An Attorney Explains the Actions and Cases Prohibited by the Japanese Unauthorised Access Prohibition Law

The Unauthorized Computer Access Law (officially known as the “Law Concerning Prohibition of Unauthorized Computer Access”) was enacted in February 2000 (Heisei 12) and revised in May 2012 (Heisei 24), and is currently in effect. This law, consisting of 14 articles, aims to prevent cybercrime and maintain order in telecommunications.

“Law Concerning Prohibition of Unauthorized Computer Access” (Purpose)

Article 1: The purpose of this law is to prohibit unauthorized computer access and to establish penalties and assistance measures by prefectural public safety commissions to prevent recurrence. By doing so, it aims to prevent crimes related to computers conducted through telecommunications lines and maintain order in telecommunications realized by access control functions, thereby contributing to the healthy development of an advanced information and communication society.

What specific actions does the Unauthorized Computer Access Law prohibit? What are some real-world examples, and what measures should be taken in criminal and civil cases? We will explain the overview of the Unauthorized Computer Access Law and the measures to be taken in case of victimization.

Prohibited Actions under the Japanese Unauthorized Computer Access Law

The Japanese Unauthorized Computer Access Law prohibits and penalizes, broadly speaking, the following three actions:

• Unauthorized access (Article 3)
• Actions that promote unauthorized access (Article 5)
• Illegally obtaining, storing, or requesting someone else’s identification code (Articles 4, 6, 7)

The term “identification code” here refers to a code set by each access administrator for those who have obtained the access administrator’s permission to use a specific electronic computer. It is used by the access administrator to distinguish the user from other users (Article 2, Paragraph 2).

A typical example of an identification code is a password used in combination with an ID. In addition to this, mechanisms for identifying individuals by fingerprints or iris patterns are becoming more common, and these also fall under the category of identification codes. Furthermore, when identifying whether a person is the signatory based on the shape of the signature or the pressure of the pen, the numerically and coded version of that signature also becomes an identification code.

What is Unauthorized Access?

Specifically defined in Article 2, Paragraph 4, unauthorized access refers to the act of “impersonation” by misusing someone else’s identification code and “security hole attack” by exploiting the flaws in a computer program. The Japanese Unauthorized Computer Access Prohibition Law prohibits these methods of unauthorized access to another person’s computer.

Act of Misusing Someone Else’s Identification Code

The so-called “impersonation” refers to the act of using a computer that one does not have the authority to access by misusing someone else’s identification code.

In other words, when using a certain computer system, you must enter an identification code such as an ID or password on your computer. This refers to the act of entering someone else’s identification code without their permission, even though they have the legitimate right to use it.

Although it may be a bit difficult to understand, the term “someone else’s” here refers to IDs and passwords that someone else has already created (and is using). In short, “impersonation” refers to the act of “hijacking” accounts on social networking sites (SNS) like Twitter that someone else is already using.

Since the requirement is that the identification code was entered without the person’s permission, if, for example, you tell your colleague at the office your password while you are on a business trip and have them check your emails on your behalf, it does not violate the Japanese Unauthorized Computer Access Prohibition Law because you have obtained consent from the person.

Generally, “impersonation” refers to the act of creating a new account using someone else’s name or photo and using SNS like Twitter pretending to be that person. However, the act prohibited by the Japanese Unauthorized Computer Access Prohibition Law is different from this. For a detailed explanation of the general meaning of “impersonation”, please refer to the article below.

https://monolith.law/reputation/spoofing-dentityright[ja]

Act of Exploiting the Flaws in a Computer Program

“Security hole attack” refers to the act of attacking the security hole (flaw in safety measures) of someone else’s computer and making that computer usable. By using attack programs and other means to provide information and commands other than the identification code to the target of the attack, it bypasses the access control function of someone else’s computer and uses the computer without permission.

The access control function mentioned here refers to the function that the access manager has on a specific electronic computer or an electronic computer connected to a specific electronic computer via a telecommunications line to prevent anyone other than the legitimate user from using the specific electronic computer (Article 2, Paragraph 3).

To explain it simply, it is a mechanism that allows only those who have entered the correct ID and password etc. to use it when someone tries to access the computer system over the network.

Therefore, “security hole attack” can be described as the act of making the computer system usable without entering the correct ID and password etc. by disabling this mechanism.

Two Types of Unauthorized Access

As mentioned above, there are two types of unauthorized access.

What needs to be noted is that in order for either type to be considered unauthorized access, it is required that it be carried out via a computer network. Therefore, even if you enter a password etc. without permission and use a computer that is not connected to a network, i.e., a standalone computer, it does not constitute unauthorized access.

However, not only open networks such as the Internet but also closed ones like internal LANs are subject to computer networks.

Also, there is no restriction on the content of unauthorized use by unauthorized access, and it will violate the Japanese Unauthorized Computer Access Prohibition Law even if you make unauthorized orders, view data, transfer files, rewrite homepages, etc.

If you commit either of these two types of unauthorized access, you may be sentenced to “imprisonment for up to 3 years or a fine of up to 1 million yen” (Article 11).

What Constitutes Actions that Encourage Unauthorized Access

Actions that encourage unauthorized access, which is prohibited under the Japanese Unauthorized Computer Access Law, involve providing someone else’s ID or password to a third party without the owner’s permission. Regardless of the method, such as through phone calls, emails, or websites, if you inform others by saying things like “The ID for XX is YY, and the password is ZZ,” enabling others to freely access someone’s data, it constitutes an act of encouraging unauthorized access.

If you engage in actions that encourage unauthorized access, you may be subject to “imprisonment for up to one year or a fine of up to 500,000 yen” (Article 12, Paragraph 2).

Furthermore, even if you provide a password without knowing that it will be used for unauthorized access, you may still be subject to a fine of up to 300,000 yen (Article 13).

What is the Act of Illegally Obtaining, Storing, or Requesting Someone Else’s Identification Code?

Under the Japanese Unauthorized Computer Access Law, it is prohibited to illegally obtain, store, or request someone else’s identification code (ID and password).

• Article 4: Prohibition of illegally obtaining someone else’s identification code
• Article 6: Prohibition of illegally storing someone else’s identification code
• Article 7: Prohibition of illegally requesting someone else’s identification code

A typical example of these prohibited acts is the “requesting act”, commonly known as phishing. For instance, pretending to be a financial institution, luring victims to a fake homepage that looks exactly like the real one, and making them enter their passwords and IDs on this fake homepage.

Identification numbers obtained through phishing are used in auction fraud, and there have been many cases of fraud where deposits are transferred to different accounts without the owner’s consent.

Engaging in these acts can result in imprisonment for up to one year or a fine of up to 500,000 yen (Article 12, Paragraph 4).

What are the Laws Regulating Cybercrimes Other Than Unauthorized Access?

As such, the Japanese Unauthorized Access Prohibition Law is a law designed to address certain types of what are commonly known as cybercrimes. When it comes to the entirety of “cybercrimes”, there are cases where other laws, such as the Japanese Computer Damage and Business Obstruction Crime, Fraudulent Business Obstruction Crime, and Defamation Crime, may come into play. A detailed explanation of the overall picture of cybercrimes is provided in the article below.

https://monolith.law/corporate/categories-of-cyber-crime[ja]

Obligations of Access Administrators

We will explain the obligations defined by the Japanese Unauthorized Computer Access Prohibition Law. An access administrator is a person who manages the operation of a specific computer connected to a telecommunications line (Article 2, Paragraph 1).

The term “management” here refers to the decision-making process regarding who is allowed to use a specific computer via a network and the scope of its use. A person who has the authority to determine such users and the scope of use is considered an access administrator under the Japanese Unauthorized Computer Access Prohibition Law.

For example, when a company operates a computer system, it appoints system administrators from among its employees to manage it. However, each system administrator is merely managing according to the company’s intentions. Therefore, in such cases, the access administrator is not the system administrator, but the company operating the computer system.

The Japanese Unauthorized Computer Access Prohibition Law not only defines unauthorized access activities and penalties but also imposes obligations on administrators to prevent unauthorized access in server management, etc.

Defensive Measures by Access Administrators

Article 8: An access administrator who has added an access control function to a specific computer shall strive to properly manage the identification code related to the access control function or the code used to verify it through the access control function, constantly verify the effectiveness of the access control function, and promptly enhance the function or take other necessary measures to protect the specific computer from unauthorized access when deemed necessary.

While it is obligatory to “properly manage identification codes,” “constantly verify the effectiveness of access control functions,” and “enhance access control functions as needed,” these are obligations of effort, and there are no penalties for neglecting these measures.

However, if an administrator finds evidence of a leak of IDs or passwords, they must promptly carry out access control measures such as account deletion or password changes.

Measures to Take in Case of Unauthorized Access

If you are using email or social networking services, you may become a victim of unauthorized access by others. In such cases, what actions can you take?

Filing a Criminal Complaint

Firstly, you can file a criminal complaint against the person who accessed your account without authorization. Unauthorized access is a crime, and the person who committed it can be criminally punished. As explained above, the person who committed the unauthorized access could face imprisonment for up to 3 years or a fine of up to 1 million yen. If there was someone who abetted the crime, they could face imprisonment for up to 1 year or a fine of up to 500,000 yen.

Furthermore, violations of the ‘Japanese Unauthorized Access Prohibition Law’ are not subject to complaint-only prosecution, meaning that even without a complaint, the police can start an investigation and arrest the perpetrator if they become aware of the fact. Also, even if you are not the person who was subjected to unauthorized access, anyone who becomes aware of the fact can report it to the police.

As mentioned in the article about obstruction of business, while complaint-only crimes are “crimes that cannot be prosecuted without a criminal complaint by the victim,” it does not mean that “you cannot file a complaint if it is not a complaint-only crime.” Even in the case of non-complaint-only crimes, the victim can file a complaint against the perpetrator.

Even if it is a non-complaint-only crime, if the victim files a criminal complaint, the suspect’s circumstances may worsen, and the punishment may become more severe. If you notice that you have been subjected to unauthorized access, it is advisable to consult a lawyer and submit a damage report or complaint to the police. Once the police accept the damage report, they will promptly proceed with the investigation and arrest or send the suspect to the prosecutor’s office.

Claiming Civil Damages

If you suffer damage due to unauthorized access, you can claim damages against the perpetrator based on Article 709 of the ‘Japanese Civil Code’.

Japanese Civil Code Article 709

A person who infringes the rights of another person or interests protected by law through intent or negligence shall be liable to compensate for the damage caused thereby.

If the perpetrator accessed your account without authorization and disseminated personal information obtained therefrom, stole items from a social game, accessed data such as credit cards or bank accounts, and caused financial damage, you should claim damages including consolation money. Of course, if you actually suffer financial damage due to unauthorized access to data such as credit cards or bank accounts, you can also claim compensation for these damages.

However, in order to claim damages from the perpetrator, you need to identify the perpetrator and gather evidence that the person really committed the unauthorized access, which requires highly specialized knowledge. If you suffer damage due to unauthorized access, it is necessary to consult a lawyer with extensive experience in internet issues and request them to handle the procedures.

Summary

The Japanese Unlawful Access Prohibition Law holds increasingly significant importance in our modern society as it continues to advance in IT. However, even if you are a victim of unauthorized access, it is often technically difficult to identify the perpetrator yourself.

Furthermore, violations of the Japanese Unlawful Access Prohibition Law are subject to criminal penalties, so it is possible to file a damage report with the police. However, as this is a new type of crime, the police may not always immediately understand the case. Therefore, when filing a damage report, it is necessary to provide a detailed explanation from both legal and technical perspectives to help the police understand. In this sense, dealing with the Japanese Unlawful Access Prohibition Law requires a high level of expertise, making it important to consult with a lawyer who is also knowledgeable about the technical aspects of IT.