Is DoS a Crime? A Lawyer Explains the 'Japanese Computer Damage and Business Interference Crime'

The crime of Obstruction of Business by Damaging a Computer (Japanese: 電子計算機損壊等業務妨害罪) was newly established in the Showa 62 year (1987). At that time, due to the rapid growth of the socio-economy and the development of technology, computers began to be introduced into offices in large numbers.

Work that was traditionally done by humans began to be performed by computers, and as the scope of business expanded, it was anticipated that business obstruction through harm directed at computers would occur. To address this, the law was newly established.

However, at the time of enactment, computers were still in their developmental stages, and the internet was not yet widespread, making it difficult to specifically predict internet crimes. Furthermore, this law does not use terms from computer science, information science, or those commonly used in society, but is defined in terms that resemble those of the Penal Code, leading to various interpretations and making it a regulation that is difficult for the general public to understand.

Moreover, this crime is generally recognized as corresponding to the type of crime called computer crime among cybercrimes.

In this article, we will explain the details of the crime of Obstruction of Business by Damaging a Computer in an easy-to-understand manner.

https://monolith.law/corporate/categories-of-cyber-crime[ja]

What is a DoS Attack?

A DoS (Denial of Service) attack is a type of cyber attack that overwhelms a target website or server by sending a large amount of data or malicious data, causing the system to become inoperable. Unlike unauthorized access or viruses that bypass user permissions or take control of the system, a DoS attack disrupts the ability of legitimate users to access the system. This method of cyber attack has been around for a long time, and is often used in DDoS (Distributed Denial of Service) attacks, a distributed type of attack. Even in recent years, there have been many cases of harassment and damage caused by these attacks.

Types of DoS Attacks

DoS attacks can be divided into two types: “Flood type” and “Vulnerability type”.

The term ‘Flood’ comes from the English word for flood, and refers to an attack that overwhelms the target by exploiting protocols to send a large amount of data, causing the target to become unable to process the data.

On the other hand, vulnerability type attacks exploit vulnerabilities in servers or applications, causing them to perform unauthorized operations and stop functioning. While the distinction from unauthorized access can be vague, a typical example of a vulnerability type DoS attack is a LAND attack, which involves sending a packet with matching source and destination IP addresses and port numbers. To simplify, if attacker A sends a packet to target server B saying “I am B and I want a reply”, B will reply to itself, and this phenomenon will repeat, causing an infinite loop. This exploits the vulnerability of “replying to packets where the source is oneself”, but since it does not bypass password authentication, it is classified as a “vulnerability type DoS attack” rather than “unauthorized access”.

https://monolith.law/reputation/unauthorized-computer-access[ja]

DDoS attacks, on the other hand, are a distributed method that involves remotely controlling thousands of computers infected with a bot virus and launching flood type DoS attacks from each one.

How DoS Attacks Work

The mechanism of a DoS attack is technically simple, involving the frequent repetition of actions that are normally permitted within the scope of TCP/IP. For example, when trying to purchase tickets for a popular idol’s concert on the day of general sale, the site may become slow or go down due to many people accessing it at the same time, making it difficult to connect. A DoS attack is an attack that intentionally creates this situation by abusing legitimate authority.

Does a DoS Attack Constitute a Crime of Obstruction of Business by Damaging a Computer?

So, does a DoS attack constitute a crime? Let’s examine whether it falls under the crime of obstruction of business by damaging a computer.

Anyone who damages an electronic computer or electromagnetic record used for business, or gives false information or unauthorized instructions to an electronic computer used for business, or by any other means, prevents the electronic computer from performing its intended function, or causes it to perform a function contrary to its intended purpose, thereby obstructing someone’s business, shall be punished by imprisonment for up to five years or a fine of up to one million yen.

Article 234-2, Paragraph 1 of the Penal Code (Obstruction of Business by Damaging a Computer)

As such, for the crime of obstruction of business by damaging a computer to be established, the objective requirements are:

1. An act of aggression directed at a computer
2. Obstruction of the operation of a computer
3. Obstruction of business

And the subjective requirement is that these actions are intentional.

Fulfillment of Objective Requirements

Let’s examine each of these in detail.

Act of Aggression Directed at a Computer

The act of aggression (execution act) must fall under one of the following:

• “Damage to an electronic computer or electromagnetic record used for it”
• “Giving false information or unauthorized instructions to an electronic computer”
• “Or any other method”

Regarding the term “electronic computer,” there is no dispute that it refers to an electronic device that automatically performs calculations and data processing, as defined by a court precedent (Fukuoka High Court, September 21, 2000 (Heisei 12)). This includes office computers, personal computers, control computers, etc. The term “electromagnetic record” is defined in Article 7-2 of the Penal Code. It can be said that servers, which are the targets of DoS attacks, naturally fall under these categories.

“Damage” refers to any act that harms the utility of an object, not just physical destruction, such as erasing data. “False information” refers to information that contradicts the truth. “Unauthorized instructions” refer to giving instructions that can be processed by the computer without authority. For example, if a flood-type DoS attack is carried out in a large and concentrated manner, the target server becomes overloaded and cannot properly execute processes. Such an attack, even if it does not result in “damage” such as data deletion, can be considered an “unauthorized instruction” as it is an access against the will of the server owner and gives instructions without authority.

Obstruction of the Operation of a Computer

The issue is whether it falls under “preventing the computer from performing its intended function” or “causing the computer to perform a function contrary to its intended purpose.” There is a dispute over whose intended use should be assumed, but considering that the protected legal interest of this crime is the safe and smooth execution of business, it should be assumed that the installer’s purpose is intended. When a DoS attack is carried out and the server becomes overloaded, services may become unavailable, and the proper processing operation intended by the server installer may not be performed. In such cases, it can be said that the “intended operation” is not being performed, and it constitutes an obstruction of operation.

Obstruction of Business

The crime of obstruction of business by damaging a computer is an aggravated type of the crime of obstruction of business (Articles 233 and 234 of the Penal Code), so this obstruction of business is considered in the same way as the usual crime of obstruction of business. That is, “business” refers to the repeated and continuous execution of tasks based on one’s social status, and it is not necessary for the business to be actually harmed to be considered “obstruction.” When a DoS attack is carried out, it can be said that the “business” of providing services on the Internet by using the server is obstructed, which constitutes an obstruction of business.

Fulfillment of Subjective Requirements (Intention)

After fulfilling these requirements, it is necessary to recognize intention (Article 38, Paragraph 1 of the Penal Code). Intention refers to the recognition and acceptance of the facts corresponding to ① to ③ (these are called constitutive requirements). It is not necessary to have malice or harmful intent to obstruct others, and even if there is no such intention, if there is a recognition that “the server might go down and the service might become unavailable,” intention can be recognized.

Okazaki City Central Library Website Mass Access Incident

Related to the above, we introduce the “Okazaki City Central Library Website Mass Access Incident (also known as the Librahack Incident)”.

A man (39) in Aichi Prefecture was arrested for launching a cyber attack after he collected information on new books from the library’s website using a program he created. However, according to an analysis by an expert commissioned by the Asahi Shimbun, it was found that there was a bug in the library software, and it appeared to have been attacked by mass access. It was also discovered that similar problems occurred in six libraries nationwide that use the same software. The software development company has started renovations in about 30 libraries nationwide.
This problem occurred at the Okazaki City Library in the same prefecture. The software had a bug that made it appear as if the computer was still processing every time it called up book data, similar to leaving the receiver off the hook after a phone call. After a certain amount of time, it is forcibly disconnected, but in this library, if there are more than about 1,000 accesses in 10 minutes, you cannot browse the website, and it looked like it was receiving a large number of accesses.
The man is a software engineer and borrowed about 100 books a year from the Okazaki City Library. The library’s website was difficult to use, so he created a program to collect information on new books every day and started using it in March.
Since then, the library has received complaints from citizens that they cannot connect to the website. The Aichi Prefectural Police, who received the consultation, judged that the man had intentionally sent requests beyond the processing capacity and arrested him on suspicion of obstructing business. In June, the Nagoya District Prosecutor’s Office Okazaki Branch decided not to prosecute him, saying that “there is no strong intention to obstruct business.”

Asahi Shimbun Nagoya Morning Edition (August 21, 2010)

The man arrested in this incident was a user of the Okazaki City Central Library, and he did it to collect new book information from the library’s website, and he had no intention of obstructing the library’s operations. The access frequency was also low, about once per second, which would not normally be considered a DoS attack, but there was a problem with the library’s server and a system failure occurred at this level.

Even if there is no malice, it is recognized that the library’s server was down and its operations were obstructed by actions that could be considered a DoS attack, so we will look at the objective requirements. As for intent, as mentioned earlier, intent can be recognized even if there is no malice. The prefectural police judged that this man, who is a computer-savvy engineer, was aware of the possibility that sending a large number of requests could affect the library’s server, but still sent a large number of requests, so there was intent, and it was judged that a crime could be established.

Problems and Criticisms of the Incident

The method of mechanically obtaining data from public websites, as the man did, is widely and commonly used, and there is no illegality in the programming itself. The man later explained the circumstances and intentions of the incident on his own site, but there is no point worthy of moral condemnation as a “crime” from its contents, and it shocked many engineers who use such technology and sparked a lot of criticism and concern.

For example, it is pointed out that if a public library’s public website, which is used by an unspecified number of people, has a problem that it goes down with one access per second, it is too weak and vulnerable, and if there was a server of the strength that should normally be prepared, the man would not have been arrested. Another point is that there is a legislative problem that a crime can be established with a provision that can be a crime even if there are no elements that clearly seem to be a crime, such as “revenge” or “harassment” against the man, or sending a large amount of data that is clearly different from normal usage. There is also a discrepancy between the application of the law and the actual use of the Internet. For example, the impression of the same 10,000 accesses differs between people who are proficient in Internet and information processing technology and ordinary people who are not, including the police and prosecutors, and it is a problem that it is operated without correcting such a discrepancy in perception. There is also concern and anxiety that the freedom and development of the Internet and industry may be stifled if anyone, like this man, has the potential to be arrested.

The man was eventually given a suspended indictment because there was no strong intention to obstruct business, but he was interrogated under arrest and detention for 20 days and was physically restrained. In addition, his real name was reported at the time of his arrest. Also, a suspended indictment is a type of non-prosecution that is different from “insufficient suspicion” and means “there was a crime, but it is not malicious, or deeply regretful, so we will not prosecute this time”, in other words, it is considered that he committed a crime. Even if he is not prosecuted, it is a problem that he suffered a strong social disadvantage.

Summary

As discussed, a DoS attack can constitute a violation of the Japanese “Act on Prohibition of Unauthorized Computer Access” (電子計算機損壊等業務妨害罪). However, there are several issues with the application of this law, and there is a risk that even actions that are hard to describe as malicious, like the series of incidents we introduced, could be deemed criminal. The situation has changed since the law was enacted, with many people now owning internet devices such as smartphones and computers, and the rapid development of the internet society. To overcome these issues and protect freedom on the internet, it is necessary to reconsider the application of the law and consider new legislative measures.

If a company’s server is damaged by a cyber attack such as a DoS attack, it will be necessary to urge the police to investigate. However, many cases involve highly technical issues, and as in the library incident mentioned above, it may not be possible to respond appropriately without knowledge and expertise in both IT and law.

As a civil solution, if the perpetrator can be identified, it is possible to claim damages against them. Therefore, consulting with a lawyer who is knowledgeable about the internet and business could be one option.