Would you like to share an article on cybercrime? Please contribute!

These articles do not necessarily reflect official positions of the Council of Europe

Circumvention of technological protection measures as a cybercrime

Without any doubt, the circumvention of an effective technological measure to protect an intellectual work could be considered as a cybercrime in the international legislation. It is a theme with links in the field of intellectual property, the criminal law and technologies of information and communications.

We define technological protection measures as any mechanism or technical work designed with the objective to control or make impossible the non-authorized use, copy or access to an intellectual work’s content without the right-holder permission, the abuse of an authorization granted or generally to protect the copyright on an intellectual work.

As a justification for its application, these kind of rights are consequences of the privileges that the owner can apply inside his intellectual work when it is presented in a technologic format, so there are possibilities to include mechanisms of protection against a non-authorization copy or a misuse of it, along with other offences that can avoid the exploitation of an intellectual work by its owner.

In this sense, the Convention of Europe on Cybercrime stands the protection of the copyright as a possible matter to be sheltered by criminal laws so the Agreement’s parties and the observant countries can elaborate the necessary norms to include them in its legal systems if they do not have it.

“Article 10.– Offences related to infringements of copyright and related rights

1.- Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of copyright (…), with the exception of any moral rights conferred by such conventions, where such acts are committed willfully, on a commercial scale and by means of a computer system.

2.- (…)

3.- (…)”

From the same scope, the Directive 2001/29 of the Parliament and the Council of the European Union (Chapter III, article 6) exhorts to the country parties to include and regulate the technological measures in its internal legislation.

This very same Directive 2001/29, article 6, paragraph 3, defines the "technological measures" as “any technology, device or component that, in the normal course of its operation, is designed to prevent or restrict acts, in respect of works or other subject-matter, which are not authorized by the rightholders of any copyright or any right related to copyright as provided for by law…”

Copyright legislation from different countries has recognized expressly the technological measures to protect software, electronic apparatus and other digital works against its non-authorized use, duplication or breaking the owner’s exploitation rights, meanly grounded in the copyright’s protection (author’s rights). Examples of those technological measures could be the use of passwords, contents encryption, watermarks, identifications logos, amount of time to allow the use, or in general any technical device that prevents the illicit duplication or non-authorized access to the software’s content that could breaks the author’s rights to the royalties. In such cases, those behaviors can bring sanction in the criminal field against persons who break the technical preventions. They are measures designed for digital works susceptible to include such technical barriers.

It is important to have clear that the technological measure must to be “effective”, including methods or technological devices that, working the way they were designed, control the access to the protected work. This means that protection cannot be break by accident. So, it is necessary that the action of circumvent the protection must be intentional. The article 6 paragraph 3 of the Directive 2001/29 of the Parliament and of the Council of the European Union, explains what means “effective technological measure”:

"Technological measures shall be deemed "effective" where the use of a protected work or other subject-matter is controlled by the rightholders through application of an access control or protection process, such as encryption, scrambling or other transformation of the work or other subject-matter or a copy control mechanism, which achieves the protection objective.”

According with the World Intellectual Property Organization (WIPO), there are several technological measures and its characteristics vary from time to time. Besides, the WIPO shares the measures in two groups depending if they are use a) to limit the access to the intellectual work’s contents and it only can be access by authorized persons; or b) to control the use by authorized consumers, but without go away beyond the granted authorization:

“In general, right holders seek to control the use of their works in the online environment by utilizing specialized technologies. Technological protection measures take various forms and their features are continually changing.

These measures can broadly be grouped into two categories: first, measures that are deployed to limit access to protected content to users who are authorized to such access. Common access control features are, for example, cryptography, passwords, and digital signatures that secure the access to information and protected content.

The second major group of technologies aims at controlling the use of protected content once users have access to the work. According to the corresponding license agreement, certain uses of protected content may be allowed for certain purposes. To make sure that these obligations are complied with and no unauthorized reproductions are made, the respective technological measures attempt to track and control copying, and thus prevent the user from surpassing the right he has been granted. Examples of such copy control measures are serial copy management systems for audio digital taping devices, and scrambling systems for DVDs that prevent third parties from reproducing content without authorization.” (World Intellectual Property Organization; FAQ’s section. How do technological protection measures work? [Consulted: March 31th., 2013].

As the reader can conclude, the circumvention of any technological protection measures can require an expertise level, skills and technological knowledge that are not common, so it is a conduct that must be sanctioned as a typical cybercrime. Besides, it implies the use of sophisticated equipment or software that could be exclusively created by the active subject with the objective to elude the protection measures.

Indeed, this scenario should have a narrow relationship with the article 6 of the Convention on Cybercrime because it implies abuses of technical devices to commit informatics offences:

“Article 6 – Misuse of devices

1.- Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

a) the production, sale, procurement for use, import, distribution or otherwise making available of:

i.- a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with the above Articles 2 through 5;

ii.- a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed,

with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and

b) the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

2.- This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.

3.- Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article.”

Nevertheless, the content of the article 6 does not make a formal reference to the article 10 of the Convention on Cybercrime about copyright protection. That is why we have to discard the application of this article 6 because its content about misuse of devices does not include the technological protection measures but the basic penal crimes from the articles 2 to 5 such illegal access, illegal interception, data interference and system interference. None of them stand a reference about protection of intellectual property or copyright. In spite of such omission, we would not find differences among create an cyber virus, break the authentication process while mounting a software, install a tricky file inside a firmware or circumvent a videogame protection. All such behaviors imply very similar actions so they are equally criminal offences; they have connection with actions like for example the creation of a password or access code to achieve an illicit interception or an illegal access. The only difference will be if there are copyright´s elements involved.

It could be convenient that the article 6 of the Convention on Cybercrime, which deals with the misuse of devices, can include the reference to the article 10, so the action of circumvent a technological protection measures can be expressly contented as a cybercrime against the copyright in technological products.

Finally, I would like to ask some questions to the reader:

1.- Does your country include the technological protection measures in your legal system?

2. - If yes, is it a cybercrime o just an action against the intellectual property?

3.- If your legal system does not include the technological protection measures, is there an legislative initiative to include them as a cybercrime or at least as a violation against copyright?

- * -


Comment by Jose Francisco Salas-Ruiz on April 1, 2013 at 1:05am

There is a Spanish version of this post. I hope you will find it useful.



Thoughts on the benefits of cross-country cooperation and communication

I have the chance of contributing to an exciting project at the moment that involves cross-country cooperation and communication. The project is aiming to develop, test, validate, distribute and maintain software tools in the fields of cybercrime investigation and digital forensics. As one of the outputs of the projects these tools will then be provided free of charge to law enforcement agencies around the world. But the project is not the reason for this blog post; the real reason is an observation that I made during this project.

Exchanging ideas and experiences with other international colleagues it was interesting to see how the need for software tools performing certain tasks was very similar despite the fact that the participants were coming from different countries. However during the discussions I had with the other project partners we discovered that there exist several examples for specific, custom-made software that has the same purpose but was developed independently by different countries. That means that some countries invested manpower and in some cases high budgets to external companies although a solution for their problem already existed.

So I asked myself two questions: First: How this could happen? and Second. How can this be avoided in the future?

The answer to the first question is difficult because it is not possible to reconstruct the entire process of how the tool was developed. The most likely answer is that the countries that wasted their resources either did not know that another very similar tool already exists or that the existing tool did not meet their requirements exactly. The third possible answer could be that each country wanted to develop "their own" tool, giving them the freedom to customise the software whenever needed along with the copyrights and intellectual property rights. A last reason why one organization might have developed their own tool although an alternative has already been available might be that the other tools that existed were proprietary, license based and/or too expensive to buy. There are valid arguments in favor and against all of these circumstances but I wanted thought that there might be things that we can learn about all these solutions.

The lessons that might be learned - to answer the second question - is that it needs more projects encouraging international cooperation on tool development and distribution amongs non-profit law enforcement organizations. Why? Because with the right approach duplicate work can be minimized, tools can be provided free of charge and the source code of the tools can be made available and thus the tools become customizable for all law enforcement agencies. If the project is equipped with sufficient funding even multi-language support, tool manuals and training can be developed. This approach could really solve most of the circumstances that I just described. The downpoint of course is that such projects need funding so a larger investment is necessary but I think in total it can save a lot of resources of terms of law enforcement agencies personnel, budgets and time.

Any thoughts, comments, ideas?

Combating Cyber Crime in African Region

Combating Cyber Crime in African Region

Except a few, many countries in Africa do not have Cyber Law yet and with the rapid penetration and usage of Internet in these countries the number of cyber incidents are becoming more and more often. Law Enforcement Authorities (Police & Gendarmerie) are facing the challenge of how to attend to cyber crimes when victims are complaining of hacking , phishing , identity theft etc.. Two things that are of direct concern are (i) the capacity of Law Enforcement to attend to such crimes, and (ii) until they get a piece of cyber law to act upon, they have to manage to get the culprits within the existing criminal laws prevailing in the country which is not easy. Both situations needs time, efforts and most importantly decisions at very high level.

Noticeably, some countries in West Africa are making efforts to combat cyber crimes.

In Benin 12 officers from Gendaremerie Nationale & Police Nationale had a full week training on combating Cyber Crime (Formation appliquée sur la cybercriminalité 3- 6 Dec 2012) organized by Francopol with the collaboration of the “Organisation Internationale De La Francophonie”. The training was held at the Police Training School in Cotonou.

Likewise in Burkina Faso, 16 officers from Gendaremerie Nationale & Police Nationale had a similar training from 25th February to 1st March 2013 through the same sponsorship, both being French speaking countries.

However, not much is being heard on cyber law or international cooperation to combat cyber crime from these countries. Exposure to the existing cyber law, convention on cyber crime and 24/7 High Tech Crime Network are no doubt things that will help them to catch-up.

Other than South Africa, Zambia and Mauritius that do have capacity and laws to combat cyber crimes, countries like Ghana, Botswana and a few others are also improving in this area.

I want to hear more of developments in this region, anybody is most welcome !!!

Content Provider Liability

UK court finds Google could be liable for blog comments

Cybercrime and forensics education in different countries - share your experience!

Hey everyone,

as the Octopus Cybercrime Community is a panel on global experts in the field of cybercrime I would like to take the chance to ask for your broad range of experiences and opinions in regards to cybercrime education in your countries. To provide some basis for our discussion I will set up a brief introduction about cybercrime education and the observations that I have made. In the end I will raise some questions to start our discussion.

I think we all agree that fighting cybercrime is not just a challenge of our own countries but usually has a transnational character. That is the reason why international treaties like the Council of Europe Cybercrime Convention have be set up and more and more countries seek to harmonise their national legislations in the field of cybercrime. While it can take a long process to change or adjust national laws it can even take longer to implement them in the national jurisdiction as well as the executive authorities.

Especially when it comes to fields like cybercrime and digital forensics the real challenge oftentimes is not just a legislative one but also one of establishing and maintaining technical expertise to keep up with cybercriminals. Even if the necessary laws are in place qualified personnel is needed not only trace but also to convict perpetrators in the cyberspace. Therefore a high degree of specialism is required not only for law enforcement officers but also on the judges and prosecutors side as well as on the governmental side. To establish a satisfactory level of technical expertise different professional training programmes are needed.

I have made the experience that the level of cybercrime and forensic education extremely differs not only from country to country but also from branch to branch. Some countries do not have any cybercrime training programmes at all, some countries send people abroad to visit training courses in other countries, while some countries might have comprehensive practical trainings for law enforcement practicioners but only very little courses for judges and prosecutors. As far as I know only a few countries have set up academic programmes in cybercrime and digital forensics education and even less countries have established research facilities in addition to their trainings. Some organisations like the Council of Europe (CoE), the European Anti-Frau Office (OLAF), the European Commission (EC) and the European Cybercrime Training & Education Group (ECTEG) have spent a lot of efforts to run training projects on a European and international level (e.g. CyberCrime@IPA, CyberCrime@EAP, Hercule, 2CENTRE)

From what I have encountered there are different approaches to cybercrime and digital forensics education:

  • Training programmes at academies
    Be it on police academies or on judicial academies these training programmes range from just a few courses up to a broad range of modules comparable to university/college degrees. The scope of these courses oftentimes is very much oriented upon the practical needs.
  • Certifications
    There are some certifications out there, especially in the field of digital forensics. Some of them are the Certified Forensic Computer Examiner (CFCE), the Certified Computer Examiner (CCE), the Certified Ethical Hacker (CEH), the Computer Hacking Forensic Investigator (CHFI), the Certified Information Systems Security Professional (CISSP) and the Global Information Assurance Certifications (GIAC).
  • Vendor specific courses
    Vendors of forensic tools oftentimes offer courses for their tools. Some of the vendors even offer a certification process to give prove of some tool specific knowledge, like the EnCase Certified Examiner (EnCE) or the Access Data Certified Examiner (ACE).
  • Academic degrees
    The academic degrees range from Bachelor of Science (BSc) to Master of Science (MSc) and even promotional degrees (PhD). Two example that I know about is the Master of Science in Forensic Computing and Cybercrime Investigation at University College Dublin in Ireland and the Master of Science in Digital Forensics at Univery Albstadt-Sigmaringen in Germany.
  • Conferences
    Conferences also include educational parts. That is why I included them in this list. I personally know of some conferences like the Digital Forensics Research Conference (DFRWS), the International Conference on IT Security Incident Management & IT Forensics (IMF), the EuroForensics and Octopus Conference or course.
  • Research facilities
    Do you know of any?


This is where I would really like you to share your experiences with us! Please let us know:

  • What is the approach in your country?
  • Did you encounter any other approaches?
  • Do you know any of the organisations in your country that offer cybercrime and/or forensics trainings?
  • Do you know of any standardization of cybercrime education in your country, continent or even global?

Thank you for letting us participate in your experiences!

Fraude Informático y Estafa Informática: la necesidad de construir e incluir estos nuevos tipos penales en un código penal moderno

El Convenio de Europa sobre Ciberdelincuencia de 2001 incluye, en su parte sustantiva, los delitos de fraude informático y estafa informática como una categoría de conductas que deben tipificarse en las respectivas legislaciones penales de los países suscriptores del Acuerdo. De esta manera, el Convenio de Europa se convierte en un marco jurídico internacional donde se otorga un buen margen de actuación al legislador nacional para crear los tipos penales correspondientes. También sirve de ejemplo para otros países que aún no contemplan todos los tipos penales sobre criminalidad informática en sus respectivos códigos.

En el caso concreto de los delitos que nos interesa mencionar, es importante determinar si los tipos penales de estafa y fraude informático pertenecen a una categoría especial de infracciones o si son sólo una categoría de delitos incluida en la nomenclatura tradicional. Tal será el límite de nuestras observaciones.

Lo primero que llama la atención es que existe una aparente confusión en la terminología penal informática, pues las conductas y acciones que en algunos sitios denominan “estafa informática” otros lo asimilan a “fraude informático”, y otros más visualizan a este tipo de delito como una especie dentro de la generalidad de los fraudes informáticos.

En apoyo a esta relación jerárquica entre ambas figuras, encontramos la explicación de Claudio Magliona, de Chile, en referencia a las normas en los ordenamientos penales de otros países, quien sostiene que el tipo de fraude informático subsumió al de estafa, por estar construido con sus elementos básicos:

“Esta figura [del fraude informático] vino a absorber todas aquellas conductas defraudatorias que, por tener incorporada la informática como herramienta de comisión, no podían ser subsumidas en el tipo clásico de la estafa del derecho comparado. Esta vinculación con la estafa desde sus inicios determinó además que el concepto, estructura y contenido del fraude informático fueran construidos a partir de los elementos del delito de estafa.” (MAGLIONA MARKOVITCH, Claudio. “Delincuencia Informática en Chile, Proyecto de Ley”. En Revista de Derecho Informático Alfa Redi No.50 (septiembre del 2002) (Free translation)

No obstante tal opinión, intentaremos dar a cada una de esas infracciones un breve análisis por separado.

A.- El fraude informático como un nuevo tipo penal.

El fraude informático es quizás el tipo de delito más común dentro de las infracciones cibernéticas. De hecho, es el más conocido y probablemente el más antiguo, pues se tienen noticias de fraudes cometidos con computadoras que datan de la tercera generación de éstas, cuando éstas hicieron su aparición en la vida laboral de empresas de tipo financiero y bancario.

Las formas de cometer el fraude informático son muy variadas, aunque siempre convergen en el manejo ilegítimo de los sistemas de información, ya sea mediante la creación de usuarios fantasmas para recibir beneficios económicos, la creación de cuentas bancarias adicionales no autorizadas, la introducción de algoritmos matemáticos que alteren el funcionamiento normal del sistema para obtener ganancias ilícitas, la intervención directa en los procesos automáticos de la computadora, o el redondeo de cuentas bancarias o financieras, todo ello con el objeto de obtener algún provecho pecuniario.

Los medios para llevar a cabo los ilícitos derivan de la naturaleza intrínseca de los sistemas informáticos. Todos ellos han sido diseñados para recibir datos, almacenarlos, ordenarlos, modificarlos, borrarlos y posteriormente darlos a conocer como información particular para el consultante.

El Convenio sobre Ciberdelincuencia de 2001 incluye el marco de referencia que deberá tener en cuenta el legislador penal al momento de crear un tipo de esta naturaleza:

Artículo 7 - Falsificación informática

Cada Parte adoptará las medidas legislativas y de otro tipo que resulten necesarias para tipificar como delito en su derecho interno, cuando se cometa de forma deliberada e ilegítima, la introducción, alteración, borrado o supresión de datos informáticos que dé lugar a datos no auténticos, con la intención de que sean tenidos en cuenta o utilizados a efectos legales como si se tratara de datos auténticos, con independencia de que los datos sean o no directamente legibles e inteligibles. Cualquier Parte podrá exigir que exista una intención fraudulenta o una intención delictiva similar para que se considere que existe responsabilidad penal.

Usualmente, los tipos penales que tratan este tema son bastante extensos en cuanto a las conductas que describe. Se pretende abarcar en lo posible todas las modalidades que se conocen del fraude informático. Los verbos que indica deben ser analizados individualmente para comprender a cabalidad el nivel de protección que se busca.

En apoyo a esta tesis, la española Gutiérrez Francés mantiene siempre una visión “pluriofensiva” en el caso del fraude informático e incluye otros bienes jurídicos de orden económico, tales como el interés económico, la hacienda pública y el patrimonio, pero también hace énfasis en el funcionamiento de los sistemas informáticos:

“las conductas de fraude informático presentan un indudable carácter pluriofensivo. En cada una de sus modalidades se produce una doble afección: la de un interés económico (ya sea micro o macrosocial), como la Hacienda Pública, el sistema crediticio, el patrimonio, etc., y la de un interés macrosocial, vinculado al funcionamiento mismo de lo sistemas informáticos.” (GUTIÉRREZ FRANCÉS, María Luz, “Fraude informático y estafa”, Editorial Centro de Publicaciones Secretaría Técnica del Ministerio de Justicia Madrid, España, 1991 p. 269)

Después de esta breve explicación de la forma como puede infringirse daño a un sistema de información, sólo falta definir si tales conductas deberían ser merecedoras de un tipo penal especial o puede incluirse en el tipo tradicional de estafa.

La respuesta es decididamente afirmativa. Una vez más, se trata de un delito nomen iuris propio, sin lugar a dudas, que exige un tratamiento de resguardo especial por parte de la legislación punitiva. No encontramos en qué otro conducta podrían ser calificados esas posibles (y comprobables) infracciones.

Tal conclusión no significa que las legislaciones de algunos países como Chile o España consideren dicha idea como válida. En España se concibe a la “estafa informática” como una suerte de fraude mediante manipulaciones tecnológicas. Los bienes jurídicos que deberían tutelarse no parecen ser tomados en cuenta, sino que parece protegerse exclusivamente el patrimonio. Al respecto, Choclán Montalvo explica:

“El legislador español ha omitido contemplar el fenómeno del delito tecnológico con cierta autonomía y no ha tenido en cuanta como bien jurídico digno de tutela bienes de carácter colectivo como pudiera ser la información en la red, la regularidad en el funcionamiento del sistema informático u otros similares. Esta perspectiva reduccionista, impuesta por el principio de taxatividad, deja al margen del art. 248.2 buena parte de los delitos tecnológicos que se presentan en la actualidad.” (CHOCLÁN MONTALVO, José Antonio. “Infracciones patrimoniales en los procesos de transferencia de datos”. En la obra “Delincuencia Informática. Problemas de responsabilidad”. Cuadernos de Derecho Judicial, IX, 2002. (Director: Óscar Morales García). Consejo General del Poder Judicial, Madrid, 2002, p.248)

En el mismo sentido, Magliona, quien después de dar una serie de argumentos de peso para justificar su posición, expresa la necesidad de que el fraude informático sea considerado como un nuevo tipo penal en la legislación de Chile:

“Por todo lo anterior, es que creemos debe incorporarse a nuestra legislación el fraude informático, como una figura dolosa, en la cual se exija como elemento subjetivo del tipo el ánimo de lucro, y como elemento objetivo la obtención mediante una manipulación informática de una transferencia indebida de cualquier activo patrimonial en perjuicio de tercero”.

En conclusión, debe clasificarse esta infracción penal dentro de los “delitos informáticos propiamente dichos”, lo que refuerza nuestra tesis de que se trata de una figura autónoma y de necesaria tipificación, fuera de las normas punitivas tradicionales, situación que no se encuentra en todos los Códigos Penales.

B.- Estafa informática como un nuevo tipo penal.-

En el tipo penal común de estafa siempre se hace énfasis en los verbos de “ardid”, “engaño”, “artificio” o similares, que se apliquen contra una persona con el objetivo de sustraerle su patrimonio, en todo o en parte. Es decir, para que se configure el delito, se deberá incurrir en falsedad o de alguna manera hacer caer en error al otro, conducta que también tendrá como finalidad última la obtención de algún beneficio patrimonial de la víctima.

Por otra parte, el artículo 8 del Convenio de Europa sobre la Ciberdelincuencia de 2001 conceptúa la “estafa informática” como “la producción de un perjuicio patrimonial” contra otro, de manera intencional y sin autorización. Pero el artículo no incluye el engaño en contra de una persona, sino en contra los datos o la interferencia en el funcionamiento de un sistema computacional:

“Artículo 8 – Estafa informática

Cada Parte adoptará las medidas legislativas y de otro tipo que resulten necesarias para tipificar como delito en su derecho interno los actos deliberados e ilegítimos que causen un perjuicio patrimonial a otra persona mediante:

a.- cualquier introducción, alteración, borrado o supresión de datos informáticos;

b.- cualquier interferencia en el funcionamiento de un sistema informático,

con la intención fraudulenta o delictiva de obtener ilegítimamente un beneficio económico para uno mismo o para otra persona.”

Ahora bien, para comprender mejor los alcances de un tipo penal en la técnica jurídica, necesariamente requerimos de apelar al concepto de “sistema”. Veamos en qué consiste este singular principio, en un sentido abstracto, pero aplicado en especial a los sistemas automatizados.

Un sistema es un conjunto de elementos diseñados para funcionar juntos en estrecha relación. Dada esa naturaleza grupal, sus distintos elementos llegan a constituir partes indisolubles e insustituibles dentro de él. Desde el punto de vista funcional, el sistema es más que la suma de sus partes individuales. Es allí donde se aplica la noción “sinergética” del concepto, mediante la cual el sentido de cada componente no se explica por sí mismo, sino sólo en relación con todos los demás. Estructuralmente, desde una perspectiva muy elemental, todo sistema está constituido básicamente por tres partes, denominadas “entradas”, “procesos” y “salidas”. La “entrada” es todo dato o materia con que se alimenta el sistema. Por ejemplo, en la construcción de una base de datos, éstos serían la materia prima con que trabajará el sistema. El “proceso” consistirá en todo el cúmulo de procedimientos y maniobras mecánicas internas que realiza el sistema para procesar las entradas recibidas. Por último, la “salida” del sistema será el resultado final que se espera obtener, de acuerdo con los elementos primarios y los procesos posteriores internos. La actuación del sistema siempre estará limitada a un cierto “ambiente”, que es donde interactúa y en el que se retroalimenta.

El tipo penal básico de estafa informática procura abarcar esas tres variables, pues en cualquiera de ellas podría intervenir el sujeto activo. Por ejemplo, si una persona modifica datos de entrada, los omite o alimenta la base con información del tipo que sea, no necesariamente la correcta o completa, estaríamos ante los supuestos del tipo penal, cuyas acciones de utilización de datos falsos o incompletos, o su supresión previenen esta posibilidad. Conviene aclarar que la incorrecta utilización de los datos de entrada del sistema pueden ser ejecutados por cualquier individuo, sin necesidad de conocimientos técnicos particulares, con excepción de algunas instrucciones básicas para dotar de datos al sistema.

Por otra parte, es factible interferir también en el procesamiento de datos del sistema, es decir, en cualquiera de las partes mecánicas que componen la “caja negra” de ella. Esto es posible si se altera el “código” o instrucción lógico-funcional del programa o aplicación informática que utiliza el sistema en el proceso de ordenamiento de los datos, para obtener un resultado diferente o adicional del originalmente planificado. Esto se logra con la introducción de algoritmos matemáticos que pueden alterar los programas “fuentes” donde originalmente se ha escrito el código del programa, o bien, con la modificación directa de esos programas. Evidentemente, para cometer tal hecho se requiere de un conocimiento especial en el manejo de lenguajes de programación y tener acceso directo a los programas fuentes de las aplicaciones.

Deberá tratarse de acciones que influyan en el procesamiento de los datos, o bien, si se utilizare programación falsa, o en general cualquier acción que influyere sobre el proceso de los datos es suficiente como para modificar (lesionar, en términos jurídicos) los procesos que efectuarán las “cajas negras” de los sistemas de información. Las consecuencias de tal hecho serían necesariamente un resultado (salida de sistema) diferente, incompleta, incorrecta o adicional de información (según el concepto visto en este comentario), de la que se programó inicialmente.

Finalmente, es posible también para cualquier persona manipular un resultado originalmente correcto dado por un sistema. Es notorio que el contenido que abarca el fraude cibernético no deja de lado la posibilidad de que se influya en el resultado de los datos, tan importante como el procesamiento. Ya hemos visto que la información que se introduce a la base de datos es automáticamente ordenada y tiene una salida, denominada información. Es decir, el resultado del procesamiento de los datos es precisamente la información. Si ésta es errónea o incompleta, el sistema está arrojando una salida no conforme con la realidad. Por ello, no puede dejar de mencionarse que, si la conducta dañosa influye directamente sobre el resultado de los datos, debe quedar igualmente calificada como fraude informático.

Obsérvese que no es necesario provocar un resultado falso (que se logra en el manejo ilícito del proceso) sino que la acción puede producirse sobre resultados verdaderos que se manipulan para aparecer distintos de los originales. La estafa, pues, cobija también la posibilidad de modificación del resultado de los datos o su utilización indebida para referirse a estos supuestos en que la acción recae sobre los productos arrojados por el sistema. Al igual que el punto primero, referidos a las datos de entrada, en este caso no se necesita que el sujeto activo posea especiales conocimientos informáticos, sino tan sólo alguna experiencia en, por ejemplo, procesadores de palabras, programas de hojas electrónicas y búsqueda en bases de datos.

Es importante anotar que el afán de lucro es una constante fundamental que determina la naturaleza de la conducta. Si dicho deseo de obtener ganancias pecuniarias ilícitas no existiese, nos encontraríamos ante otro tipo de figura, quizás el sabotaje informático o acceso ilícito. En cualquiera de estos casos, se requerirá siempre la existencia de un afán lucrativo o alguna clase de beneficio personal en el resultado de la conducta del sujeto activo, como requisito sine qua non para abarcar la equivalencia con la “estafa informática” e incluso superar el concepto.

Esto nos lleva a considerar los objetos sobre los que puede recaer la acción de la falsificación informática. Se trata generalmente de información relativa a valores que bien podrán ser intangibles tales como datos sobre montos monetarios. En otros casos, los datos harán referencia a objetos corporales (dinero en efectivo y otros valores tangibles) que obtendría el sujeto activo mediante la manipulación del sistema. De otro modo, es decir, si no se busca el aumento patrimonial ilegítimo, podríamos encontrarnos ante otra figura penal, como podría ser el acceso no autorizado a sistemas o el sabotaje informático.

Todo ello sirve también como forma de explicar técnicamente por qué no es posible “engañar” o “estafar” un sistema informático. No es casualidad que el bien jurídico tutelado que debemos tener en cuenta sea precisamente el funcionamiento del sistema informático en los términos que expresa la Convención de Europa sobre Ciberdelincuencia, además de otros como la información obtenida con el procesamiento de sistemas automatizados o su transferencia por redes enlazadas remotamente.

En el caso de la estafa informática, las nociones tradicionales no tendrían forma de aplicarse, pues la característica de “engaño” no se adapta a los sistemas automatizados. Estos funcionan de acuerdo con las órdenes emanadas de una programación previa y no por estímulos humanos externos. Para que exista engaño, debe darse un proceso de toma de decisiones basado en supuestos falsos que lleven a una conclusión o resultado diferente del que esperaba el individuo embaucado. Es decir, trátase de acciones de desarrollo intelectual y funciones psicológicas que son eminentemente humanas. Las máquinas no tienen capacidad de tomar decisiones “erróneas”, sino que sólo ejecutan mecánicamente las órdenes para las cuales se les haya diseñado. De esta manera, el sistema automatizado no es la víctima del delito sino el medio por el cual se ejecuta la infracción.

Esta explicación, que podría parecer elemental, tiene un fuerte arraigo doctrinal e incluso jurisprudencial. Así, en España, la a menudo citada Sentencia del Tribunal Supremo de 19 de abril de 1991 indicó que:

“mal puede concluirse la perpetración de un delito de estafa por parte de procesado, al impedirlo la concepción legal y jurisprudencial del engaño, ardid que se produce e incide por y sobre personas… La inducción a un acto de disposición patrimonial sólo es realizable frente a una persona y no frente a una máquina… Con razón se ha destacado que a las máquinas no se las puede engañar, a los ordenadores tampoco, por lo que los casos en los que el perjuicio se produce directamente por medio del sistema informático, con el que se realizan las operaciones de desplazamiento patrimonial, no se produce ni el engaño ni el error necesarios para el delito de estafa.” (Sentencia del Tribunal Supremo Español de 19 de abril de 1991)

Sin embargo, no creemos hallarnos verdaderamente ante una situación de estafa en la concepción tradicional, precisamente porque no se exige la posibilidad de engaño hacia una persona (o, aunque sea imposible, hacia un sistema informático), sino más bien la utilización de sistemas automatizados como medios para la comisión del hecho. Obsérvese que sí se mantiene el criterio fundamental de obtención de “beneficio económico” (o, correlativamente, “perjuicio patrimonial” para la víctima) como resultado de la acción dolosa.

Pero, en este caso, el engaño o maniobra para lograr el embuste se ve sustituido por la manipulación en datos informáticos, esto es, “introducción, alteración, borrado o supresión” de ellos, o el “atentado” contra el funcionamiento del sistema informático. En tal caso, parece que no se podría hablar propiamente de “estafa” desde el punto de vista tradicional y sí de “falsificación informática o incluso “fraude informático”, pues las manipulaciones pueden recaer en las partes de que está compuesto un sistema informático, esto es, en la entrada, procesamiento o salidas de los datos. Por eso pensamos que los artículos 7 y 8 del Convenio sobre Ciberdelincuencia bien pueden llamarse o traducirse genéricamente como “estafa informática” o “fraude informático” ya que contiene las mismas ideas y verbos necesarios para ello y estar incluidos en un solo numeral, con cambios mínimos.

En esta misma línea de exposición, deseamos hacer hincapié en el bien jurídico que menciona el artículo 8. Se trata del funcionamiento del sistema informático como elemento novedoso, lo que justificaría de por sí la existencia de un nuevo tipo en un Código Penal moderno, quizás no como fraude informático pero sí susceptible de protegerse dentro de la ciber-defraudación. Una vez más, es un tipo penal nomen iuris propio.

Es por ello que se requiere la creación de un tipo penal específico para castigar la “estafa informática”, pues no basta con la aplicación del concepto de estafa en el sentido tradicional. Como primera conclusión vemos que el tipo tradicional de estafa resulta insuficiente para lograr ese nivel de amparo. Y no se trata sólo de un problema semántico sino que parece referirse a otro tipo de conducta que hace de aquél una infracción penal de difícil o imposible aplicación en estas circunstancias novedosas.

Un buen ejemplo de esta aparente confusión de conceptos puede verse en la legislación de Chile pues, según manifiesta Magliona, el tipo penal de estafa común en la legislación de este país no tiene el alcance necesario para proteger los sistemas de información de ataques que pongan en riesgo su integridad:

“Mucho se ha discutido si las conductas sancionadas mediante el fraude informático pueden ser sancionadas al amparo del delito de estafa (…) tipificado en el Art. 468 de nuestro Código Penal. En este sentido, creemos que el delito de estafa de nuestro Código Penal presenta dificultades para comprender a aquellas conductas defraudatorias realizadas por medios informáticos, en sistemas de tratamiento automatizado de la información en que no intervienen personas en su control, e incluso en aquellos en que existe la presencia de personas, pero cuyas intervenciones están limitadas a accesos meramente mecánicos.” MAGLIONA MARKOVITCH, Claudio. “Delincuencia Informática en Chile…”, op. cit.

Otro ejemplo de legislación que podría tenerse como confusa en sus denominaciones, traemos a colación el caso de España, que en el artículo 248 párrafo 2 del Código Penal de 2010 vislumbra la posibilidad de incurrir en estafa mediante la “manipulación informática” (lo que conllevaría en realidad, según hemos visto, a un fraude informático). El uso de tales voces no ayuda a encontrar una solución de consenso en este tema pues parece confundir uno y otro delito. No es de extrañar que se utilicen uno y otro tipo penal casi como sinónimos. Su contenido, modificado en el año 2010, es amplio por los términos empleados:

“Artículo 248.2.- (…)

También se consideran reos de estafa:

a) Los que, con ánimo de lucro, y valiéndose de alguna manipulación informática o artificio semejante, consigan una transferencia no consentida de cualquier activo patrimonial en perjuicio de otro.

b) (…)”

Así las cosas, más que pensar en abarcar tales conductas en el tipo de estafa tradicional, debería crearse legislativamente las conductas que componen la “estafa informática” como categorías o acciones típicas nuevas, situación que no se contempla en códigos penales importantes como el de España o Chile. La idea no es nueva puesto que ya otras legislaciones contemplan esa posibilidad, lo que quizás contribuya a esclarecer de qué manera deberán ampararse los bienes jurídicos involucrados, tales como la información en sentido amplio o el funcionamiento de un sistema informático, que son los bienes jurídicos que se buscan proteger.




Comment by Jose Francisco Salas-Ruiz on March 20, 2013 at 9:32pm

This is the Spanish version of my first blog. I think it could be useful for others Spanish speakers.


How digital forensics can help your investigations

As a small introduction to the new "Digital Forensics" group in the Octopus Cybercrime Community I want to give a brief overview about this interesting field. In the course of this article I will try to answer some common questions, explain why digital forensics is important for Cybercrime cases and how it can support your investigations.

While this article is quite basic I will also publish articles on some more advanced topics in the following weeks.

What is digital forensics?

Digital Forensics is a branch of forensic science related to the acquisition, processing, analysis and reporting of evidence that is stored on computer systems, digital devices and other storage media with the aim of admissibility in court.

How does a typical digital forensics examination work?

Figure 1: Workflow in digital forensics examinations

After the case investigator has identified and seized sources of electronic evidence the exhibits gets handed over to the forensic examiner. The typical workflow in a digital forensics examination (see fig. 1) starts with the acquisition of the electronic evidence. Creating a copy of the original evidence in a forensically sound manner is crucial for the admissibility of the evidence in court. During that process the examiner has to ensure and verify that no changes are made to the original evidence and that the copy does exactly match the original.

The next step in the digital forensics workflow is the processing. This basically involves filtering all data down to just a subset of data that needs to be analysed in the analysis step, ensuring that the most promising case relevant data gets prioritised. The processing also includes basic data recovery tasks to ensure that really all data gets filtered.

The most time consuming step in the workflow is the analysis. In this step the experienced analyst has to examine all allocated and deleted data as well as partial fragments to find evidence that is relevant for the case.

In the last step, the presentation, the forensic examiner creates a report for the court. It is essential to formulate the text as little technical as possible because Judges and prosecutors most of the times do not have an informatics background. The presentation step finally ends with presenting the evidence in court.


Which areas belong to digital forensics?

Digital forensics include a whole bunch of sub branches. Figure 2 provides an overview of the areas that belong to the broad field of digital forensics.

Figure 2: Digital Forensics and its' sub branches.

Why are digital forensics examination important for everyone working with in the field of Cybercrime?

Cybercrime - as well as a lot of other crimes nowadays - involves computer systems that either were used to commit the crime or at least used to store case related information or communication. Thous in nearly every Cybercrime case computer systems, mobile phones or other electronic devices can contain important information that can prove someones guilt or at least give valuable indications. If you think of security incidents not only the computer system of the suspect but also the compromised server need to be analysed by forensic specialists.

How digital forensics can help your investigations

Digital forensics can show you which websites were visited with a certain user account on a computer system, which searches were conducted, which files were download, which software was started and even which USB devices were connected to a system. It can also extract information on which files were deleted by the user, which files were opened recently, which phone calls were made with a mobile phone, which messages were sent and received, which cell towers and wireless access points the device was connected to, where photos were taken and so on and so forth. The possibilities of digital forensics supporting your investigations are nearly endless.

What are the current challenges of digital forensics?

In my next articles I will cover some of the current challenges of digital forensics.




Computer-related forgery and computer-related fraud: the need to build and include these new criminal types in a modern penal code

The Convention on Cybercrime of 2001 includes in its substantive part the crimes of computer-related forgery and computer- related fraud as a category of behaviors which must be defined in the respective criminal legislations by the subscriber countries of the Agreement. This way, the Convention becomes an international legal framework that gives a good margin of action to the national legislator to create the corresponding criminal types. It also serves as a model for other countries that still do not include all types on computer crime in their respective legal systems.

In the case of crimes we are interested to mention, it is important to find out if the computer forgery and computer fraud types belong to a special category of transgressions or if they are only one category of crimes included in the traditional nomenclature. This will be the limit of our observations.

The first thing that has to be consider is that there is a presumed confusion in the criminal computer terminology, as the behaviors and actions that in some legal systems are called "computer forgery" others assimilate it to "computer fraud", and others conceive this type of offence as a specie within the generality of computer forgery.

Supporting this hierarchical relationship between both figures, we find the explanation of Claudio Magliona, from Chile, in reference to the rules in the penal systems of other countries. Magliona argues that the type of computer fraud includes the fraud, because it is built with its basic elements:

"This criminal offense [of computer forgery] came to absorb all those forgery behaviors that have built-in the computer as a tool for the offense, but they could not be subsumed in the classic type of fraud in the comparative law. From the beginning, this link with the fraud determined furthermore that the concept, structure and content of computer forgery were built based on the classic elements of the fraud." (MAGLIONA MARKOVITCH, Claudio. “Delincuencia Informática en Chile, Proyecto de Ley”. En Revista de Derecho Informático Alfa Redi No.50 (septiembre del 2002) (Free translation)

Regardless such opinion, we will try to give a brief analysis to each of these offences separately.

A.- The computer-related forgery as a new criminal type.

The forgery by computer perhaps is the most common type of crime within the cyber offenses. Indeed, it is the best known and probably the oldest: there are news of forgery committed with computers since the appearance of the third generation of computers, when they made their appearance in the life of financial and banking companies.

There are different ways to commit computer forgery, although always converge in the illegitimate information systems management, either by creating phantom users to receive economic benefits, the creation of additional unauthorized bank accounts, the introduction of mathematical algorithms that alter the normal functioning of the system for illegal profit, direct intervention in automatic processes of the computer, or rounding out banking or financial accounts, usually with the purpose to obtain a pecuniary advantage.

The means to commit the crimes derived, from the intrinsic nature of computer systems. All of them are designed to receive data, store it, sort it, modify it, delete it and subsequently give it as particular information to the consultant.

The Convention on Cybercrime of 2001 includes the frame of reference that the criminal legislator must take into account at the time of creating a penal type of this nature:

Article 7 – Computer-related forgery

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.

Usually, offenses that deal with this issue are fairly extensive in the behaviors that it describes. It is intended to include all modalities referred to computer forgery as far as possible. The verbs indicated must be analyzed individually to understand fully the level of protection that the legislators are looking for.

In support of this thesis, Gutiérrez Francés always maintains a “multi-offense" view in the case of computer forgery. This author includes other legal assets of economic order, such as the economic interest, the Public Treasury and the patrimony, but she also places emphasis on the functioning of computer systems:

"Computer forgery behaviors present a multi-offense character. In each of its forms a double condition occurs: from an economic interest (either micro or macro-social), as the public finances, the credit system, the property, and a macro-social interest, linked to the performance of the computer systems." (GUTIÉRREZ FRANCÉS, María Luz, “Fraude informático y estafa”, p. 269. Editorial Centro de Publicaciones Secretaría Técnica del Ministerio de Justicia, Madrid, España, 1991. p. 269. Free translation)

After this brief explanation about the possible way to damage an information system, we just need to define if such behaviors should deserve a special criminal type or if they may be included in the traditional type of forgery.

The answer is definitely affirmative. Once again, it's a crime nomen iuris propio, (it means a particular behavior not included in the traditional penal figures). Undoubtedly, it requires a treatment of special protection by the penal law. We do not find it in other conducts which could be qualified as possible (and verifiable) violations.

Such conclusion does not mean that the laws of some countries like Chile or Spain will consider this idea as valid. In Spain the "computer forgery" is conceived as a sort of scam through technological manipulations. The legal values which should protect do not seem to be taken into account. It seems to protect exclusively the patrimony. In this regard, Choclán Montalvo says:

"The Spanish legislator has omitted to consider the phenomenon of the technological crime with some autonomy and did not have in mind the information in the network, the consistency in the functioning of the computer system or other similar collective assets as worthy of legal guardianship. This reductionist perspective, imposed by the principle of an exhaustive list of factors to include in the penal law, leaves aside from article 248.2 [of the Spain’s Penal Code] good part of technological crimes that occur today." (CHOCLÁN MONTALVO, José Antonio. “Infracciones patrimoniales en los procesos de transferencia de datos”. In the work “Delincuencia Informática. Problemas de responsabilidad”. Cuadernos de Derecho Judicial, IX, 2002. (Director: Óscar Morales García). Consejo General del Poder Judicial, Madrid, 2002, p.248. Free translation)

In the same sense, Magliona gives a series of arguments to justify his position, and express the need that the computer forgery must be considered as a new criminal type in the legislation of Chile:

"For all of the above, we believe that there is a need to incorporate into our legislation the forgery by computer as a malicious figure, in which the intention of profit must be required as a subjective element, along with an objective element as the illicit profit made by computer manipulation in the transfer of any patrimonial asset against a third party ". (MAGLIONA MARKOVITCH, Claudio. “Delincuencia Informática en Chile…”, op. cit..)

In conclusion, this criminal violation should be classified as a "computer crime" by itself and not as a traditional penal type. It reinforces our thesis that it is an autonomous figure and should be created outside of the traditional penal norms, situation that is not found in all the criminal codes.

B.- Computer-related fraud as a new criminal type.

The fraud in the traditional penal type always emphasis on verbs like "gambit", "deceit", “contrivance” or similar words. They apply against a victim in order to evade him his patrimony, in whole or in part. For example, the active subject (the criminal) shall commit fraud or somehow make the other part fall into error, conduct which also has as ultimate goal the obtaining of any patrimonial benefits from the victim.

On the other hand, the article 8 of the European Convention on Cybercrime defines the computing fraud as the production of a patrimonial prejudice against another, intentionally and without authorization. But the article does not include deceit against the victim, but any illicit change against the interference in the functioning of a computer system or the data:

Article 8 – Computer-related fraud

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the causing of a loss of property to another person by:

a.- any input, alteration, deletion or suppression of computer data;

b.- any interference with the functioning of a computer system,

with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.

Now, to understand better the scope of a criminal type in legal technique, we necessarily require appealing to the concept of "system". Let's see what this singular principle is in an abstract sense, but applied particularly to automated systems.

A system is a set of components designed to work together closely. Given that nature group, its various elements come to constitute inseparable and irreplaceable parts within it. From the functional standpoint, the system is more than the sum of its individual parts. Here applies the notion "synergistic" of the concept, in which the meaning of each component is not self-explanatory, but only in relation to everyone else. Structurally, from a very basic perspective, any system basically consists of three parts, called "inputs", "processes" and "outputs". The "input" is any data or material that feeds the system. For example, in constructing a database, the data would be the raw material that will work with the system. The "process" will consist of all the accumulated internal procedures and mechanical operations performed by the system to process entries received. The process is called usually “black box” to represent some procedures but without explain them. Finally, the "output" of the system will be the end result to be obtained, according to the primary elements and internal downstream processes. The performance of the system will always be limited to a certain "atmosphere" or “ambient”, which is where it interacts and which feeds back.

The basic criminal type of computer fraud seeks to embrace these three variables. The active subject, the criminal, could intervene in any of them. For example, if someone modifies input data, he ignores them or feeds the system with the type of data that is not necessarily the correct or complete; it would result in the assumptions of the criminal type elements: the use of false or incomplete data is included in the norm. It is important to clarify that the incorrect use of the data entry system can be executed by any person, without the need for particular expertise, with the exception of some basic instruction to provide data to the system.

On the other hand, it is feasible to also interfere with the data processing of the system, i.e., in any of the mechanical parts (or automated functions) that compose the 'black box'. This is possible if someone alters the "code" or logic instruction of the program or computer application which uses the system in the process of sorting of data, for different or additional results from the originally planned. This is achieved with the introduction of mathematical algorithms which can alter the programs 'sources' where originally entered the program code or direct modification of those programs. Obviously, to commit such fact requires special knowledge in the use of programming languages and have direct access to the sources of application programs.

There must be actions that influence the data processing, or by using false programming, or in general any action that influences on the processing of the data is sufficient to modify (injured, in legal terms) processes that compose the "black boxes" of the information systems. The consequences of such fact would necessarily be a result (output system) different, incomplete, incorrect, or additional information (according to the concept seen in this comment) of which was initially scheduled.

Finally, it is possible for anyone to manipulate an originally correct result given by a system. It is notorious that the cyber forgery concept does not leave out the possibility that it influences the result of data, and that is just as important as the process element. We have already seen that the data that someone enters to the database is automatically sorted and has the output, called properly information. The result of the data processing is precisely the information. If this is incorrect or incomplete, the system is yielding a non-conforming output with reality. Therefore, it is important to mention that if the harmful conduct has a direct influence on the data outcome it should be equally qualified as computer forgery.

Observe that it is not necessary to cause a false result (which is accomplished in the illicit handling of the process) but the action can produce real results that are manipulated to appear original. Fraud, as seen here, also covers the possibility of modification of the data results, or its improper use to refer to these cases when the actions fall upon products dumped by the system. As in the first point, referred to the input data, in the output case there is no need that the active subject has special computer knowledge, but just some experience in, for example, processors of words, programs of electronic sheets and search databases.

It is important to point out that the pursuit of profit is a fundamental constant that determines the nature of the conduct. If the desire for illicit cash profits did not exist, we would find ourselves to another type of crime, perhaps computer sabotage or illicit access. Either of these cases will always require the existence of a lucrative intention or some sort of personal benefit in the conduct of the active subject, as a sine qua non requirement to cover the equivalence with the "computer fraud" and even overcome the concept.

This leads us to consider the objects that could cover the computer fraud actions. It is usually information concerning values that may well be intangibles such as monetary amounts details. In other cases, data will refer to physical objects (cash and other tangible values) that the active subject could obtain by manipulating the system. Otherwise, i.e., if there is no illegitimate wealth increase, we could find us before another criminal figure, such as unauthorized access to systems or computer sabotage.

All this works also as a way to explain technically why it is not possible to "trick" or "cheat" a computer system. Is not a coincidence that the protected legal asset that we must bear in mind is the operation of the computer system in the terms which expresses the European Convention on Cybercrime, as well as others such as the information obtained with the automated systems processing or its transfer by networks linked remotely.

In the case of the computer fraud, the traditional notions wouldn't apply, because the feature of "deception" or “deceit” is not suitable for automated systems. These operate in accordance with issued orders for programming and not by external human stimuli. There will be deception if there is a decision-making process made by a human being and if that decision is based on false assumptions that would lead victim to a wrong view. Of course, the final result is different of what he were expected. It is a scenario that deals with intellectual development and psychological functions that are eminently human. The hardware and software do not have capacity to make decisions “right” or "wrong" because they only executed mechanically orders for which they have been designed. In this way, the automated system is not the victim of the offense but the means used by the active subject to execute the criminal offense.

This explanation, which might seem elementary, has a strong jurisprudential and doctrinal rooting. Thus, in Spain, the often-cited judgment of the Supreme Court of 19 April 1991 stated that:

"It is wrong to conclude that there was a perpetration of a crime of fraud by the accused, because it is not permitted by the legal and jurisprudential concept of deception, which occurs and affects by and against people... The commission of an act of patrimonial transfer is only achievable against a person and not against a machine... Has been rightly highlighted that machines or computers cannot be deceived, so the cases in which the damage occurs directly through the computer system by operations that transfer patrimonial assets, there is no deception or error to configure the crime of fraud." (Judgment of the Spanish Supreme Court of 19 April 1991)

However, we do not believe that we are really in front of a situation of fraud in the traditional sense, precisely because the possibility of deception to a person is not required (or even impossible to a computer system), but rather the use of automated systems for the commission of the offense. Note that the key criterion of obtaining "economic benefit" (or, conversely, "patrimonial damage" for the victim) as a result of the fraudulent action remains.

But in this case the deceit or maneuvers to get the hoax is replaced for an action as manipulation on computer data, it means, "introduction, alteration, deletion or suppression" of them, or the "attack" over the functioning of the computer system. In this case, it seems wrong to speak properly about "fraud” or a similar concept since a traditional view. It is better to describe it as "computer forgery” or even “computer fraud” because the manipulations may attack also the elements that compose the computer system: the input, the processes or the output data. That is why we think that articles 7 and 8 of the Convention on Cybercrime could be called or translated generically as "computer forgery" or “computer fraud” since it contains similar ideas and the necessary verbs to be included in only one article with minimal changes.

In the same line of thought, we wish to emphasize in the protected legal asset which the article 8 mentions. It is the operation of the computer system as a new element which would justify by itself the existence of a new type in a modern Penal Code as a criminal offense, not as a computer forgery but within the cyber-fraud. Once more it is a nomen iuris propio penal type.

Therefore, the creation of a specific criminal type to punish the "computer fraud" is a basic requirement since the application of the concept of fraud in the traditional sense is not enough. As first conclusion it is possible to see that the traditional type of fraud is insufficient to achieve that level of protection. And it's not just a semantic problem. The traditional fraud concept seems to refer to another type of behavior that makes difficult or impossible its application to the criminal offence in these new circumstances and ways.

A good example of this apparent confusion of concepts is shown in the legislation of Chile, according with Magliona, where the criminal type of common fraud in the country’s legislation does not have the reach necessary to protect information systems from attacks that endanger its integrity:

Much has been discussed about if the conduct sanctioned by the computer fraud can be punished under the crime of fraud (...) typified in article 468 of our criminal code. In this regard, we believe that the crime of fraud in our criminal code presents difficulties to include those fraudulent behaviors carried out by electronic means, in systems of processing of information not involving people in their control, and even in those with the presence of people, but whose interventions are limited to purely mechanical access." (MAGLIONA MARKOVITCH, Claudio. “Delincuencia Informática en Chile…”, op. cit.)

Another example of legislation which could be considered as confusing in their denominations, is the Criminal Code of Spain (modified in 2010), which in its article 248, paragraph 2, sees the possibility of incurring in fraud by "computer manipulation" (that would be a computer fraud, as we have seen before). The use of such voices does not help to find a solution of consensus on this issue because it seems to confuse one and other crime. It is not surprising that one and other criminal behavior are used almost as synonyms. Its content, modified in the year 2010, is large by the terms used:

"Article 248.2.- (...) will be also considered as fraud offenders:

a.- [those who] without profit and using any computer manipulation or similar artifice, achieve an unconsented transfer of any patrimonial assets in detriment of another.

b.- (…)”

In conclusion, rather than thinking about include such behaviors in the traditional fraud concept, those criminal actions should be created by the legislator into the "computer fraud" as categories or new typical behaviors, situations not contemplated in important penal codes such as Spain or Chile. The idea is not new since already other countries provide this possibility in their criminal codes, which may help to clarify what legal assets are involved, such as the information in a broad sense or the functioning of a computer system, which are the protected values the law should seek to protect.

- * -



Comment by Jose Francisco Salas-Ruiz on March 20, 2013 at 11:48pm

Hay una versión en español de este comentario que he puesto a disposición de los compañeros de habla hispana. Espero les sea de utilidad por cualquier duda que exista en la versión inglesa.


How reliable and accurate is the WHOIS Database ? What is being done ?

How reliable and accurate is the WHOIS Database ?

Law Enforcement very often starts cyber investigation by looking for information on WHOIS DATABASE. It is noticed that in many cases where enquiry are required, registrants’ information are not accurate or not sufficient to help investigations. Many domain registrars grant domain names without validation of applicant’s data furnished at time of registration; things happen at mouse clicks and payments effected for the domain name requested electronically. Each domain registrar keeps their own WHOIS database which doesn't include domains registered by competing registrars. Putting all this together makes it a big question; How reliable and accurate is the Whois Database ?

Representatives of Law Enforcement Authorities ( LEA) started discussions with ICANN (Internet Corporation for Assigned Names and Numbers) on the subject matter. Consultations and discussions were held at the International ICANN 44 meeting in Prague, Czech Republic in June 2012 on how ICANN may revisit the policies in place for Domain Name Registrars worldwide. The discussions were taken again with ICANN Security and Stability Advisory Committee (SSAC) at the International ICANN 45 meeting in Toronto in October 2012. The SSAC very conscious of the issue is working on the subject matter. Representations are also being carried out at other forums within ICANN on the WHOIS DATA VALIDATION issue. Though very complex, LEA is looking forward for a very pragmatic approach for the validation of registrants at all Domain Name Registrars. Cyber crime detection and cyber security is what matters for us all !!!

Crims buy access to Brazilian national security database

Criminals have bought from a hacker access to Brazil's biggest public security state database containing information on millions of citizens including surveillance data, arrest warrants, and firearms and vehicle registrations .

TV channel SBT discovered the credentials for sale that access the INFOSEG shared services network -- the largest database of public security information in the country containing data used by police to fight crime.,crims-buy-access-to-brazil...
Tools on Cybercrime & Electronic Evidence Empowering You!
Useful links Useful links

This tool is co-funded  by the GLACY  and Cybercrime@Octopus projects