Improvement of Ukrainian Criminal Law in Fighting Cybercrime
Date: October 15, 2003Source: Computer Crime Research Center
By:
The damage inflicted by computer crimes in Ukraine makes now dozen million Ukrainian Hrivnas. Computer crimes repeatedly created different prerequisites for causing emergencies in Ukraine including on objects of life support. Verhovna Rada discusses the bill “Changes in Ukraine’s Criminal Code and Code of Criminal Procedure”, in accordance with which Security Service’s possibilities in cybercrimes investigation will be widened. It is an actual, well-timed legal step, which raises some questions requiring detailed consideration at the same time.
Thus, Ukraine’s current Criminal Code contains three articles providing for criminal liability for computer crimes: “Illegal interference with the work of electronic computers, systems and computer networks” (361); “Theft, misappropriation and extortion of computer information or its possession by means of fraud or official position abuse” (362); “Infringement of operating rules of automated electronic computer systems” (363). According to experts, these articles have not been widely used in Ukraine yet and Ukraine practically has no precedents of court’s accusatory sentences on penalty for described crimes except for some quite unsuccessful attempts. Nevertheless, Security Service representatives note that computer crimes have livened up recently in Ukraine.
Part 1, Article 361, Criminal Code of Ukraine, provides for criminal liability for intrusion and spread of computer virus. However, according to juridical practice, these crimes do not cover the whole complex of possible interference with the work of information system. Thus, Russian law enforcement agencies managed to capture electronic breakers copying virtual information to use further in a criminal way. It is expensive to watch, for example, Chicago Stock Exchange bids from Moscow. When watching changes of exchange quotations on several international Stock Exchanges at the same time, information becomes more expensive and valuable. The criminals hunt for this information. Having obtained an unauthorized access to data traffic of Transnational Stock-exchange Company, they made on-line copies of all changes taking place during bids at the largest world Stock Exchanges. There are large companies of world scale for which this information is very important in the on-line mode. That is information on transactions at the Stock Exchange all over the world, changes of quotation rate, as well as currency coefficient that influences a cornering of definite shares and changing of economic policy of large world companies. Department “K” at Russia’s Ministry of Internal Affairs brought itself to carry out an experiment in order to prove that the company information traffic is copied. Militia gave way to civil experts in stock-exchange bids. These civil experts had to fix the fact that changes in the legal traffic of quotation data were copied by electronic breakers. To make it evident two computers were used: one displayed information traffic of Stock-Exchange Company and the other – quotation data, which were transmitted by criminals through their Internet site. During the experiment, civil experts changed at their own discretion some quotations in the legal data traffic and it was obvious that criminals immediately copied introduced changes.
Illegal interference with the work of automated systems is a crime with material corpus delicti because its objective side is also an intercepting, copying or destroying of computer information, i.e. disintegration, modification and falsification. The generalization of juridical practice in revealing the objective side of a crime allows the lawmaker to introduce articles on interception and copying. In our opinion, such wording is more complete.
The spread of computer virus by using software and hardware designed for illegal penetration into automated systems is a crime with formal corpus delicti because the objective side of a crime is expressed in actions themselves independently of that whether they resulted in falsifying or destroying information.
One of the qualificatory characteristics of Part 2, CC Article 361, is an essential damage. According to the current legislation, the acknowledgement of inflicted loss depends on many circumstances: value of computer information or its carriers destroyed or falsified; damage caused by impossibility of using destroyed or falsified computer information or its carrier; costs on regenerating destroyed or falsified information; losses inflicted by using illegally obtained computer information. The draft provides for accurately establishing essential damage and acknowledges material losses, which exceed people’s free of tax minimum incomes by one hundred times or more – 17 UAH x 100 = 1700 UAH and more (approximately $300).
The responsibility for these crimes provides for a pecuniary penalty from 100-200 people’s free of tax minimum revenues (that practically is equal to the caused damage) or freedom limitation until three years or imprisonment for the same term. This article sanction reveals an offensive character of the lawmaker because here reformatory works are substituted for punishment that is more drastic - freedom limitation when a person is kept in the public criminal and executive institutions non-isolated from society but under surveillance and enlisted the services without fail. This lawmaker’s decision is considered sound for some reasons: reformatory works should not be set to non-workers because crimes in the sphere of information technologies are often committed by persons having no permanent official job. Therefore, it was impossible to institute criminal proceedings against them with settling this punishment: freedom limitation entitles the corresponding bodies to put a criminal under supervision thereby acting as private prevention.
When conducting a search of persons suspected in committing those crimes, the equipment, which helped copying, intercepting, falsifying information, is withdrawn. As a rule, it is a unique hardware specially designed for obtaining unauthorized access to information (e.x. stock-exchange one) through the channels of satellite communication links. Taking it into account this circumstance can be viewed as a way of preparing the crime commitment. Using the analogy of criminal liability for manufacturing, storing and selling guns, the lawmaker suggests to introduce criminal liability for manufacturing (with the marketing purpose), selling software and hardware designed to illegally penetrate into electronic computers, their systems and computer lines. To our mind, this article is logically necessary but it requires to be adjusted with current CC Article 359, which provides for the criminal liability for illegal use of special hardware to privately obtain information. The difference only consists in the sphere of application. This ambiguous interpretation of hardware application can make problems when qualifying actions of suspected persons. Moreover, the non-adequacy of sanctions favors it: the legislation provides for a fine from 100-200 people’s free of tax minimum incomes, freedom limitation until four years or the same term imprisonment for illegal use of special hardware to privately obtain information. However, the pecuniary penalty from 500 to 1000 people’s free of tax minimum revenues; reformatory works until two years or the same term imprisonment are provided for obtaining information in the computer systems. It is difficult to understand the position of lawmakers establishing the criminal liability for actions provided by Ukraine’s CC Article 359 without confiscation whereas for crimes in the sphere of information systems Part 1 and 2, Ukraine’s CC Article 3611 provides for confiscation of software and hardware designed to illegally penetrate into electronic computers.
After signing Convention and considering Ukraine’s Law “Protection of personal data” (prepared by O.Baranov, V.Brizhko, and Y.Bazanov), the proposal of criminalizing illegal copying and selling of electronic databases with personal information was put forward. Personal data is individual or total information on a physical person, which can allow establishing his identity. The owner of personal data is a physical person having a sole property right to personal information on him. The possessor of personal data is a subject of relations connected with personal data who has a full or partial right to using information on an owner of personal data. The manager of automated system is a physical or juridical person who has a right to managing the automated system in consent with its owner or on his behalf. The subjects of relations connected with personal data are physical or juridical persons, State run public authorities and local autonomous bodies, organizations, enterprises and institutions of all property forms. However, Ukraine’s CC Article 3612 provides for the criminal liability for illegal copying (with the purpose of marketing) or selling of electronic databases created by only organs of government in the law established order and containing personal data. It appears that such wording is imperfect because it does not protect rights of non-governmental subjects of relations. In our opinion, it should be pointed in the article comments that the disclosure of personal information can cause essential damage (material, moral one).
Modern practice in revealing and investigating crimes is characterized by the increase of delinquent actions in the sphere of computer information including offences committed and concealed by using electronic computers or their network. The important aspect of investigating those crimes lies in that...
Next
Add comment
Email to a Friend
