Would you like to share an article on cybercrime? Please contribute!

These articles do not necessarily reflect official positions of the Council of Europe

Blogai Blogai

Circumvention of technological protection measures as a cybercrime

Without any doubt, the circumvention of an effective technological measure to protect an intellectual work could be considered as a cybercrime in the international legislation. It is a theme with links in the field of intellectual property, the criminal law and technologies of information and communications.

We define technological protection measures as any mechanism or technical work designed with the objective to control or make impossible the non-authorized use, copy or access to an intellectual work’s content without the right-holder permission, the abuse of an authorization granted or generally to protect the copyright on an intellectual work.

As a justification for its application, these kind of rights are consequences of the privileges that the owner can apply inside his intellectual work when it is presented in a technologic format, so there are possibilities to include mechanisms of protection against a non-authorization copy or a misuse of it, along with other offences that can avoid the exploitation of an intellectual work by its owner.

In this sense, the Convention of Europe on Cybercrime stands the protection of the copyright as a possible matter to be sheltered by criminal laws so the Agreement’s parties and the observant countries can elaborate the necessary norms to include them in its legal systems if they do not have it.

“Article 10.– Offences related to infringements of copyright and related rights

1.- Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of copyright (…), with the exception of any moral rights conferred by such conventions, where such acts are committed willfully, on a commercial scale and by means of a computer system.

2.- (…)

3.- (…)”

From the same scope, the Directive 2001/29 of the Parliament and the Council of the European Union (Chapter III, article 6) exhorts to the country parties to include and regulate the technological measures in its internal legislation.

This very same Directive 2001/29, article 6, paragraph 3, defines the "technological measures" as “any technology, device or component that, in the normal course of its operation, is designed to prevent or restrict acts, in respect of works or other subject-matter, which are not authorized by the rightholders of any copyright or any right related to copyright as provided for by law…”

Copyright legislation from different countries has recognized expressly the technological measures to protect software, electronic apparatus and other digital works against its non-authorized use, duplication or breaking the owner’s exploitation rights, meanly grounded in the copyright’s protection (author’s rights). Examples of those technological measures could be the use of passwords, contents encryption, watermarks, identifications logos, amount of time to allow the use, or in general any technical device that prevents the illicit duplication or non-authorized access to the software’s content that could breaks the author’s rights to the royalties. In such cases, those behaviors can bring sanction in the criminal field against persons who break the technical preventions. They are measures designed for digital works susceptible to include such technical barriers.

It is important to have clear that the technological measure must to be “effective”, including methods or technological devices that, working the way they were designed, control the access to the protected work. This means that protection cannot be break by accident. So, it is necessary that the action of circumvent the protection must be intentional. The article 6 paragraph 3 of the Directive 2001/29 of the Parliament and of the Council of the European Union, explains what means “effective technological measure”:

"Technological measures shall be deemed "effective" where the use of a protected work or other subject-matter is controlled by the rightholders through application of an access control or protection process, such as encryption, scrambling or other transformation of the work or other subject-matter or a copy control mechanism, which achieves the protection objective.”

According with the World Intellectual Property Organization (WIPO), there are several technological measures and its characteristics vary from time to time. Besides, the WIPO shares the measures in two groups depending if they are use a) to limit the access to the intellectual work’s contents and it only can be access by authorized persons; or b) to control the use by authorized consumers, but without go away beyond the granted authorization:

“In general, right holders seek to control the use of their works in the online environment by utilizing specialized technologies. Technological protection measures take various forms and their features are continually changing.

These measures can broadly be grouped into two categories: first, measures that are deployed to limit access to protected content to users who are authorized to such access. Common access control features are, for example, cryptography, passwords, and digital signatures that secure the access to information and protected content.

The second major group of technologies aims at controlling the use of protected content once users have access to the work. According to the corresponding license agreement, certain uses of protected content may be allowed for certain purposes. To make sure that these obligations are complied with and no unauthorized reproductions are made, the respective technological measures attempt to track and control copying, and thus prevent the user from surpassing the right he has been granted. Examples of such copy control measures are serial copy management systems for audio digital taping devices, and scrambling systems for DVDs that prevent third parties from reproducing content without authorization.” (World Intellectual Property Organization; FAQ’s section. How do technological protection measures work? [Consulted: March 31th., 2013].

As the reader can conclude, the circumvention of any technological protection measures can require an expertise level, skills and technological knowledge that are not common, so it is a conduct that must be sanctioned as a typical cybercrime. Besides, it implies the use of sophisticated equipment or software that could be exclusively created by the active subject with the objective to elude the protection measures.

Indeed, this scenario should have a narrow relationship with the article 6 of the Convention on Cybercrime because it implies abuses of technical devices to commit informatics offences:

“Article 6 – Misuse of devices

1.- Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

a) the production, sale, procurement for use, import, distribution or otherwise making available of:

i.- a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with the above Articles 2 through 5;

ii.- a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed,

with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and

b) the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

2.- This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.

3.- Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article.”

Nevertheless, the content of the article 6 does not make a formal reference to the article 10 of the Convention on Cybercrime about copyright protection. That is why we have to discard the application of this article 6 because its content about misuse of devices does not include the technological protection measures but the basic penal crimes from the articles 2 to 5 such illegal access, illegal interception, data interference and system interference. None of them stand a reference about protection of intellectual property or copyright. In spite of such omission, we would not find differences among create an cyber virus, break the authentication process while mounting a software, install a tricky file inside a firmware or circumvent a videogame protection. All such behaviors imply very similar actions so they are equally criminal offences; they have connection with actions like for example the creation of a password or access code to achieve an illicit interception or an illegal access. The only difference will be if there are copyright´s elements involved.

It could be convenient that the article 6 of the Convention on Cybercrime, which deals with the misuse of devices, can include the reference to the article 10, so the action of circumvent a technological protection measures can be expressly contented as a cybercrime against the copyright in technological products.

Finally, I would like to ask some questions to the reader:

1.- Does your country include the technological protection measures in your legal system?

2. - If yes, is it a cybercrime o just an action against the intellectual property?

3.- If your legal system does not include the technological protection measures, is there an legislative initiative to include them as a cybercrime or at least as a violation against copyright?

- * -


Comment by Jose Francisco Salas-Ruiz on April 1, 2013 at 1:05am

There is a Spanish version of this post. I hope you will find it useful.



No comments yet. Please sign in to comment.
Tools on Cybercrime & Electronic Evidence Empowering You!
Web turinio atvaizdavimas Web turinio atvaizdavimas

This tool is co-funded  by the GLACY  and Cybercrime@Octopus projects