Would you like to share an article on cybercrime? Please contribute!

These articles do not necessarily reflect official positions of the Council of Europe

Blogs Blogs

Computer-related forgery and computer-related fraud: the need to build and include these new criminal types in a modern penal code

The Convention on Cybercrime of 2001 includes in its substantive part the crimes of computer-related forgery and computer- related fraud as a category of behaviors which must be defined in the respective criminal legislations by the subscriber countries of the Agreement. This way, the Convention becomes an international legal framework that gives a good margin of action to the national legislator to create the corresponding criminal types. It also serves as a model for other countries that still do not include all types on computer crime in their respective legal systems.

In the case of crimes we are interested to mention, it is important to find out if the computer forgery and computer fraud types belong to a special category of transgressions or if they are only one category of crimes included in the traditional nomenclature. This will be the limit of our observations.

The first thing that has to be consider is that there is a presumed confusion in the criminal computer terminology, as the behaviors and actions that in some legal systems are called "computer forgery" others assimilate it to "computer fraud", and others conceive this type of offence as a specie within the generality of computer forgery.

Supporting this hierarchical relationship between both figures, we find the explanation of Claudio Magliona, from Chile, in reference to the rules in the penal systems of other countries. Magliona argues that the type of computer fraud includes the fraud, because it is built with its basic elements:

"This criminal offense [of computer forgery] came to absorb all those forgery behaviors that have built-in the computer as a tool for the offense, but they could not be subsumed in the classic type of fraud in the comparative law. From the beginning, this link with the fraud determined furthermore that the concept, structure and content of computer forgery were built based on the classic elements of the fraud." (MAGLIONA MARKOVITCH, Claudio. “Delincuencia Informática en Chile, Proyecto de Ley”. En Revista de Derecho Informático Alfa Redi No.50 (septiembre del 2002) (Free translation)

Regardless such opinion, we will try to give a brief analysis to each of these offences separately.

A.- The computer-related forgery as a new criminal type.

The forgery by computer perhaps is the most common type of crime within the cyber offenses. Indeed, it is the best known and probably the oldest: there are news of forgery committed with computers since the appearance of the third generation of computers, when they made their appearance in the life of financial and banking companies.

There are different ways to commit computer forgery, although always converge in the illegitimate information systems management, either by creating phantom users to receive economic benefits, the creation of additional unauthorized bank accounts, the introduction of mathematical algorithms that alter the normal functioning of the system for illegal profit, direct intervention in automatic processes of the computer, or rounding out banking or financial accounts, usually with the purpose to obtain a pecuniary advantage.

The means to commit the crimes derived, from the intrinsic nature of computer systems. All of them are designed to receive data, store it, sort it, modify it, delete it and subsequently give it as particular information to the consultant.

The Convention on Cybercrime of 2001 includes the frame of reference that the criminal legislator must take into account at the time of creating a penal type of this nature:

Article 7 – Computer-related forgery

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.

Usually, offenses that deal with this issue are fairly extensive in the behaviors that it describes. It is intended to include all modalities referred to computer forgery as far as possible. The verbs indicated must be analyzed individually to understand fully the level of protection that the legislators are looking for.

In support of this thesis, Gutiérrez Francés always maintains a “multi-offense" view in the case of computer forgery. This author includes other legal assets of economic order, such as the economic interest, the Public Treasury and the patrimony, but she also places emphasis on the functioning of computer systems:

"Computer forgery behaviors present a multi-offense character. In each of its forms a double condition occurs: from an economic interest (either micro or macro-social), as the public finances, the credit system, the property, and a macro-social interest, linked to the performance of the computer systems." (GUTIÉRREZ FRANCÉS, María Luz, “Fraude informático y estafa”, p. 269. Editorial Centro de Publicaciones Secretaría Técnica del Ministerio de Justicia, Madrid, España, 1991. p. 269. Free translation)

After this brief explanation about the possible way to damage an information system, we just need to define if such behaviors should deserve a special criminal type or if they may be included in the traditional type of forgery.

The answer is definitely affirmative. Once again, it's a crime nomen iuris propio, (it means a particular behavior not included in the traditional penal figures). Undoubtedly, it requires a treatment of special protection by the penal law. We do not find it in other conducts which could be qualified as possible (and verifiable) violations.

Such conclusion does not mean that the laws of some countries like Chile or Spain will consider this idea as valid. In Spain the "computer forgery" is conceived as a sort of scam through technological manipulations. The legal values which should protect do not seem to be taken into account. It seems to protect exclusively the patrimony. In this regard, Choclán Montalvo says:

"The Spanish legislator has omitted to consider the phenomenon of the technological crime with some autonomy and did not have in mind the information in the network, the consistency in the functioning of the computer system or other similar collective assets as worthy of legal guardianship. This reductionist perspective, imposed by the principle of an exhaustive list of factors to include in the penal law, leaves aside from article 248.2 [of the Spain’s Penal Code] good part of technological crimes that occur today." (CHOCLÁN MONTALVO, José Antonio. “Infracciones patrimoniales en los procesos de transferencia de datos”. In the work “Delincuencia Informática. Problemas de responsabilidad”. Cuadernos de Derecho Judicial, IX, 2002. (Director: Óscar Morales García). Consejo General del Poder Judicial, Madrid, 2002, p.248. Free translation)

In the same sense, Magliona gives a series of arguments to justify his position, and express the need that the computer forgery must be considered as a new criminal type in the legislation of Chile:

"For all of the above, we believe that there is a need to incorporate into our legislation the forgery by computer as a malicious figure, in which the intention of profit must be required as a subjective element, along with an objective element as the illicit profit made by computer manipulation in the transfer of any patrimonial asset against a third party ". (MAGLIONA MARKOVITCH, Claudio. “Delincuencia Informática en Chile…”, op. cit..)

In conclusion, this criminal violation should be classified as a "computer crime" by itself and not as a traditional penal type. It reinforces our thesis that it is an autonomous figure and should be created outside of the traditional penal norms, situation that is not found in all the criminal codes.

B.- Computer-related fraud as a new criminal type.

The fraud in the traditional penal type always emphasis on verbs like "gambit", "deceit", “contrivance” or similar words. They apply against a victim in order to evade him his patrimony, in whole or in part. For example, the active subject (the criminal) shall commit fraud or somehow make the other part fall into error, conduct which also has as ultimate goal the obtaining of any patrimonial benefits from the victim.

On the other hand, the article 8 of the European Convention on Cybercrime defines the computing fraud as the production of a patrimonial prejudice against another, intentionally and without authorization. But the article does not include deceit against the victim, but any illicit change against the interference in the functioning of a computer system or the data:

Article 8 – Computer-related fraud

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the causing of a loss of property to another person by:

a.- any input, alteration, deletion or suppression of computer data;

b.- any interference with the functioning of a computer system,

with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.

Now, to understand better the scope of a criminal type in legal technique, we necessarily require appealing to the concept of "system". Let's see what this singular principle is in an abstract sense, but applied particularly to automated systems.

A system is a set of components designed to work together closely. Given that nature group, its various elements come to constitute inseparable and irreplaceable parts within it. From the functional standpoint, the system is more than the sum of its individual parts. Here applies the notion "synergistic" of the concept, in which the meaning of each component is not self-explanatory, but only in relation to everyone else. Structurally, from a very basic perspective, any system basically consists of three parts, called "inputs", "processes" and "outputs". The "input" is any data or material that feeds the system. For example, in constructing a database, the data would be the raw material that will work with the system. The "process" will consist of all the accumulated internal procedures and mechanical operations performed by the system to process entries received. The process is called usually “black box” to represent some procedures but without explain them. Finally, the "output" of the system will be the end result to be obtained, according to the primary elements and internal downstream processes. The performance of the system will always be limited to a certain "atmosphere" or “ambient”, which is where it interacts and which feeds back.

The basic criminal type of computer fraud seeks to embrace these three variables. The active subject, the criminal, could intervene in any of them. For example, if someone modifies input data, he ignores them or feeds the system with the type of data that is not necessarily the correct or complete; it would result in the assumptions of the criminal type elements: the use of false or incomplete data is included in the norm. It is important to clarify that the incorrect use of the data entry system can be executed by any person, without the need for particular expertise, with the exception of some basic instruction to provide data to the system.

On the other hand, it is feasible to also interfere with the data processing of the system, i.e., in any of the mechanical parts (or automated functions) that compose the 'black box'. This is possible if someone alters the "code" or logic instruction of the program or computer application which uses the system in the process of sorting of data, for different or additional results from the originally planned. This is achieved with the introduction of mathematical algorithms which can alter the programs 'sources' where originally entered the program code or direct modification of those programs. Obviously, to commit such fact requires special knowledge in the use of programming languages and have direct access to the sources of application programs.

There must be actions that influence the data processing, or by using false programming, or in general any action that influences on the processing of the data is sufficient to modify (injured, in legal terms) processes that compose the "black boxes" of the information systems. The consequences of such fact would necessarily be a result (output system) different, incomplete, incorrect, or additional information (according to the concept seen in this comment) of which was initially scheduled.

Finally, it is possible for anyone to manipulate an originally correct result given by a system. It is notorious that the cyber forgery concept does not leave out the possibility that it influences the result of data, and that is just as important as the process element. We have already seen that the data that someone enters to the database is automatically sorted and has the output, called properly information. The result of the data processing is precisely the information. If this is incorrect or incomplete, the system is yielding a non-conforming output with reality. Therefore, it is important to mention that if the harmful conduct has a direct influence on the data outcome it should be equally qualified as computer forgery.

Observe that it is not necessary to cause a false result (which is accomplished in the illicit handling of the process) but the action can produce real results that are manipulated to appear original. Fraud, as seen here, also covers the possibility of modification of the data results, or its improper use to refer to these cases when the actions fall upon products dumped by the system. As in the first point, referred to the input data, in the output case there is no need that the active subject has special computer knowledge, but just some experience in, for example, processors of words, programs of electronic sheets and search databases.

It is important to point out that the pursuit of profit is a fundamental constant that determines the nature of the conduct. If the desire for illicit cash profits did not exist, we would find ourselves to another type of crime, perhaps computer sabotage or illicit access. Either of these cases will always require the existence of a lucrative intention or some sort of personal benefit in the conduct of the active subject, as a sine qua non requirement to cover the equivalence with the "computer fraud" and even overcome the concept.

This leads us to consider the objects that could cover the computer fraud actions. It is usually information concerning values that may well be intangibles such as monetary amounts details. In other cases, data will refer to physical objects (cash and other tangible values) that the active subject could obtain by manipulating the system. Otherwise, i.e., if there is no illegitimate wealth increase, we could find us before another criminal figure, such as unauthorized access to systems or computer sabotage.

All this works also as a way to explain technically why it is not possible to "trick" or "cheat" a computer system. Is not a coincidence that the protected legal asset that we must bear in mind is the operation of the computer system in the terms which expresses the European Convention on Cybercrime, as well as others such as the information obtained with the automated systems processing or its transfer by networks linked remotely.

In the case of the computer fraud, the traditional notions wouldn't apply, because the feature of "deception" or “deceit” is not suitable for automated systems. These operate in accordance with issued orders for programming and not by external human stimuli. There will be deception if there is a decision-making process made by a human being and if that decision is based on false assumptions that would lead victim to a wrong view. Of course, the final result is different of what he were expected. It is a scenario that deals with intellectual development and psychological functions that are eminently human. The hardware and software do not have capacity to make decisions “right” or "wrong" because they only executed mechanically orders for which they have been designed. In this way, the automated system is not the victim of the offense but the means used by the active subject to execute the criminal offense.

This explanation, which might seem elementary, has a strong jurisprudential and doctrinal rooting. Thus, in Spain, the often-cited judgment of the Supreme Court of 19 April 1991 stated that:

"It is wrong to conclude that there was a perpetration of a crime of fraud by the accused, because it is not permitted by the legal and jurisprudential concept of deception, which occurs and affects by and against people... The commission of an act of patrimonial transfer is only achievable against a person and not against a machine... Has been rightly highlighted that machines or computers cannot be deceived, so the cases in which the damage occurs directly through the computer system by operations that transfer patrimonial assets, there is no deception or error to configure the crime of fraud." (Judgment of the Spanish Supreme Court of 19 April 1991)

However, we do not believe that we are really in front of a situation of fraud in the traditional sense, precisely because the possibility of deception to a person is not required (or even impossible to a computer system), but rather the use of automated systems for the commission of the offense. Note that the key criterion of obtaining "economic benefit" (or, conversely, "patrimonial damage" for the victim) as a result of the fraudulent action remains.

But in this case the deceit or maneuvers to get the hoax is replaced for an action as manipulation on computer data, it means, "introduction, alteration, deletion or suppression" of them, or the "attack" over the functioning of the computer system. In this case, it seems wrong to speak properly about "fraud” or a similar concept since a traditional view. It is better to describe it as "computer forgery” or even “computer fraud” because the manipulations may attack also the elements that compose the computer system: the input, the processes or the output data. That is why we think that articles 7 and 8 of the Convention on Cybercrime could be called or translated generically as "computer forgery" or “computer fraud” since it contains similar ideas and the necessary verbs to be included in only one article with minimal changes.

In the same line of thought, we wish to emphasize in the protected legal asset which the article 8 mentions. It is the operation of the computer system as a new element which would justify by itself the existence of a new type in a modern Penal Code as a criminal offense, not as a computer forgery but within the cyber-fraud. Once more it is a nomen iuris propio penal type.

Therefore, the creation of a specific criminal type to punish the "computer fraud" is a basic requirement since the application of the concept of fraud in the traditional sense is not enough. As first conclusion it is possible to see that the traditional type of fraud is insufficient to achieve that level of protection. And it's not just a semantic problem. The traditional fraud concept seems to refer to another type of behavior that makes difficult or impossible its application to the criminal offence in these new circumstances and ways.

A good example of this apparent confusion of concepts is shown in the legislation of Chile, according with Magliona, where the criminal type of common fraud in the country’s legislation does not have the reach necessary to protect information systems from attacks that endanger its integrity:

Much has been discussed about if the conduct sanctioned by the computer fraud can be punished under the crime of fraud (...) typified in article 468 of our criminal code. In this regard, we believe that the crime of fraud in our criminal code presents difficulties to include those fraudulent behaviors carried out by electronic means, in systems of processing of information not involving people in their control, and even in those with the presence of people, but whose interventions are limited to purely mechanical access." (MAGLIONA MARKOVITCH, Claudio. “Delincuencia Informática en Chile…”, op. cit.)

Another example of legislation which could be considered as confusing in their denominations, is the Criminal Code of Spain (modified in 2010), which in its article 248, paragraph 2, sees the possibility of incurring in fraud by "computer manipulation" (that would be a computer fraud, as we have seen before). The use of such voices does not help to find a solution of consensus on this issue because it seems to confuse one and other crime. It is not surprising that one and other criminal behavior are used almost as synonyms. Its content, modified in the year 2010, is large by the terms used:

"Article 248.2.- (...) will be also considered as fraud offenders:

a.- [those who] without profit and using any computer manipulation or similar artifice, achieve an unconsented transfer of any patrimonial assets in detriment of another.

b.- (…)”

In conclusion, rather than thinking about include such behaviors in the traditional fraud concept, those criminal actions should be created by the legislator into the "computer fraud" as categories or new typical behaviors, situations not contemplated in important penal codes such as Spain or Chile. The idea is not new since already other countries provide this possibility in their criminal codes, which may help to clarify what legal assets are involved, such as the information in a broad sense or the functioning of a computer system, which are the protected values the law should seek to protect.

- * -



Comment by Jose Francisco Salas-Ruiz on March 20, 2013 at 11:48pm

Hay una versión en español de este comentario que he puesto a disposición de los compañeros de habla hispana. Espero les sea de utilidad por cualquier duda que exista en la versión inglesa.


No comments yet. Please sign in to comment.
Tools on Cybercrime & Electronic Evidence Empowering You!
Web Content Display Web Content Display

This tool is co-funded  by the GLACY  and Cybercrime@Octopus projects