step forward" and file charges, then the prosecutor cannot take action. This differs from cases of violation of criminal laws in the United States, where the wishes of the victim are irrelevant and suspects may be prosecuted based exclusively on the prosecutor's decision.
There is a definite logic to Article 363, however. As the official commentary points out, "If the victim has no intention to make a complaint and does not cooperate in the investigation, the investigation cannot be expected to proceed effectively. Therefore, the system of 'prosecution upon complaint' is adopted to resolve these kinds of disputes and reduce the sources of lawsuits. In addition, adopting this approach will enable the nation to concentrate its limited investigation and judicial resources on serious computer offenses." The mention of "limited resources" in the commentary serves as a reminder that although the passage of the new legislation is an important, positive step, in order for it to have much meaning, prosecutors and police must be supported with resources sufficient to enable them to fight cybercrime. As the official commentary correctly remarks, "Criminal laws are not all-powerful." Enforcement needs to be made a priority, and it is indeed being made a priority in Taiwan, much to its credit.
^macro[showdigestcomments;^uri;New laws passed to combat cybercrime]