Lector.univ.dr. Maxim DOBRINOIU
Article published in the Penal Law Review - Romania - no.3, year XV, July - September 2008
There is no news for the legal specialists that, nowadays, we confront a brand new criminal phenomenum – computer-related crime – a subject barely revealed in the IT or Law magazines.
Although coming into force of the Law 161 of 2003 (regarding the assurance of transparency in running high level public positions, public functions and business area, the prevention and sanctioning the corruption, by Title III – prevention and combatting cybercrime) meant Romania’s line up to the aquis communautaire in this respect, much of the crimes committed against computer systems or with the mean of computer systems are still hardly investigated and prosecuted mainly because of the lack of IT knowledge among the authorities and the existance of a rather ambigous legal framework, cut&paste-ed from the 2001 Council of Europe Cybercrime Convention and not entirely adapted to the local social and technological realities.
This material aims at realizing a comprehensive legal analysis of the illegal access of a computer system (within the provisions of the art. 42 of Law 161 of 2003), with regard to the access of someone else’s electronic mail (email)
For the beginning, it is worthing to be reminded the definitions of the Law 161 of 2003 in order to have a understanding of the technical premises.
Therefore, according to art. 35 , 1st alignment:
„computer system” means any device or assembly of interconected devices or that are in a operational relation, out of which one or more provide the automated data processing by means of a computer program.
„automated data processing” is the process by means of which the data in a computer system are processed by means of a computer program.
„computer program” means a set of instructions that can be performed by a computer system in order to obtain a determined result.
„computer data” are any representation of facts, information or concepts in a form that can be processed by a computer system. This category includes any computer program that can cause a computer system to perform a function.
It is also well-known that in order to protect the (use of the) computer systems, and moreover, of the computer data (stored or transmitted) different security measures are to be considerred.
The provisions of the Law 161 refers the security measures as the use of certain procedures, devices or specialized computer programs by means of which the access to a computer system is restricted or forbidden for certain categories of users.
Under the name of „illegal access to a computer system”, art 42 of Law 161 presents three legal situations, as follows:
(1st paragraph) the access without right of a computer system is a criminal offence and is punished with 3 months to 3 years imprisonment or a fine.
(2nd paragraph) where the act provided in paragraph 1 is committed with the intent of obtaining computer data, the punishment is 6 months to 5 years imprisonment.
(3rd paragraph) where the act provided in paragraphs 1 – 2 is committed by infringing the security measures, the punishment is imprisonment from 3 to 12 years.
The act incriminated by the art. 42 makes a clear distinction between the 3 stages of the access of a computer system: simple access (merely or most probable accidental), the access with the intent of obtaining data or information (more likely to be committed) and the access by infringing the security measures (which necesitates of strong IT-based knowledge and even hard to be carried out).
Although provocative, an interesting approach arrises from the expression „without right”, which provide with the sense of legitimacy when an individual uses a computer system.
As being a common feature of all the computer-related offences, the special request that the act should be committed „without right” logically reflects the possibility of a act (action) in connection to a computer system not to be always considerred as a per se criminal offence, but a legitimate and justified one (although we are not in the avoidance of criminalisation clauses).
The meaning of „without right” expression compulsory arises from the context in which it is used and request a strong analyse of the principles and interests which, eventually, could remove the guilt of the offender.
According to art. 35, 2nd paragraph, a person is acting without right if:
is not authorised, in terms of a law or a contract;
exceeds the limits of authorisation;
has no permission from the qualified person to grant it, according to the law, to use, administer or control a computer system or to carry aut scientific research in a computer system.
In what regards the act itself, the forms and methods of access will be detailed hereinafter.
The ACCESS, with the meaning from the law, refers to the „entrance” in the whole or just a part of a computer system. The communication method - remote, including the satellite facilities or not, or direct – does not affect the analysis.
In its simpliest form, the access of a computer system relies on a interaction with the targeted machine, through the equipments or certain components of the system (power source, On/Off Switch, keyboard, mouse, joystick and so).
Manoeuvring such devices mean electric requests to the processor, which will run applications and data on behalf of the intruder.
Within the conditions of the article 42 and taking into account the above explanations, becomes obvious that no illegal access of a computer system will be considerred if the interaction with the PC was somehow authorised by the legal user (or by the owner or legal detainer). Moreover, accessing a system which is a good belonging to a married couple by one of the spouse cannot be referred to as a crime as long as the system is used normally by both of them (and irrespective to the time allocated by each other), and the computer data generated or stored in the system are not personalised or flaged as personal by means of cryptgraphic measures or protected by passwords against opening, modifying, deletion or alteration in any kind.
In similar conditions, one cannot consider as being a crime the interaction with a open computer system, which freely and costless allows the access to its resources.
Using certain software applications could be compliant with the provisions of art. 42 (if we take into consideration a direct, link-through or cooky-based access to a website), and therefore the access could be referred to as being a legitimate (authorised) one, by the means of accepting Browser interrogations or clicking the optional box „accept cookies?”.
Much of the investigators neglect the definitions provided by Law 161/2003 and therefore mix up the notion of „computer system” with the one of „computer program” or „application”, leading to misinterpretation of the Law and possible wrong indictments.
With other words, if we are in the case of computer system which is regularly accessed by two or more people, it is admitted that those persons legally access that system, being granted with the proper authorisation or deal. In these conditions, accessing one individual’s personal data stored or transmitted within that system by any of the other authorised persons cannot be further regarded as a crime (in the provisions of article 42), but an infringement in the privacy (private life) of the first or a breach in the protection of classified information (if the case).
We still could consider a simple form of illegal access of a computer system (art. 42) if the perpetrator, manoeuvring his own computer system (or a legally accessed system) finds and uses an external way of entering another remote computer system, for which he does not have the permision to access.
In this point our legal analyse requires some considerations on certain legal practice issues regarding the access of someone else’s electronic mail.
Generally speaking, electronic mail (email) is now the easiest way people can communicate or stay in touch, based on computer systems’s interconnections and developped protocols for electronic message exchange.
From a technical perspective, a certain user of a computer system could use a friendly interface (program), easy to handle, called EMAIL CLIENT, or to directly access the mail server through the WEBMAIL application. Basically, both forms allow the user to access the same (electronic) services, the differences being, for example: the compulsory authentication - Webmail case, or the direct on HDD storage of received emails – Email Client case.
These methods have advantages as well as a series of disadvantages which can lead to confusion and possible incorrect indictments. As regards to the Webmail service provided by the Yahoo, there is the possibility of connecting to the mail server not only through authentication to http://mail.yahoo.com URL page but also through the Yahoo Messenger iRC application. This amusing program has the option of automate authentication to the system at every starting of (the operating system of) the PC and offers the user (legal or unlawful) the possibility of accessing as well the electronic messages server (email).
As for the access to the electronic mail, there are as many options (situations) as alternatives of correct juridical framing:
1.the electronic mail is accessed from the computing system owned by the harmed side irrespective of the title or legally used based on an agreement, on the job attributions or on legal provisions. Under these circumstances, any accessing of the system by another person who doesn’t own the same rights will be considered illegal and one can invoke art.42, para.1.
1.1the usual access to the electronic mail is done through the specialized interface named Email Client. This program facilitates the messages sending, receiving and/or storing (as computer data) by the owner of the electronic mail account. Usually, after the data exchange with the mail servers, both the received and the sent messages by using this program remain stored on the computer’s Hard Disk (in the memory area allocated to the electronic mail applications).
1.1.1the electronic mail application (the email client) is not protected against the unauthorized access through security measures. If a person enters this application, we don’t deal anymore with an illegal access to a computer system, as, according to the definitions given by art.35, the computer system is a device or a device assembly and not a computer program or an application. Accessing the electronic mail program cannot be legally indicted by simply using the legal provisions in force.
If the offender accesses the electronic mail application with the purpose of obtaining the already/previously received, transmitted or stocked messages by the harmed side then the correct framing is illegal access to a computer system with the purpose of obtaining computer data (art.42, para.2) – this related only to the system illegal access stipulated at para.1 and violating the correspondence confidence (art.195, para.1, Penal code) in ideal concurrence.
The opinion according to which the electronic messages server is illegally accessed due to the use of an email client is wrong because at its opening the application communicates automatically and independently of the user with the messages server and stocks locally the new information in order to be read. To put it differently, there is no prerequisite charge absolutely necessary to prove the existence of any offence.
1.1.2 The electronic mail application is secured through security measures and the offender takes action in order to eliminate them. In this situation, will keep in mind only the illegal access to an IT system, possibly with a view to obtaining IT data (art. 42, paragraph 2) and violating secrecy of correspondence (art. 192, paragraph 1C.Pen) in real concurrence, any other statement regarding art. 42, paragraph 3 of Law 161/2003 (illegal access to an IT system through security measures’ breach) being wrong.
1.2. The electronic mail is directely accessed from the mail server of services’ provider (provider, ISP) through WEBMAIL facility (remote access of mail account), possible directly by the mean of a Operationg System Utility Tool (called Browser).
Dealing with an external resource and taking into account the fact that the server is an electronic device (interconnected with other electronic devices) it is clear/obvious that we find ourselves in the situation of an IT system’s accessing.
The user’s authentication within the system by the account’s name and the related password is compulsory.
1.2.1 Accessing the mail account through the Webmail facility is done by the offender following the correct authentication in the system by using the account’s name and the right password.
At this point, the correct classification is: an offence of illegal access to an computer system in simple version (art. 42, paragraph 1) – related to accessing without being entitled the owned computer system or lawfully used by the injured party, an offence of illegal access to a computer system for the purpose of obtaining computer data (art.42, paragraph 2) – in connection with remotely accessing the Mail Server, and and violating secrecy of correspondence (art. 195, paragraph 1C.pen), the latter being in ideal concurrence, since the offender was not entitled to access the electronic mail account created and used by the injured party.
Following the provisions of the art.42, paragraph 3 (illegal access to a computer system by breaching the security measures) would be misleading, since technically speaking, the authentication (even fraudulent) has been properly done, being introduced the recognized data.
By accepting only these two elements of safety (account name and password), the system doesn’t have other opportunities to verify the identity of the entitled user, nor it considers the security measures to have been breached.
1.2.2 Accessing the electronic mail account through Webmail facility is done by the offender by forcing the security measures. To obtain access, the offender will try a variety of techniques, such as: password attack, free access attack, the attack exploiting the technical weaknesses or the shared libraries, IP attack, or the attack by the diversion of TCP session etc.
In this case, the correct classification is: an offence of illegal access to a computer system in simple version (art.42, paragraph 1) – related to accessing without being entitled the IT system owned or lawfully used by the injured party, an offence of illegal access to a computer system for the purpose of obtaining computer data by breaching the security measures (art. 42, paragraph 3) – in connection with remote forced access to the Mail Server and violating secrecy of correspondence (art. 195, paragraph 1 C.pen), these two being in ideal concurrence.
2.Electronic mail is consulted on a free access computer (or a public unrestricted access computer).
2.1 Access to e-mail is done via email client.
2.1.1 The access to the electronic mail is done through an email client unprotected by security measures. Therefore, the penalty shall be violating the correspondence confidence (in accordance with art.195, para.1, Penal Code).
2.1.2 The access to the electronic mail is done through a protected email client and the offender operates so as to breach the security measures. The only possible penalty shall be again violating the correspondence confidence (in accordance with art.195, para.1, Penal Code).
2.2 The access to the electronic mail is done by means of WEBMAIL facility, by distantly accessing the Mail Server, which is an informatics system as established by Law 161/2003.
2.2.1The offender succeeds in being authenticated in the Mail Server by correctly introducing (the identifier’s) account name and password. Thus, the correct indictment is illegal access to a computer system with the aim of obtaining computer data (art.42, para.2) and violating the correspondence confidence (art.195, para.1, Penal Code), both in ideal concurrence.
2.2.2 The offender succeeds in being authenticated in the Mail Server by removing or forcing the security measures. Therefore, the correct penalty is illegal access to a computer system with the aim of obtaining computer data by breaching the security measures (art.42, para.3) and violating the correspondence confidence (art.195, para.1, Penal Code), both in ideal concurrence.
We have brought for discussion in all these cases the offence of violating the correspondence confidence, stipulated and punished by art.195 of the Penal Code. Although, at a first analysis, the indictments of the actions seems appropriate when using the legal instruments offered by art.42, para.1-3 of Law 161/2003, one must notice that the offender’s attention is turned to a special informatics data category, i.e. those which represent electronic mail messages.
Given these circumstances of the nature of the informatics data, we believe it is important to consider as well the offender’s offence of violating the correspondence confidence, in ideal (or real) concurrence with the rest of the actions of penal nature related to the informatics system.
The practice has proved that, for the greatest part of the cases of illegal access to the computer systems, the offender operates so as to get hold of computer data, which could mean:
taking possession of an alphanumerical printer;
running some programs or applications which handle computer data (e.g. programs of administrating the databases of an institution, electronic mail programs etc.).
By getting hold of computer data one can very logically understand (from technical point of view) copying them on external stocking sources/supports (Floppy Disk, CD, Memory Stick, Flash Memory, Hard Drive etc.).
This is another vulnerable point which can favour an erroneous juridical framing.
In general, in drafting Title III of Law 161/2003, the Romanian legislator confined to translating and assimilating the provisions of the Convention of the European Council on Cybercrime, document signed by several European states in Budapest, 2001.
Out of the wish of incriminating at all costs one’s action of taking electronic data out of an informatics system or of stocking data on an external support (portable), the Romanian legislator inexplicably chose to make references on the matter in an article bearing a title with no semantic or technical connection with the declared purpose, i.e. art.44, altering the integrity of the informatics data.
In the same time, the use of certain terms has been as incorrectly chosen as it might lead to erroneous juridical framing which could be subsequently speculated by the respondents’ lawyers.
Thus, too often does one make confusion between copying the informatics data and transferring the same data. To put it otherwise, when the offender operates to copy the informatics data (as a natural result of finding and obtaining them), their binary representation (0 and 1 bits from logical level with their electronic correspondent) is replicated also on another stocking support (whether fix or portable) without the original data being modified or losing their initial location.
When referring to a transfer, either of some computer data, the term shows a relocation of an element (money, objects, data, etc.) from an initial position (location) to another. As regards to the computer data, for instance, in a computer system which operates under Windows, the sequence of commands Control-X Control-V will ensure the moving of a file from Hard Disk to Flash Memory or CD.
Therefore, assuming that there is only one copying of the searched computer data, the action will be punished in accordance with art.42, para.2 (illegal access to a computer system with the purpose of obtaining computer data.
However, if the offender transfers the data to an external support (with the sense of moving or migrating the data on the respective storage media), the dispositions of art.42, para.3 and 3 of Law 161/2003 shall be applied under the entitling, though incorrect, of “altering the integrity of the computer data”.
In general, the right owners or users choose to protect their computer systems through standard security measures.
The protection can be physical (isolating the computing technique in a security area, insurance with keyed or metal ciphered mechanical devices, manual control of the power supply, etc.), logical (through passwords, access encryption codes) or procedural (establishing some access rules, methods of authentication and control of the access – Smart Card, digital impression, hand geometry, voice print, retina, iris, signature dynamics, etc.).
According to art.3, the offender will operate on the computer system by forcing (infringing) these protections.
At physical level, “forcing” or “infringing” involves closing down the security mechanical devices through various mechanical-chemical-electric means. At logical level, we have attacks against passwords.
At procedural level, those concerned (the perpetrators) will exploit the weaknesses of the security programs or of applying different specific measures. The widest spread attack at procedural level aimed at obtaining the access to an informatics system is the social engineering – tantamount to an interview carefully oriented through which one attempts to obtain confidential data or passwords from a legal user of the targeted system. Forcing the protection at logical level has been detailed at 1.2.2.
One thing is to remember again, i.e. once the data needed for authentication are obtained, their use and implicitly the impersonating of the legal user cannot be considered as a forcing, removal, etc. of the security measures, because, as we previously showed, in the absence of other verifying methods (e.g. through biometry) the computer system will return the truth value to the authentication procedure and will allow the normal access to its resources.