Prohibited Actions under the Japanese Act on Prohibition of Unauthorized Computer Access

Act on Prohibition of Unauthorized Computer Access was enacted in February 2000 (Heisei 12) and revised in May 2012 (Heisei 24), and is currently in effect. This law, consisting of 14 articles, aims to prevent cybercrime and maintain order in telecommunications.

“Act on Prohibition of Unauthorized Computer Access” (Purpose)
Article 1: The purpose of this Act is to prevent computer-related crimes committed via telecommunications lines and maintain telecommunications-related order as realized by means of access control features by prohibiting acts of unauthorized computer access and stipulating penalties therefor and assistance measures to be taken by prefectural public safety commissions to prevent the recurrence of such acts, thereby contributing to the sound development of an advanced information and telecommunications society.

What specific actions does the Act on Prohibition of Unauthorized Computer Access prohibit? What are some real-life examples, and what measures should be taken in criminal and civil cases? We will explain the overview of the Unauthorized Computer Access Law and the measures to be taken if you become a victim.

Prohibited Actions under the Japanese Act on Prohibition of Unauthorized Computer Access

The Japanese Act on Prohibition of Unauthorized Computer Access(不正アクセス禁止法) prohibits and penalizes three main types of actions:

• Unauthorized access (Article 3)
• Actions that promote unauthorized access (Article 5)
• Illegally obtaining, storing, or requesting someone else’s identification code (Articles 4, 6, 7)

What is Unauthorized Access?

Specifically, Article 2, Paragraph 4 defines unauthorized access as “impersonation” and “security hole attack”. The law prohibits unauthorized access to someone else’s computer.

“Impersonation” refers to the act of entering someone else’s identification code (such as an ID or password) without their permission when using a provider. This is typically done on a computer.

While it may be a bit confusing, “someone else’s” in this context refers to IDs and passwords that have already been created (and are in use) by someone else. In other words, “impersonation” is essentially the act of “hijacking” an account, such as a Twitter or other SNS account, that someone else is already using.

Generally, “impersonation” refers to the act of creating a new account using someone else’s name or photo, and using Twitter or other SNS under the guise of that person. However, this is different.

“Security hole attack” refers to the act of exploiting the security holes (flaws in safety measures) in someone else’s computer to gain access to it. This is done by using attack programs and other means to bypass the access control function of someone else’s computer and use it without permission.

If you engage in these unauthorized access activities, you may be sentenced to “imprisonment for up to 3 years or a fine of up to 1 million yen” (Article 11).

What are Actions that Promote Unauthorized Access?

Actions that promote unauthorized access, which are prohibited by the law, refer to providing someone else’s ID or password to a third party without their permission. Regardless of the method, such as via phone, email, or website, if you tell or announce to someone else that “the ID for XX is XX, and the password is XX”, and enable them to access someone else’s data without permission, this constitutes an act that promotes unauthorized access.

If you engage in actions that promote unauthorized access, you may be sentenced to “imprisonment for up to 1 year or a fine of up to 500,000 yen” (Article 12, Paragraph 2).

Even if you provide a password without knowing that it will be used for unauthorized access, you may be fined up to 300,000 yen (Article 13).

What is the Illegal Acquisition, Storage, or Request of Someone Else’s Identification Code?

The law prohibits the illegal acquisition, storage, or request of someone else’s identification code (ID, password).

Article 4: Prohibition of acts of obtaining someone else’s identification code
Article 6: Prohibition of acts of wrongfully storing someone else’s identification code
Article 7: Prohibition of acts of illicitly requesting the input of identification codes

A typical example of this prohibited action is “requesting the input”, commonly known as phishing. For instance, posing as a financial institution, luring victims to a fake website that looks exactly like the real one, and making the victims enter their passwords and IDs on the fake website.

Identification numbers obtained through phishing are often used in auction fraud, and there have been many cases of fraud where deposits are transferred to different accounts without permission.

If you engage in these actions, you may be sentenced to imprisonment for up to 1 year or a fine of up to 500,000 yen (Article 12, Paragraph 4).

What are the Laws that Regulate Cybercrimes Other Than Unauthorized Access?

The Japanese Act on Prohibition of Unauthorized Computer Access is designed to address some types of so-called cybercrimes. Speaking of cybercrimes as a whole, other laws such as the Computer Damage and Business Interference Law, Fraudulent Business Interference Law, and Defamation Law may also be relevant in some cases.

Obligations of Access Administrators

The Japanese Act on Prohibition of Unauthorized Computer Access not only defines unauthorized access activities and penalties, but also imposes obligations on administrators to prevent unauthorized access in the management of servers and the like.

Protective Measures by an Access Administrator

Article 8: An access administrator who has added an access control feature to a specified computer is to endeavor to properly manage identification codes associated with the Access Control Feature concerned or codes used to confirm them via the access control feature concerned, and is to always inspect the effectiveness of the access control feature concerned and endeavor to promptly take necessary measures to protect the specified computer concerned from acts of unauthorized computer access, such as enhancement of the function of the access control feature concerned, whenever deemed necessary.

The obligations include “to properly manage identification code”, “to always inspect the effectiveness of the access control feature concerned”, and “enhancement of the function of the access control feature concerned, whenever deemed necessary”. However, these are obligations of effort, and there are no penalties for neglecting these measures.

However, if there are signs of leakage of IDs or passwords, administrators must promptly carry out access control measures such as account deletion or password changes.

Examples of Violations of The Japanese Act on Prohibition of Unauthorized Computer Access

Hijacking a Popular Male Student’s Twitter Account

On January 30, 2017 (Heisei 29), the Hyogo Prefectural Police arrested an 18-year-old male high school student on suspicion of violating The Japanese Act on Prohibition of Unauthorized Computer Access. The student allegedly hijacked a classmate’s Twitter account and impersonated him, sending over 300 messages to female students.

The arrest was based on allegations that between September and November of the previous year, the student logged into the popular male student’s Twitter authentication server 63 times using his password. He then sent obscene messages to female students from other schools who followed the account, such as “Let’s show each other our bodies” and “Let’s talk about naughty things”.

Unauthorized Access to Facebook and Other Platforms

In a case where a person was accused of repeatedly accessing Facebook and other platforms unlawfully and obtaining personal information, the Tokyo District Court sentenced the defendant (29) to two years and six months in prison on August 3, 2016 (Heisei 28). The court found that the defendant had unlawfully accessed the Facebook accounts of seven women a total of 238 times. The court ruled that there was no room for leniency given the defendant’s motive of wanting to feel a sense of accomplishment when successfully accessing the accounts unlawfully. The court also noted that the defendant had not leaked the information he had viewed and had no previous criminal record. Considering these circumstances, the court suspended the sentence for four years.

Illegally Obtaining Customer Information from the Company Where He Worked

On November 12, 2009 (Heisei 21), the Tokyo District Court sentenced a 45-year-old company employee to two years in prison. The employee, who was in charge of developing, operating, and supporting the company’s information system, had illegally obtained and attempted to sell customer information owned by the company. He also stole CD-Rs containing unauthorized access data.

The court could not overlook the fact that the employee had made a profit of nearly 350,000 yen from selling the information. Even though he had no previous criminal record and had been dismissed from his job as a disciplinary measure, the court ruled that the case was not one where the execution of the sentence should be suspended.

Cyber Attacker Sentenced to 8 Years in Prison

On April 27, 2017 (Heisei 29), the Tokyo District Court sentenced a 32-year-old defendant to eight years in prison. The defendant had illegally obtained identification codes for multiple companies’ internet banking systems using phishing emails and remote control viruses. He had also made unauthorized logins and transfers, and had obtained email addresses by attacking databases. In addition, he had sent remote control viruses to make them executable.

The defendant had used various methods to carry out cyber attacks and had connected to other people’s wireless LAN access points using encryption keys he had obtained unlawfully to avoid detection. He had also changed his contact email address before making unauthorized transfers. The total property damage caused by the unauthorized transfers was over 5.19 million yen. Furthermore, the defendant had committed these crimes shortly after being released on parole for a similar offense, which led to the severe sentence.

In cases of this type of attack, it may be possible to identify the perpetrator based on the emails they send. However, this is generally difficult at the civil level.

Measures to Take in Case of Unauthorized Access

When using email or social networking services (SNS), you may become a victim of unauthorized access by others. What can be done in such cases?

Filing a Criminal Complaint

Firstly, it is possible to file a criminal complaint against the person who accessed your account without authorization. Unauthorized access is a crime, and the person who committed it can be criminally punished. As explained above, the person who committed the unauthorized access could face imprisonment for up to 3 years or a fine of up to 1 million yen. If there was someone who abetted the crime, they could face imprisonment for up to 1 year or a fine of up to 500,000 yen.

Furthermore, violations of The Japanese Act on Prohibition of Unauthorized Computer Access are not subject to complaint, meaning that even without a complaint, the police can initiate an investigation and arrest the perpetrator if they become aware of the fact. Even if you are not the person who was accessed without authorization, anyone who becomes aware of the fact can report it to the police.

As mentioned in the article about obstruction of business, while a complaint crime is a “crime that cannot be prosecuted without a criminal complaint by the victim,” it does not mean that “you cannot file a complaint if it is not a complaint crime.” Even in the case of non-complaint crimes, the victim can file a complaint against the perpetrator.

Even if it is a non-complaint crime, if the victim files a criminal complaint, the suspect’s circumstances may worsen, and the punishment may become heavier. If you notice that you have been accessed without authorization, it is advisable to consult a lawyer and submit a damage report or complaint to the police. Once the police accept the damage report, they will promptly proceed with the investigation and arrest or send the suspect to the prosecutor’s office.

Claiming Civil Damages

If you suffer damage due to unauthorized access, you can claim damages from the perpetrator based on Article 709 of the Civil Code (Japanese Civil Code).

Civil Code Article 709

A person that has intentionally or negligently infringed the rights or legally protected interests of another person is liable to compensate for damage resulting in consequence.

If the perpetrator accessed your account without authorization and disseminated the personal information obtained, stole items from a social game, accessed data such as credit cards or bank accounts, and caused financial damage, you should claim damages including consolation money. Of course, if data such as credit cards or bank accounts are accessed and actual financial damage occurs, you can also claim compensation for these damages.

However, in order to claim damages from the perpetrator, you need to identify the perpetrator and gather evidence that they really committed the unauthorized access, which requires highly specialized knowledge. If you suffer damage due to unauthorized access, it is necessary to consult a lawyer with extensive experience in internet issues and request them to handle the procedures.