International review of criminal policy - Nos. 43 and 44/SUBSTANTIVE CRIMINAL LAW PROTECTING THE HOLDER OF DATA AND INFORMATION/The development of national law

89. Two primary issues are raised by the use of legislation to protect the holder or processor of data or information. First, to what extent is the criminal law an adequate appropriate mechanism for guaranteeing the integrity and correctness of data or information? Secondly, when or how should the interests of proprietors or holders in the exclusive use or secrecy of data or information be protected?

1. The integrity and correctness of data

The integrity of data

90. Until the 1980s, in most legal systems the integrity of computer-stored data was covered by general provisions regarding damage to property, vandalism or mischief. However, these provisions were developed to protect tangible objects; thus their application in the information sphere posed new questions. In a few criminal codes the mere erasure of data without damaging the physical medium does not fall under the traditional provisions regarding damage to property, since electrical impulses are not considered to be corporeal property and interference with the use of physical medium is not considered to be destruction. However, the prevailing opinion in most countries considers the deliberate damage or destruction of data on tapes or disks to be equivalent to damage to, or interference with the use of, property (i.e. vandalism) de lege data, since the use of the tape or disk has been affected.

91. To clarify the situation, new legislation has been enacted in many countries. Some countries amended the traditional statues on mischief, vandalism or damage to tangible property; others created specific provisions. The legislation of a few countries covers all kind of documents, not only computer-stored data. In the United States, a number of state laws contain more specific sanctions for the insertion or intrusion of a computer virus, and on the federal level, a provision sanctions the reckless causing of damage when a federal computer system is intentionally accessed without authorization. Some legal systems also include specific qualifications for computer sabotage that leads to the obstruction of business or of national security.

The correctness of data

92. Owing to its fragmentary character, criminal law is too blunt an instrument to guarantee the general correctness of data, especially its informational content. Only in specific cases, such as balance sheet items, medical reports or other specific documents, can it attempt to guarantee the preservation of faultless data.

93. Some of the most important criminal law provisions covering the integrity, as well as he correctness, of specific data are provisions on forgery, which guarantee the authenticity of a document for the statement that it contains. In some countries, the provisions on forgery require visual readability of statements embodied in a document and, for this reason, do not cover electronically stored data. With the intention of giving electronically based documents the same legal protection as paper-based declarations, some enacted or proposed new statues on forgery that relinquish visual perceptibility. De lege lata, courts in other countries came to the same result.

False data as a means to attack other legally protected interests

94. Traditionally, the involvement of computer data (e.g. in the case of murder committed by the manipulation of a computerized hospital supervision system) does not create specific legal complications. The respective legal provisions are formulated in terms of result, and it is completely irrelevant if the result is achieved with the involvement of a computer.

95. In the area of financial manipulations the situation is different. In many legal systems the statutory definitions of theft, larceny and embezzlement require that the offender take an "item of another person's property". In such systems, the provisions are not applicable if the perpetrator appropriates deposit money. In many countries, these provisions also cause difficulties in regard to the manipulation of financial transactions through automated cash dispensers. The statutory provisions on fraud in some legal systems demand the deception of a person. They cannot be used when a computer is deceived. Statutory definitions of breach of trust or abus de confiance, which exist in several countries, sometimes apply only to offenders in high positions and not to punchers, operators or programmers; some provisions also have restrictions on which objects may be protected. Consequently, many legal systems have looked for solution de lege data without overstretching the wording of existing provisions, and new laws on computer fraud have been enacted in many countries. Such clarifications or amendments should be considered, if necessary.

2. The exclusive use of data or information

96. The exclusive use of information by its holder is protected by three legal instruments: (a) new, computer-specific statutes concerning illegal access to or use of computer systems; (b) the general rules of intellectual property law, especially copyright law; and (c) the general rules of trade secret law, especially the provisions on economic espionage.

Special statutes protecting exclusive access to and use of computer systems

97. In many countries, since the 1980s, the protection of computer data by the general provisions of trade secret law and intellectual property law has not been considered to be sufficient. In response to the new cases of hacking, many States developed new statutes protecting a "formal sphere of secrecy or privacy" for computer data by criminalizing illegal access to or use of another person's computer, thereby also protecting the computer data contained therein. This new legislation became necessary because, in most countries, protection of this "formal sphere or privacy" against illegal access to computer-stored data and computer communication could not be guaranteed by traditional criminal provisions.

98. As far as wire-tapping and the interception of data communications are concerned, the traditional wire-tap statutes of most legal systems refer only to the interception of communications. Therefore, legislative proposals that cover wire-tapping and other forms of electronic surveillance or the interception of computer system functions or communications have been put forth in many countries. When enacting legislation in this area, it is important that the new law should address interception in all of its possible forms, whether of communications to, from or within a computer system, or of inadvertent or advertent emissions of radiation.

99. Similarly, traditional provisions on trespassing and forgery often cannot be used. In all countries, the applicability of traditional penal provisions to unauthorized access to data-processing and storage systems is generally difficult. Therefore, new legislative provisions concerning such access have been enacted in many countries. These provisions demonstrate various approaches. Some criminalize "mere" access to EDP systems; other punish access only in cases where the accessed system is protected by security measures or where the perpetrator has harmful intentions or where data obtained, modified or damaged. Some countries combine several of these approaches in a single provision covering both "mere" access (in the form of a basic hacking offence) and qualified forms of access (in the form of a more serious ulterior offence with more severe sanctions).

100. One problem concerns the circumstances under which an initially authorized access may become unauthorized or may otherwise turn into a criminal action. In most countries, the new provisions deal only with the initial unauthorized access, thus criminalizing only the acts of outsiders; other countries also proscribe unauthorized use of or presence in systems, thus also criminalizing use or "time theft" by both outsiders and employees. A special solution to protect employees can be found in the California state law, which does not apply to employees if their use is within the scope of their employment or, in the case of uses outside the scope of employment, the use does not result in any injury or the value of the used services does not exceed $100.

101. The discussion about initially authorized access demonstrates that illegal access to computer systems is closely connected to, and partly overlaps with, the criminalization of unauthorized use of computers (i.e. both use without authority and time theft), although up to the present this close relationship has not yet been generally realized by all countries. De lege ferenda in most civil law countries the problem of illegal use of computers is reduced to the illegal use of computer hardware and discussed within the context of furtum usus of corporeal property. In this context many civil law countries reject a general criminalization of furtum usus of tangibles (with some exceptions, such as for moto vehicle joyriding) and consequently do not incorporate a provision against the illegal use of computers or time theft in their new computer crime laws. However, there are (mainly Nordic) countries that have a legal tradition of criminalizing the unauthorized use of corporeal property, so that the new reform proposals of these countries also criminalize the unauthorized use of computer systems. Many common law countries or parts thereof (e.g. Canada and many States of the United States) have recognized the relationship between access and use, and in statutory definitions subsume either "access" or "use" into the other concept, thereby creating a single legal concept that address both situations for the purposes of the new penal provisions. Since the unauthorized use of computer systems generally presupposes unauthorized access to that system, an adequate access or use provision could at the same time cover the other delict as well.

102. A further distinction that is sometimes recognized is one between (a) the unauthorized obtaining of computer services or time that is ordinarily provided for a fee and (b) the unauthorized use of computer systems in general. The delict in respect of the former is the unauthorized obtaining of computer services without payment of the requisite fee, thereby causing the owner of the system to suffer a financial loss. In some countries, such abuse is covered by general theft of service laws. The statutes of other countries, however, are limited to the unlawful use, waste or withdrawal of electricity. General theft and fraud statutes may be applicable in some countries, while in other countries specific provisions have had to be enacted to deal with this type of theft of service.

103. The delict in respect of the mere unauthorized use of the computer is the violation of the exclusive use rights of the owner. Addressing this problem raises all of the issues previously discussed in relation to the issues of unauthorized access and unauthorized use.

Intellectual property law

104. The concept of intellectual property law has been predicated both on the recognition of natural rights in intellectual property and on the policy of encouraging the creation of works by granting a certain premium to the creators. In the field of information technology, this concept is especially important for the protection of computer programs and semiconductor topographies.

Computer programs

105. Depending on the circumstances, trade secret protection may apply to computer-stored date, including computer programs themselves. However, since these legal devices are restricted to secret programs, special relationships and/or specific acts of accessing information, they are not sufficient to guarantee secure trade with respect to computer programs in general. The price discrepancy between expensive originals of computer programs and cheaper unauthorized reproductions is so vast that there is a demand in all countries for the more comprehensive regulation of these activities. Protective systems could be expanded to include non-secret programs and could be applicable to third parties.

106. In recent years, many countries have debated the scope of copyright law, given that patent law can protect only a small number of programs, such as those that include a technical invention. With the aim of avoiding legal uncertainty, many countries have expressly provided copyright protection for computer programs by way of legislative amendments. This fundamental recognition of the need to copyright computer programs can, however, only be regarded as a first step. The creation of effective copyright protection for computer programs raises explicitly the question of the appropriate scope of copyright protection, as well as some additional problems. Until now, these questions have been solved in disparate and often unsatisfactory ways in many countries.

107. The role op penal copyright protection has also been evaluated differently in various countries. In the past, copyright law in common law systems rarely, if ever, resorted to penal sanctions; civil law systems, in contrast, have traditionally punished infringements of copyright by lenient criminal sanctions. The increase in audio- and videotape piracy in recent years, however, has necessitated more stringent criminal sanctions in both systems; thus the distinction between civil and common law systems has been effectively removed.

108. Although some of the new laws are still confined to phonographic products, many are of a more general nature. Reform proposals providing more severe criminal sanctions for copyright infringements have been enacted in many countries. These efforts to achieve more effective copyright protection are justified, since attacks against intellectual property deserve a criminal law response as much as do the more conventional attacks on corporeal property. The reluctance to criminalize copyright infringements, still evident in some countries, could be counteracted by adequate civil law provisions. The law can be structured to differentiate between less objectionable activities, such as private back-up copying, and more clearly criminal behaviour, which either causes economic damage or is regularly committed for gain.

Semiconductor products

109. Computer programs are not the only new economic values created by modern computer technology. As is evidenced by the miniaturization of computers and the development of fifth-generation computers, the technique of integrated circuits is becoming more and more sophisticated. The possibilities of copying the topography of semiconductor products give rise to demand for an effective protection of such products in order to stop unauthorized reproduction.

110. In most countries, it remains unclear to what extent the topography of semiconductor products is protected against reproductions by patent law, copyright law, registered designs, trade secret law and competition law. In the United States, special protection for computer chips was provided by the Semiconductor Chip Protection Act of 1984. 8 Many states followed this sui generis approach by enacting similar legislation.

111. However, criminal sanctions provided under this type of legislation differ from country to country. In contrast to the laws of Canada, Italy and the United States, the new Finnish, German, Japanese, Netherlands and Swedish laws include criminal sanctions, which among other things punish the infringement of a circuit layout right. Civil and penal sanctions for egregious infringements of circuit layout rights require serious consideration.

The protection of trade secrets

112. When information is acquired by stealing a corporeal carrier of information, such as a printout, tape or disk, the traditional penal provisions on theft, larceny or embezzlement are not problematic in application. However, the ability of data-processing and communication systems to copy data quickly, inconspicuously and, often, via telecommunication facilities has meant that most of these acts of traditional information carrier theft are replaced with acts of actual information acquisition. Therefore, the question arises, To what extent can or should the pure acquisition of incorporeal information be covered by these provisions? Most countries are reluctant to apply traditional provisions on theft and embezzlement to the unauthorized appropriation of secret information, because these provisions generally require that corporeal property be taken away with the intention of depriving the victim of use or control The acquisition of information (e.g. by copying it or taking away a copy) does not necessarily deprive the original holder of the information. The data may still exist intact, or other copies my exist.

113. Additionally, in many countries the traditional laws of theft also require that the thing that is taken constitute property. However, legislators and the judiciary in many of these countries are reluctant to ascribe a property status to information, even confidential information. The issue of misappropriation of information raises a number of broader legal, social and economic issues. The conflict of interest between the free flow of information and the right to confidentiality must be taken into account, as must be the economic interests in certain kinds of information. Just as in the area of intellectual property law solutions in this area must also provide for an appropriate degree of flexibility to balance these competing interests. Traditional property law, with its emphasis on exclusivity to one owner, does not adequately account for the dynamics of information in an information society. Rather than relying on traditional theft provisions, special laws may need to be enacted. 2

114. As a result of problems in applying the general property law to cover trade secrets, in many countries the misappropriation of someone else's secret information is covered by special provisions on trade secrets law. These provisions protect trade secrets by prohibiting only certain condemnable acts of obtaining information, either by provisions of the penal code or by penal or civil provisions of statutes against unfair competition. These laws generally attempt to balance the competing interests.

115. Generally speaking, it can be said that criminal trade secret law and civil unfair competition law are less developed in common law countries, at least statutorily, and in Asian countries than in continental Europe. As far as future policy-making is concerned, the international trend towards trade secret protection should be encouraged. To achieve an international consensus, all legal systems could, either in their penal codes or in statutes against unfair competition, establish penal trade secret protection reinforced by adequate civil provisions on unfair competition.