Details and Violation Examples of the Japanese Act on Prohibition of Unauthorized Computer Access
The Unauthorized Computer Access Law (officially known as the “Law Concerning the Prohibition of Unauthorized Computer Access”) is a law enacted with the aim of preventing cybercrime and maintaining order in telecommunications.
With the proliferation of smartphones and the increase in internet users, the number of unauthorized access cases is also on the rise year by year.
In this article, we will explain in detail the contents of the Japanese Unauthorized Computer Access Law and examples of violations.
What is the Unauthorized Computer Access Law?
The Unauthorized Computer Access Law was enacted in 2000 and was revised in 2012 (Heisei 24) in response to the increasing severity of cybercrimes.
With this revision, phishing activities and the unauthorized acquisition and storage of identification codes (IDs and passwords) were prohibited, and the statutory penalties for unauthorized access were increased. Actions that were not previously punishable were prohibited, making the law more effective.
The purpose of the Unauthorized Computer Access Law is defined as “contributing to the healthy development of an advanced information and communication society” (Article 1).
The actions prohibited by the Unauthorized Computer Access Law are as follows:
- Unauthorized access (Article 3)
- Acts that promote unauthorized access (Article 5)
- Unlawfully acquiring or storing someone else’s identification code (Articles 4 and 6)
- Unlawfully requesting the input of someone else’s identification code (Article 7)
What is Unauthorized Access?
Unauthorized access can be divided into two categories: “unauthorized login” and “security hole attacks”.
Unauthorized login refers to the act of arbitrarily entering someone else’s identification code (ID and password) and logging into accounts such as SNS accounts and email addresses.
A security hole attack refers to an attack that exploits a security hole (a security defect that occurs in a computer connected to a network, also known as a “vulnerability”). Attackers can execute operations without proper authority, steal data, modify or delete data without editing rights, and use it as a stepping stone for intrusion or attacks on other systems by exploiting security holes. This attack can be automated like computer viruses and internet worms, so users may suffer damage or spread infections to other systems without their knowledge.
If you engage in unauthorized access, you may be sentenced to imprisonment for up to three years or fined up to one million yen.
What are Acts that Promote Unauthorized Access?
The Unauthorized Computer Access Law not only prohibits unauthorized access but also acts that promote unauthorized access. Acts that promote unauthorized access refer to making it possible for a third party to log into an account without the owner’s consent by disclosing someone else’s ID or password.
If you violate this, you may be sentenced to imprisonment for up to one year or fined up to 500,000 yen.
What is the Unlawful Acquisition and Storage of Someone Else’s Identification Code?
The act of unlawfully acquiring someone else’s identification code refers to “the act of acquiring someone else’s ID or password in order to engage in unauthorized access”.
Also, the act of unlawfully storing someone else’s identification code refers to “the act of storing someone else’s ID or password that was unlawfully acquired in order to engage in unauthorized access”.
Even if you do not engage in unauthorized access, the act itself that leads to unauthorized access is prohibited.
If you engage in either of these acts, you may be sentenced to imprisonment for up to one year or fined up to 500,000 yen.
What is the Unlawful Request for the Input of Someone Else’s Identification Code?
The act of unlawfully requesting the input of someone else’s identification code (ID and password) is commonly known as “phishing”. Phishing is a method where the perpetrator sends emails pretending to be an online shopping site or financial institution, lures the victim to a fake site that closely resembles the real one, and makes them enter personal information such as IDs, passwords, and credit card information. The English term “phishing” is a coined word combining “fishing” (to fish) and “sophisticated” (refined method).
Even if you do not make the victim enter personal information, the act of setting up a fake site itself is considered phishing and is subject to regulation.
If you engage in phishing, you may be sentenced to imprisonment for up to one year or fined up to 500,000 yen.
Duties of the Access Administrator
Under the Unauthorized Computer Access Law, administrators of servers and the like (access administrators) are required to take defensive measures to prevent unauthorized access (Article 8).
Administrators are obligated to take measures to prevent unauthorized access, such as “properly managing identification codes”, “constantly verifying the effectiveness of access control functions”, and “enhancing access control functions as necessary”. However, these three are obligations of effort, so there are no penalties for violating these obligations.
Examples of Violations of the Japanese Unauthorised Access Prohibition Law
Among cybercrimes, cases that fall under the violation of the Japanese Unauthorised Access Prohibition Law are on the rise. This trend is thought to be due to the widespread use of not only PCs but also smartphones, and the increase in financial transactions on the internet, such as internet banking and smartphone payments (like PayPay).
News reports of personal information leaks and unauthorized logins to SNS accounts due to cyber attacks are daily occurrences. Some cases even result in significant damages. What kind of incidents fall under the violation of the Japanese Unauthorised Access Prohibition Law?
Below, we introduce some specific cases.
Game Account Hijacking
A 23-year-old company employee was arrested by the Saitama Prefectural Police on suspicion of misappropriation of lost property and violation of the Japanese Unauthorised Access Prohibition Law for allegedly hijacking someone else’s smartphone game account.
The man is suspected of taking a smartphone that the victim had left behind, launching the installed smartphone game, and transferring the data to his own smartphone.
Unauthorized Login to Facebook
A 29-year-old company employee was arrested by the Tokyo Metropolitan Police Department’s Cybercrime Countermeasures Division on suspicion of violating the Japanese Unauthorised Access Prohibition Law for allegedly logging into the Facebook accounts of celebrities and others without authorization.
The suspect is believed to have logged into the Facebook and iCloud accounts of celebrities and ordinary people without authorization. He is said to have guessed the ID and password based on information such as birth dates, logged in, and downloaded the stored photos to his own PC.
Approximately 257,000 private photos, which should only be viewable by the celebrities themselves, were reportedly stored on the suspect’s PC. It seems that he was not only looking at the images but also browsing through contact lists without permission.
Unauthorized Access to Auction Site
The Kanagawa Prefectural Police Cybercrime Countermeasures Division and Minami Station arrested a 19-year-old boy on suspicion of violating the Japanese Unauthorised Access Prohibition Law and the
Japanese Private Electromagnetic Record Fraud and Supply Law. The boy is suspected of illegally logging into an auction site using someone else’s ID and password from his home PC and changing the email address and shipping destination.
The boy reportedly stated, “The ID and password were posted on an online bulletin board. I logged in illegally more than 50 times.” The police are investigating the possibility that the boy illegally obtained computer parts and other items on the auction site.
Unauthorized Intrusion into Workplace Server
A prefectural employee was sent to the Nagasaki District Prosecutor’s Office on suspicion of violating the Japanese Unauthorised Access Prohibition Law for unauthorized intrusion into the Nagasaki Prefectural Government’s server by inputting multiple colleagues’ IDs and passwords without permission.
The prefectural employee is said to have intruded into the server using his colleagues’ IDs and passwords and peeked at their work content. The number of unauthorized accesses by this prefectural employee is believed to have reached tens of thousands, and the number of downloaded files is believed to exceed one million. However, it is reported that no information leakage to the outside has been confirmed.
Credit Card Information Leak due to Unauthorized Access
It was found that a sports goods mail-order site was subjected to unauthorized access, and there is a possibility that customer credit card information has been leaked.
According to the site operator, the credit card information of customers who purchased products using the site has been leaked, and some of the card information may have been used fraudulently. The site operator explains that the cause of the unauthorized access was a vulnerability in the system, and the payment application was tampered with.
Unauthorized Login to Smartphone Payment System
In the case of unauthorized access to a smartphone payment system, the Fukuoka Prefectural Police arrested two men on suspicion of violating the Japanese Unauthorised Access Prohibition Law and fraud. The suspects are believed to have illegally logged into the smartphone payment system using someone else’s ID and password and bought about 190 items (worth about 95,000 yen) such as electronic cigarette cartridges at a convenience store.
Although the victim’s smartphone payment originally had 5,000 yen deposited, it was found that an additional 90,000 yen had been deposited from the man’s credit card.
This smartphone payment system has suffered many other cases of unauthorized access and unauthorized use. The number of victims identified by the end of July 2019 (Heisei 31) was about 800, and the total amount of damage was about 38.6 million yen. The service was discontinued in September 2019 (Reiwa 1).
Summary: Details and Violation Examples of the Japanese Act on Prohibition of Unauthorized Computer Access
Anyone who uses the internet, whether as an individual or a business, is potentially vulnerable to damage caused by unauthorized access. The damage can take many forms, including unauthorized logins to social networking sites, leakage of personal information, and fraudulent use of smartphone payments or credit cards, and in some cases, the amount of damage can be substantial.
If you suffer damage due to a violation of the Japanese Unauthorized Computer Access Prohibition Law, you can file a criminal complaint or a claim for damages based on the Civil Code. However, both procedures require advanced expertise, so it is recommended to consult with a lawyer who is well-versed in unauthorized access issues.