Regulating cybercrime
Week 1B – substantive law on cybercrime
Illegal access
Dutch legislator criminalizes the same as when you enter a home
(domestic). Trespassing in a home is criminalized. Computer is seen like a
home, where you have your (digital) valuables.
ECLI:NL:RBMNE:2021:1330
Prosecuted for hacking. In which he procured a way to enter the system of
another person. When he was prosecuted, he said he didn’t use it with
intent, he didn’t want to victimize that person but wanted to make him
aware of weaknesses. According to the court that wasn’t why he did it.
Illegal interception
Intent is very important here.
“The interception without right, made by technical means, of non-
public transmissions of computer data to, from or within a computer
system”
Non-public transmissions
The term non-public qualifies the nature of the transmission
(communication) process and not the nature of the data transmitted. If
you have public data (data that you can gain anywhere) but you want to
send this to a non-public channel, that is what we’re talking about. It can
be a closed off section of a Facebook page. It is not meant for the general
public. Art. 3 CoC refers to the confidentiality of the transmission process.
Technical means
Listening to, monitoring or surveillance of the content of communications,
to the procuring of the content of data either directly, through access and
use of the computer system, or indirectly, through the use of electronic
eavesdropping or tapping devices. (See cons. 53 of explanatory report).
Examples of communication. In the form of how transmission of
computer data can take place:
o Inside a single computer system (from CPU to printer)
o Between two computers communicating with one another
o Computer and a person (e.g. through the keyboard)
But: reservations possible!
, Intentionally and without right
o See cons. 58 of explanatory report
Reservations art. 3 CoC
Reservations limit the scope of what should be criminalized. A Party may
require that the offence be committed with dishonest intent, or in
relation to a computer system that is connected to another computer
system.
Illegal interception – CoC/EU
Next to art. 3 we also have art. 6 of the Directive. Member States shall
take the necessary measures to ensure that intercepting, by technical
means, non-public transmissions of computer data to, from or within an
information system, including electromagnetic emissions from an
information system carrying such computer data, intentionally and without
right, is punishable as a criminal offence, at least for cases which are not
minor.
Illegal interception – Dutch Penal Code (CDP)
There where the intention is non-public. A person could have a long-
distance microphone and listening in. And they could be able to record. It
does require a technical device.
Art. 139a/139b DPC
Secretly eavesdropping or recording, by a technical device, of oral
conversation.
Art. 139c DPC
1. A person who intentionally and without right intercepts or records with
the help of a technical device data not intended for himself, which are
processed
or transferred by telecommunications or a computer, is liable by a term of
imprisonment of not more than two years or a fine of the fourth category
…
2. This provision does not apply to intercepting or recording
(1) data received by a radio receiver, unless a special effort was
made or a prohibited receiver was used to make such reception
possible;
, (2) by a person entitled to the connection used for
telecommunication, except in cases of clear abuse;
(3) for the purpose of ensuring that the telecommunications
infrastructure used to service the general public is working properly,
for the purpose of criminal investigation, or to implement the 2002
Act on the Intelligence and Security Services.
If you’re using an open device, it is not punishable. The receiver side is
here the criteria. It requires that there needs to be a non-public aspect to
it.
Illegal interception – UK law
Investigatory powers act 2016. Section 4 zooms in more on the condition
that needs to be in place. So interestingly the data/communication
shouldn’t be the technical information that’s transmitted (meta data) but
it’s about getting info of what is being transmitted, and not the
transmission. It’s only the content of the communication, of what I am
saying.
Interception related criminalisations – DPC
In the Dutch legal system you have interception related criminalisations.
Art. 139e. Any person who
1. has at his disposal an object in which, as he knows or should reasonably
suspect, data has been stored that was obtained by unlawful ...
interception or recording of ... telecommunications or other type of data
transfer or data processing by a computerised device or system;
2. has obtained data by unlawfully ... intercepting or recording ...
telecommunications or other type of data transfer or data processing by
means of a computerised device or system, or data which has come to his
knowledge, as he knows or should reasonably suspect, as a result of
such ... interception or recording, and who intentionally discloses such
data to another person;
3. intentionally makes an object defined in (1°) available to another
person; shall be liable to a term of imprisonment not exceeding six
months ...
Data interference
Art. 4 CoC
1. Each Party shall adopt such legislative and other measures as may be
necessary to establish as criminal offences under its domestic law, when
, committed intentionally, the damaging, deletion, deterioration, alteration
or suppression of computer data without right.
2. A Party may reserve the right to require that the conduct described in
paragraph 1 result in serious harm.
Data interference – DPC
Dutch legislator is looking at what is similar in the physical world to what is
happening in the cyber world. They think it’s like damaging
property/damaging goods.
Art. 350 DPC damaging property/good
A person who intentionally and unlawfully destroys, damages, renders
unusable or causes to disappear any property belonging to another is
liable ...
- But under Dutch law, data are not considered property (or goods) ...
Art. 350a DPC data interference
1. A person who intentionally and unlawfully alters, erases, renders
useless or inaccessible data stored, processed or transferred by means
of an automated device or by telecommunication, or adds other data
thereto, is liable to a term of imprisonment of not more than two years or
a fine of the fourth category.
A damage is not required for liability here. A lot of the times in the Dutch
legal system you are found guilty when there has damage been done to
the property. The damage is not required in this article. If I send out a
Troyan horse but it wasn’t activated yet, but it’s already covered by this
article.
Art. 350a (continued)
3. A person who intentionally and unlawfully provides or disseminates
data designated to cause damage in an automated work, is liable to
a term of imprisonment of not more than four years ...
- E.g. Worms & viruses -> but article covers all data designated to cause
damage in computer (incl. trojans and logic bombs although they do not
necessarily cause damage in a computer – but may cause damage by
secretly passing on data)
- Damage not required for liability
4. A person who commits the act specified in section 3 with the object of
limiting the damage resulting from such data is not criminally liable.
Art. 350b
Week 1B – substantive law on cybercrime
Illegal access
Dutch legislator criminalizes the same as when you enter a home
(domestic). Trespassing in a home is criminalized. Computer is seen like a
home, where you have your (digital) valuables.
ECLI:NL:RBMNE:2021:1330
Prosecuted for hacking. In which he procured a way to enter the system of
another person. When he was prosecuted, he said he didn’t use it with
intent, he didn’t want to victimize that person but wanted to make him
aware of weaknesses. According to the court that wasn’t why he did it.
Illegal interception
Intent is very important here.
“The interception without right, made by technical means, of non-
public transmissions of computer data to, from or within a computer
system”
Non-public transmissions
The term non-public qualifies the nature of the transmission
(communication) process and not the nature of the data transmitted. If
you have public data (data that you can gain anywhere) but you want to
send this to a non-public channel, that is what we’re talking about. It can
be a closed off section of a Facebook page. It is not meant for the general
public. Art. 3 CoC refers to the confidentiality of the transmission process.
Technical means
Listening to, monitoring or surveillance of the content of communications,
to the procuring of the content of data either directly, through access and
use of the computer system, or indirectly, through the use of electronic
eavesdropping or tapping devices. (See cons. 53 of explanatory report).
Examples of communication. In the form of how transmission of
computer data can take place:
o Inside a single computer system (from CPU to printer)
o Between two computers communicating with one another
o Computer and a person (e.g. through the keyboard)
But: reservations possible!
, Intentionally and without right
o See cons. 58 of explanatory report
Reservations art. 3 CoC
Reservations limit the scope of what should be criminalized. A Party may
require that the offence be committed with dishonest intent, or in
relation to a computer system that is connected to another computer
system.
Illegal interception – CoC/EU
Next to art. 3 we also have art. 6 of the Directive. Member States shall
take the necessary measures to ensure that intercepting, by technical
means, non-public transmissions of computer data to, from or within an
information system, including electromagnetic emissions from an
information system carrying such computer data, intentionally and without
right, is punishable as a criminal offence, at least for cases which are not
minor.
Illegal interception – Dutch Penal Code (CDP)
There where the intention is non-public. A person could have a long-
distance microphone and listening in. And they could be able to record. It
does require a technical device.
Art. 139a/139b DPC
Secretly eavesdropping or recording, by a technical device, of oral
conversation.
Art. 139c DPC
1. A person who intentionally and without right intercepts or records with
the help of a technical device data not intended for himself, which are
processed
or transferred by telecommunications or a computer, is liable by a term of
imprisonment of not more than two years or a fine of the fourth category
…
2. This provision does not apply to intercepting or recording
(1) data received by a radio receiver, unless a special effort was
made or a prohibited receiver was used to make such reception
possible;
, (2) by a person entitled to the connection used for
telecommunication, except in cases of clear abuse;
(3) for the purpose of ensuring that the telecommunications
infrastructure used to service the general public is working properly,
for the purpose of criminal investigation, or to implement the 2002
Act on the Intelligence and Security Services.
If you’re using an open device, it is not punishable. The receiver side is
here the criteria. It requires that there needs to be a non-public aspect to
it.
Illegal interception – UK law
Investigatory powers act 2016. Section 4 zooms in more on the condition
that needs to be in place. So interestingly the data/communication
shouldn’t be the technical information that’s transmitted (meta data) but
it’s about getting info of what is being transmitted, and not the
transmission. It’s only the content of the communication, of what I am
saying.
Interception related criminalisations – DPC
In the Dutch legal system you have interception related criminalisations.
Art. 139e. Any person who
1. has at his disposal an object in which, as he knows or should reasonably
suspect, data has been stored that was obtained by unlawful ...
interception or recording of ... telecommunications or other type of data
transfer or data processing by a computerised device or system;
2. has obtained data by unlawfully ... intercepting or recording ...
telecommunications or other type of data transfer or data processing by
means of a computerised device or system, or data which has come to his
knowledge, as he knows or should reasonably suspect, as a result of
such ... interception or recording, and who intentionally discloses such
data to another person;
3. intentionally makes an object defined in (1°) available to another
person; shall be liable to a term of imprisonment not exceeding six
months ...
Data interference
Art. 4 CoC
1. Each Party shall adopt such legislative and other measures as may be
necessary to establish as criminal offences under its domestic law, when
, committed intentionally, the damaging, deletion, deterioration, alteration
or suppression of computer data without right.
2. A Party may reserve the right to require that the conduct described in
paragraph 1 result in serious harm.
Data interference – DPC
Dutch legislator is looking at what is similar in the physical world to what is
happening in the cyber world. They think it’s like damaging
property/damaging goods.
Art. 350 DPC damaging property/good
A person who intentionally and unlawfully destroys, damages, renders
unusable or causes to disappear any property belonging to another is
liable ...
- But under Dutch law, data are not considered property (or goods) ...
Art. 350a DPC data interference
1. A person who intentionally and unlawfully alters, erases, renders
useless or inaccessible data stored, processed or transferred by means
of an automated device or by telecommunication, or adds other data
thereto, is liable to a term of imprisonment of not more than two years or
a fine of the fourth category.
A damage is not required for liability here. A lot of the times in the Dutch
legal system you are found guilty when there has damage been done to
the property. The damage is not required in this article. If I send out a
Troyan horse but it wasn’t activated yet, but it’s already covered by this
article.
Art. 350a (continued)
3. A person who intentionally and unlawfully provides or disseminates
data designated to cause damage in an automated work, is liable to
a term of imprisonment of not more than four years ...
- E.g. Worms & viruses -> but article covers all data designated to cause
damage in computer (incl. trojans and logic bombs although they do not
necessarily cause damage in a computer – but may cause damage by
secretly passing on data)
- Damage not required for liability
4. A person who commits the act specified in section 3 with the object of
limiting the damage resulting from such data is not criminally liable.
Art. 350b
