What are the Three Categories of Cybercrime? A Lawyer Explains the Countermeasures for Each Pattern
“Cybercrime” is a term that has become somewhat common in everyday language, but internationally, it is defined as “crimes exploiting computer technology and telecommunications technology”. Certain types of cybercrime, such as so-called “hacking (cracking)”, can victimize businesses, and when such damage occurs, it is necessary to consider what measures should be taken.
In this article, we classify cybercrime in general into three patterns commonly used in Japan, and explain for each pattern what kind of crime it corresponds to and what measures can be taken if victimized. The reason why this classification is important is because:
- If you are not a “victim” in the legal sense, it may be difficult to prompt the police to investigate the crime through a damage report or accusation, even if you can “report” that a crime has occurred.
- For crimes where there are civil remedies, you can identify the perpetrator and make a claim for damages against the perpetrator through civil means by hiring a lawyer, without relying on police investigations.
- If you are the victim of a crime and there are no civil solutions, you will need to prompt a police investigation.
As such, the “measures” differ for each pattern.
Three Categories of Cybercrime
As mentioned above, it is common in Japan to classify cybercrimes into three categories.
- Computer Crimes: The precise definition will be explained later, but in a nutshell, these are crimes that disrupt business operations.
- Network Utilization Crimes: Crimes committed by misusing the internet.
- Violations of the Japanese Unlawful Access Prohibition Law: This includes actions such as unauthorized logins.
We will explain each of these in detail below.
What is Computer Crime?
What is the Crime of Damaging Computers and Obstructing Business?
The act that falls under the crime of damaging computers and obstructing business, which is stipulated in the Japanese Penal Code, is a typical example of this type of crime.
“A person who damages an electronic computer or electromagnetic record used for a person’s business, or gives false information or improper instructions to an electronic computer used for a person’s business, or by any other method, does not cause the electronic computer to perform actions in accordance with its intended use, or causes it to perform actions contrary to its intended use, thereby obstructing a person’s business, shall be punished by imprisonment for not more than 5 years or a fine of not more than 1 million yen.”Article 224-2 of the Penal Code
Although it is a difficult sentence to read, in simple terms, it is a crime that is established when the following actions are taken to cause the PC in question to perform unexpected operations and obstruct business:
- Damaging a PC or the data inside it used for business
- Sending false information or information not originally anticipated to a PC used for business
Typical examples of this include actions such as exploiting security holes or illegally logging into someone else’s account to increase the balance of an online bank account. Similarly, actions such as exploiting security holes or illegally obtaining login information to rewrite a company’s website also fall under this category. While the act of “logging in illegally” itself is a type of “violation of the Unauthorized Access Prohibition Law” as mentioned later, this type of crime captures actions such as illegal operations, tampering, deletion, and illegal rewriting of data.
What is the difference from unauthorized access?
This type of crime can be established even without the involvement of illegal login activities. For example, a typical case is a so-called DoS attack. Patterns such as sending a large number of emails to cause a failure in the mail server, or making a large number of accesses to a website to cause a failure in the web server. Each of these actions is legal when viewed individually, but when performed in large quantities, they cause the server (PC) to perform unexpected operations and cause damage to the company, such as being unable to use email or not being able to open the website. Therefore, it is said that “it does not violate the Unauthorized Access Prohibition Law, but it does fall under the crime of damaging computers and obstructing business”. In addition, in the case of these types of crimes, the crime of fraudulent business obstruction also becomes an issue.
How to encourage investigation by the police
These actions are crimes as mentioned above, and since the company in question is the victim, it is possible to request an investigation by the police. However, in reality, the Japanese police are not very responsive to these crimes. This is partly due to technical issues. For example, I mentioned a simple DoS attack above, but in reality, attacks are often carried out from a large number of IP addresses, i.e., the source of the attack is distributed, rather than in a simple form where 1 million emails or accesses are made from a single IP address. Such attacks are called “DDoS”.
If a large number of emails or accesses are made from the same IP address, it is clear that they are a large number of accesses by the same person and that they are “information not expected”. However, if the IP addresses are distributed, unless there is evidence that they were all made by the same person, it cannot be said that they are illegal information transmissions. So, how can we prove that “a large number of emails or accesses were made by the same person” under the strict criminal trial? This is indeed a troubling issue for the police and prosecutors.
In addition, in a criminal trial, it is not enough to simply prove that “communications constituting a crime (for example, sending a large number of emails in the above example) were made from the suspect’s PC”. What is required in a criminal case is not “from which PC”, but “by whose hand” level of fact-finding. In fact, in criminal trial judgments, there are not a few cases where this part, namely, “the criminal act was definitely carried out from the suspect’s PC, but was it really carried out by the suspect himself?” is carefully examined. These hurdles of proof, while important in the sense of “preventing false charges”, are thought to be causing the police and prosecutors to hesitate in investigating cyber crimes.
However, if the timing is soon after the incident, it is possible in some cases to extract evidence such as “it is highly likely to have been done by the same person” and “and it is definitely done by the suspect himself” by carefully analyzing server logs and other data. A legal analysis that translates what was understood by the IT technology investigation into legally meaningful materials. If these two are in place, it can be said that there are cases where the police can be encouraged to investigate.
Resolution in civil terms is difficult
It would be nice if there were civil solutions without relying on the police, but to be honest, there are few civil measures for this type of crime.
For example, in the case where a large number of emails were sent, the sender’s IP address is listed in the email (in the email header), so you would want to disclose the address and name of the contractor who was using the IP address to the provider. However, under Japanese civil law, there is no right to legally request this disclosure. In the case of defamation on the Internet, as mentioned later, you can use the right to request disclosure of sender information under the Provider Liability Limitation Law, but to put it simply, this right to request disclosure is only recognized for:
Communications for making posts that are seen by an unspecified number of people (typically, communications for posting defamatory posts on Internet bulletin boards that are open to the public)
It is not recognized for anything else.
In reality, in the case of advanced cyber crimes, it is often necessary to have more detailed reports and other documents to encourage the police to investigate than when filing a lawsuit. Also, from the first contact with the police to the actual investigation and arrest, it often takes a period of time such as one year. On the other hand, resolving the issue in civil terms may be easier, requiring less work and time… but for this pattern of crime, it is impossible or very difficult to resolve the issue in civil terms. If the perpetrator can be identified, it is possible to claim damages for the damage caused by the criminal act, such as the occurrence of a failure in the web server, but there is no specific means for that.
Network Usage Crimes
Defamation on the Internet
This refers to crimes committed using PCs and networks, other than the computer crimes mentioned above. For example, so-called defamation on the Internet does not involve damaging data, sending unexpected information, or causing unexpected operations on a PC, but it is carried out using the Internet network.
Posts that constitute defamation are classified as:
- Illegal both criminally and civilly (typical example is defamation)
- Not illegal criminally, but illegal civilly (typically privacy infringement or portrait rights infringement)
If it is illegal both criminally and civilly, it is possible to aim to identify the poster using a sender information disclosure request under the Provider Liability Limitation Act in civil means, or to encourage the police to investigate and arrest the poster.
However, depending on the content, the police do not conduct very active investigations on such posts due to the so-called “non-intervention in civil matters”. Also, privacy infringement and portrait rights infringement are not crimes under the Penal Code, so civil resolution is essential.
Damage caused by one-to-one communication such as email
What is difficult is the sending of inappropriate messages, etc., using one-to-one communication methods such as email and Twitter DM. For example, a typical case is an email with wording that constitutes a threat or extortion. The sender information disclosure request under the Provider Liability Limitation Act can only be used in cases like the above, where:
Communication for posting that is seen by an unspecified number of people (typically, communication for posting defamatory writing on an Internet bulletin board that is open to the public)
Therefore, there is no civil solution prepared for such communication in the first place, and we can only hope for an investigation by the police. However, even if the content posted on an Internet bulletin board, etc., would constitute defamation, if a one-to-one communication method is used, the defamation crime does not occur. Simply put, defamation only occurs in actions against an unspecified or large number of people. In one-to-one communication, defamation does not occur in principle.
Damage caused by obscene images and illegal sites
Furthermore, crimes where there are no victims, or where companies that actually suffer damage do not become victims, are also included in these types. For example:
- Posting of uncensored images and videos on so-called adult sites (public display of obscene drawings)
- Advertising of illegal casino sites, etc.
- Fraudulent sites that claim to sell brand-name goods but do not actually deliver products
These are typical patterns.
For example, if voyeurism is conducted in a women’s changing room in a company and the voyeuristic images are posted on the Internet, the images clearly constitute privacy infringement (and portrait rights infringement) of the female subject, but as mentioned above, privacy infringement (and portrait rights infringement) is not a crime, and although the act of voyeurism itself is a crime, the posting of photos taken by voyeurism does not immediately become a crime, so it becomes a difficult problem as to how to ask the police to investigate.
Furthermore, even if the existence of illegal casino sites or fraudulent sites results in a decrease in the company’s sales or a decrease in the company’s trust, the above-mentioned acts are crimes for the sake of society where there are no specific victims (typically similar to speed violations and drug regulations), or they are things that only have direct victims (for example, consumers who paid money to the fraudulent site) as victims, so even if a company complains of damage, it will only be a report by a third party who is not a victim. Also, if you are not a “victim”, you cannot even conceive of identification by sender information disclosure requests, etc.
However, if the act infringes on the intellectual property rights (trademark rights, copyright, etc.) held by the company, such as the sale of counterfeit brand-name goods, the company can encourage police investigations as a “victim” or aim to identify the seller by civil means.
Violation of the Unauthorized Computer Access Prohibition Law
Actions Prohibited by the Unauthorized Computer Access Prohibition Law
Finally, let’s discuss the actions prohibited by the Unauthorized Computer Access Prohibition Law (Japanese Unauthorized Computer Access Prohibition Law). This law prohibits:
- Unauthorized access
- Encouraging unauthorized access
- Unlawful acquisition and related actions
Among these, the first one, unauthorized access, mainly includes:
- Impersonation: The act of entering someone else’s ID, password, etc., and logging in as that person without permission
- Security hole attack: The act of exploiting a security hole to log in as someone else without needing to enter an ID, password, etc.
These are the two main types.
The second one, encouraging unauthorized access, refers to the act of disclosing or selling someone else’s account information (ID, password, etc.) to others without permission.
Finally, the third one, unlawful acquisition and related actions, refers to the act of making someone else enter their account information through means such as phishing sites, or storing the account information obtained unlawfully in this way.
Resolution by the Police
If you are a victim of unauthorized access, you will need to urge the police to investigate. However, many cases involve highly technical issues, and just like the computer crimes mentioned above, unless someone with knowledge and expertise in both IT and law prepares the report, it is often difficult for the police to actually conduct an investigation.
Also, if the perpetrator can be identified, it is possible to claim damages from them. However, just like the computer crimes mentioned above, it is extremely difficult to identify the perpetrator using civil means.