Computer Crime and Criminal Information Law - New Trends in the International Risk and Information Society -[1]
Computer crime and criminal information law are relatively young phenomena. A first historical analysis indicates that each new development of computer technology was followed by a corresponding adaptation of crime as well as by legislative changes. A short overview - using the example of Germany - illustrates this adaptation of crime and information law to the new information technologies. It also indicates that this process started gradually at first, but then continued at an increasing pace:
- From the beginning of the 1950s computers were introduced in industry and administration to control routine processes. As late as 20 years after that time, the first cases of computer manipulation, computer sabotage and computer espionage became known. Only in 1986 did the German legislator react with the Second Act for the Prevention of Economic Crime.
- On the other hand, the mass processing of personal data in electronic data banks since the 1960s was soon regarded as a danger to privacy. In Germany, the first law that took this development into account was enacted in 1970.
- The open networks of the 1970s soon led to corresponding misuses in the form of "hacking", which the Law Committee of the German Parliament could still consider in the Second Act for the Prevention of Economic Crime in 1986.
- The mass phenomenon of program piracy came along simultaneously with the spreading of personal computers in the 1980s, forcing the legislator to carry out different reform measures from 1985 onwards.
- The use of automated teller machines in the 1980s, too, was immediately followed by new ways of code card misuses, which already represented criminal offenses due to the reforms of the Second Act for the Prevention of Economic Crime.
- Today, electronic post services, mailboxes, ISDN as well as the development of close links between data processing and telecommunication are used by neo-nazi groups, perpetrators in the field of economic crime and organized criminals: Computer technology and telecommunication have not only become part of general life, but also of general crime. The changes that these new technologies caused in criminal procedural law do therefore not only concern traditional computer offenses, but all kinds of crime.
Starting from this historical background the first part of this paper will give an overview on the relevant forms of offenses and changes in computer crime. The second part deals with the corresponding reactions of the law. The third part asks for the change of paradigms and future prospects of the legal development. In the end, the analysis will show that the multitude of computer-related offenses has led to four waves of computer-specific reform laws in all countries, which are marked by the fundamental changes of our society.
In most countries, the discussion about computer misuse began in the 1960s with the endangerment of privacy, which was discussed under the catchword of "data protection" and was at first not seen as a part of "computer crime" (see infra A). In the 1970s, scientific research concentrated on computer-specific economic crimes, especially computer manipulations, computer sabotage, computer espionage and software piracy (see infra B).[2] Further research demonstrated rapidly that - along with the advance of information technology into new areas of life - criminals can use computers for almost all offenses and that - from a phenomenological point of view - homogeneous computer crime does not exist any more (see infra C).[3] Today changes and differentiations that are characterized especially by the innovations of telecommunication technology are ascertainable in all areas mentioned.
The 1960s saw the beginning triumph of computers, and in many Western countries it was realized that the collection, storage, transmission and connecting of personal data endangers the personality rights of citizens. Orwellian visions and the mistrust of the revolting youth of the late sixties inspired the discussion about the dangers of the "Big Brother". However, today the old paradigm of the computer as an exotic instrument in the hands of the powerful became at the latest obsolete with the massive spreading of personal computers.
According to official statistics, data protection offenses are only of limited importance today.[4] The cases that became known show different degrees of endangerment: The misuse of "STASI" documents, i.e. the documents of the Ministry for State Security of the former GDR, or the possible blackmailing of AIDS-infected patients prove that in the information society of the 20th century, data protection has become a central matter of concern. The storing of information about defaulting debtors by credit investigation agencies or the transmission of data within criminal prosecution authorities also show, however, that the ascertainment of infringements of privacy in numerous cases depends on a difficult assessment and evaluation of conflicting principles: The underlying discussion on values does not only have to deal with the protection of privacy, but also with the freedom of information, which is the driving force of the cultural, economic and political development of an "open society".[5]
"Clear" infringements of privacy became known especially in the area of traditionally protected (also by criminal law) professional secrets, especially concerning official secrecy as well as the requirement of confidentiality for officials, doctors, lawyers and banks. Such data constituted the object of the offense in a South-African case, in which the offender - presumably through theft of magnetic tapes - obtained medical data of persons which had undergone an AIDS-test; the data were passed on to the employers of the persons affected.[6]
Another clear case of infringement of traditional regulations on protection of secrets happened in 1989 when two employees of one of the biggest Swiss banks helped the French tax authorities to decode magnetic tapes containing customers' data for a compensation of 500,000 FF.
In contrast, difficult problems on evaluation and assessment with regard to the ascertainment of infringements of privacy are illustrated by an Italian case. In 1986 IBM was accused that its security system RACF represented an inadmissible control over employees.[7]
Since the 1970s, the discussion about computer misuse was not only marked by data protection crime but also by computer-related economic crimes, which today are regarded as the central area of computer crime and which were at first exclusively characterized by that term. In this field, the central offenses are those of computer manipulation, computer sabotage, computer extortion, hacking, computer espionage, as well as software piracy and other forms of product piracy.
Computer manipulations were at the starting point of the discussion about computer-related economic offenses. During the time of the large mainframe computers, computer manipulations constituted a uniform group of crimes. Because of the diversification of computer systems in the 1980s, today the term computer manipulation describes a spectrum of different cases within the field of economic crimes.[8]
a) Among the "classic" large-scale computer manipulations, invoice manipulations concerning the payment of bills and salaries of industrial companies as well as the manipulations of account balances and balance sheets at banks are the predominant offenses. In the course of the recession of the last years, an extension of manipulations to increase the inventory could be perceived.
In Germany, a complicated invoice manipulation was committed as early as 1974 by a programmer who carried out salary manipulations of over 193,000 deutschmarks (DM) through changes of salary data as well as the book-keeping and balance sheet programs of his company.
Among the balance sheet manipulations, especially the case of the German Herstatt Bank of 1974 must be mentioned, in which balances totalling over one billion deutschmarks were manipulated.[9]
An example for a typical account balance manipulation is the terminal-input of a Japanese bank accountant who put in a deposit of 1,800 million yen and withdrew 50 million yen in cash and cheques amounting to 80 million yen from a subsidiary of the affected Sanwa-Bank in 1981.[10]
In 1994, a Russian group of offenders showed that these manipulations could also be carried out via data networks by external perpetrators. Operating from St. Petersburg, the group succeeded in making an American bank transfer over ten million dollars to them.[11]
b) Numerous misuses of ATM-cards and similar means of payment have been added to these "big" manipulations since the end of the eighties. Even though these misuses often lead only to small sums of damage, statistics show that the misuses of cards surpass the number of classic manipulations by far and meanwhile constitute the most frequent computer crime cases.[12] The protection of the respective cards - above all by chip technology - is gaining more importance in particular for the point-of-sales-systems, which are already common in Japan and which are being introduced in Europe at the moment. Suitable methods of protection are important especially because of the fact that meanwhile, the relevant classic credit card crimes are committed mostly by organized groups of criminals.
Today the forms of committing misuses of ATM-cards range from the simple use of stolen cards and the manipulation of cards with the help of computers to the independent manufacturing of card copies. Apart from the ATM-cards other magnetic cards are manipulated, e.g. phone cards or cards for horse betting.[13]
The offenders get the PIN-code necessary for the use of the cards often by a phone call trick, by preparing the keyboard, by false keyboards or - as in a Japanese case - by bugging data telecommunication lines.[14]
A Hungarian case was particularly remarkable due to a high sum of damage. Within one month, the respective maximum amount of approx. 250 US $ was withdrawn by the help of the copy of a single card in 1,583 cases.[15]
c) The misuse of the telephone network, in the field of which considerable qualitative changes have occurred in recent years, is currently also becoming a "mass crime": In the 1960s, offenders only wanted to avoid expenditures for their own phone calls. Since the end of the 1980s, the techniques originally developed by young hackers were also used by "companies" which - in often changing apartments or with the help of mobile telephones - offered conversations especially in intercontinental telecommunications. In the 1990s, even financial manipulations resulting in the transfer of money were made possible by the telephone companies when the insufficiently protected telephone network, which was not developed for this purpose, was used in an incautious way for the accounting of services.
Blue boxing was already developed in the sixties and is based on the fact that in the traditional analogous telephone network, control tones for establishing a link are transmitted through the same line as the information and can therefore be manipulated with the help of the so-called "blue box". By using a telephone number free of charge (in Germany a 0130-number), e.g., an operator of an American telephone company is called. Then the conversation is ended with the help of a "break tone" and the free line is held with the help of a "seize tone". After the input of certain control impulses it is possible to dial the desired number in the USA free of charge. However, especially as a consequence of installed frequency blockers, the blue boxing technique now only works in a limited way, i.e. in telecommunications between certain countries only.
This is why young telephone hackers today predominantly use manipulation techniques which allow phone calls at the expense of other network participants. This is made possible by breaking into badly protected voice-mail-systems, the direct-dialing functions of which are exploited. A widespread form of manipulation is also the trade with foreign "calling card" numbers, which, e.g., are given away by insiders of the telephone companies, are obtained with the help of trick phone calls from the card holders, are "hacked" by intruding a computer or are found out by listening in on phone calls. Some of the phone calls are carried out at the expense of other users with the help of modified walkie-talkies or home-made devices.
Apart from that, phonecards for public phone-boxes are faked or manipulated. These manipulations can easily be effected in countries where only magnetic strip systems are used. In other countries as in, e.g., Germany, the telephone companies use phonecards with integrated chips which are especially secured against "recharging" by hardware protections. However, German youths are currently working on a copy of phonecards. They decode the signals of the cards with adapter cables and small computers and then simulate the signals with their own "intelligent" cards. According to reliable sources, the first successful "copying" of a phonecard with integrated chip which can be recharged after using it is said to have been completed in Germany in 1994. This card could therefore be used permanently.
Against the background of these forms of misuse one could foresee that the use of the telephone network for the accounting of services had to lead to a new wave of manipulations in the 1990s. In Gemany, especially the "sex telephones" and "party lines" were used for this purpose, which can be called under the area code of 0190. Out of the 1.15 DM per minute to be paid to Deutsche Telekom, 52% remain with Deutsche Telekom whereas 48% go to the providers of the services (where they are divided between the provider of the service and the provider of the content); for foreign numbers, the revenue per minute amounts to over 3 DM. The perpetrators set up - partly with the help of specialized agencies - corresponding service numbers which were then called at the expense of Deutsche Telekom and of some clients by young telephone hackers who shared the profits. In doing this, they used the whole range of possibilities of misuse described above. Moreover, Deutsche Telekom got harmed worst when whole private offices were rented for the exclusive purpose of calling chargeable service numbers during a two-month period with the help of numerous (in a particular case up to 400) telephone connections and by using telephone computers before Deutsche Telekom claimed the outstanding invoices. Employees of Deutsche Telekom also misused telephone connections not yet given to clients by switching off the meter. Furthermore, clients of Deutsche Telekom were also charged when so-called "dialers" (i.e. electronic dialling machines, about the size of a cigarette box and distributed at 150 DM) were arbitrarily connected to some switchboxes, local telephone exchanges or wires, which called pre-programmed numbers especially at night at the expense of the affected telephone connection.
The first larger inquiries of telephone misuses were carried out in Germany in March 1994, when the apartments of 60 suspects were searched in nine German regions at the same time and four persons were arrested. In December 1994 and in January 1995 further searches were carried out at the request of the state attorney's office of Cologne (among others the head office of Deutsche Telekom at Bonn was searched) and some arrests because of financial manipulation in the field of service numbers were made. Two employees of Deutsche Telekom were arrested who are suspected of having collaborated with foreign organized groups of criminals. It is estimated that more than 80% of the turnovers off all sex-phones result from such manipulations. According to their own reports some youths obtained monthly commissions of more than 100,000 DM. The total damage for Deutsche Telekom and its harmed clients is estimated at more than 100 million DM for 1994.[16]
2. Computer Sabotage and Computer Extortion
a) Today in the field of computer sabotage, a similar "popularization" as in the field of computer manipulations occurs: Beside the formerly predominant major cases of sabotage[17] which only rarely appear in the today's statistics, there are massive damages to personal computers caused by virus programs and worm programs.[18] These programs are spread especially through illegally copied software or in networks, and therefore constitute a considerable share of the total number of computer crimes.
Computer viruses are programs which spread in other programs of a computer system and - possibly with a delay of time - often cause damages. The number and the variety of viruses in circulation has increased in recent years. In some cases, the original software as issued by the producing company was already infected with a virus.
While viruses only spread in "host programs", worm programs attack foreign computer systems independently. Widely known became the "Internet-worm" of an American student, which blocked approx. 6,000 computers of the Internet network within a few days in 1988.[19]
The above mentioned merging of computer and telecommunication systems leads to the fact that acts of sabotage are increasingly being directed against telephone lines and other data lines. In the field of computer sabotage, the same development as in the sphere of the above mentioned manipulations and in the cases of hacking and espionage (which are to be examined in more detail below) is occurring.
The latest example for sabotage in the field of data lines is an attack on the network of Deutsche Telekom in February 1995: The offenders cut seven underground glass fibre cables and thus interrupted approx. 7000 telephone and data lines around Frankfurt/Main airport. In a letter a group called "Keine Verbindung e.V." claimed responsibility and declared that they had wanted to disturb the deportation of persons seeking political asylum.[20]
b) The cases of computer sabotage constitute a serious problem especially due to the fact that the economy, the administration and frequently also the individual citizen depend to a high degree on the functioning of modern computer and communication systems.[21] This dependency of the information society on computer systems makes computer extortion a dangerous form of attack. The victim is threatened with the destruction or the sabotage of his computer systems and data stocks.
An example for such a computer extortion is the case of an American scientist who distributed more than 20,000 floppy disks which supposedly contained information about the AIDS-virus, but encoded the user's hard disk when calling the stored programs. By a corresponding announcement on the screen, the users were asked to transfer an amount of at least 189 US $ to a bank account in Panama in order to obtain the code for decoding the hard disk.[22]
a) The term "computer hacking" traditionally describes the penetration into computer systems, which is not carried out with the aims of manipulation, sabotage or espionage, but for the pleasure of overcoming the technical security measures. In practice, this kind of offense can be frequently found.[23] As far as damage is concerned, a differentiation must be made: In numerous cases, the attacked computer user is not actually harmed, but only endangered. Contrary to this, considerable damages occur in other cases especially when the perpetrators later use their knowledge for committing espionage and sabotage. In any case the "formal sphere of secrecy" or the integrity of the concerned computer systems is violated.
The most severe case of sophisticated "hacking" involved a group of German teenagers. They had managed to get access to various American computer systems and then sold the knowledge obtained in their data-journeys to the former Soviet secret service KGB. The case was discovered because one of the hackers sought help at the author's former Bayreuth chair, and a deal was agreed on with the prosecution authorities: The hacker revealed his knowledge and the investigation against him was suspended. The case was of particular interest because information on new techniques of computer manipulation was revealed in the course of this proceeding.[24] The resolving of this case confirms the effectiveness of a "self-revelation" for cases of hacking already called for before.[25]
b) Recent developments of telephone and telecommunications technology have led to the fact that nowadays, hacking does not only affect classic computer systems but increasingly also telephone lines, answerphones and voice-mail-systems. By using the "blue boxes" and signal devices described above, young "telephone hackers" dial themselves into the local telephone exchanges of the telephone company and are thus able to listen in on the digitally led conversations in the respective part of town.[26] In the US, besides other confidential information, especially the numbers of telephone access cards (so-called calling cards) are listened in on, which are then resold. The digital ISDN-network and the combination of telephone and computer technology will make new forms of crimes possible in future.
An example for the new form of telephone hacking is a 1992 case: Young Germans penetrated into the speech computer of the Barclays Bank in Hamburg to which the clients of the bank reported the receipt of their credit cards including the corresponding secret personal identification numbers as well as announcements in case of loss or - by giving the respective secret number - when asking for an increase of their credit limits.[27]
a) Computer espionage - only rarely appearing in official statistics[28] - constitutes a special danger compared to classic economic espionage, because in computer systems, huge quantities of data are stored in an extremely narrow space, and the data can be copied quickly and easily with the help of modern technology - also via data telecommunication. The objects of the offense are especially computer programs, data of research and defense, data of commercial accounting as well as addresses of clients. As the modus operandi, the simple copying of data is predominant; however, the theft of data carriers, the evaluation of "remaining data" or the absorbing of electromagnetic emissions are also effected. Besides young hackers and competing business enterprises, secret services appear which in recent years have increasingly been dealing with economic espionage. The case of the "KGB hacking" presented above illustrates the close connection between hacking and computer espionage.
A Japanese case from 1988 shows the possibility of using computer viruses for computer espionage: In this case, a computer virus penetrated into a network of personal computers, collected secret numbers of other network users and then wrote these numbers down on a "black board" of the network in an encoded form for the perpetrators.[29]
b) With data processing and telecommunication growing together as well as with the digitalization of telecommunication, the line between traditional computer espionage and telephone monitoring becomes less clear. In the case of telephone tapping, the criminals today penetrate the telephone exchanges of the telephone companies especially via normal data lines. Car phones, directional radio stations and satellite connections are particularly easy to attack in case of uncoded communication.
In Germany, these techniques of bugging telephones were used especially by the State Security Service of the former GDR: The telephone numbers of politicians, of members of the secret service and of other important bearers of secrets of the Federal Republic were registered as target numbers, so that the telephone communications of these persons were automatically recorded.
Massive measures of listening in on telephone conversations are also carried out by the American National Security Agency (NSA). According to published reports, the NSA is said to run more than 2,000 installations for bugging telephones world-wide, which can supervise up to 54,000 telephone conversations at the same time.[30]
5. Software Piracy and other Forms of Product Piracy
a) The unauthorized copying and use of foreign computer programs - often called theft of software or software piracy - at first involved, in accordance with the historic development of computer technology, the copying of individual software which frequently contains important internal company know-how. Therefore software theft overlaps with computer espionage in many cases.
The German "debit collection program case" is an example for the copying of individual software which led to the first decision of the Federal High Court of Justice concerning the possibility of copyright protection: Because of the copying of its central computer program and the following low-price sales by the perpetrator, the enterprise affected got into a situation that threatened its existence.[31]
Standard software is sold on a massive scale today, and as far as the number of crimes is concerned, presently the predominant offense is the illegal copying of standard software especially for the use in personal computers. Just how wide-spread this phenomenon is can be shown by the fact that in Europe, on average only 0.5 computer programs are sold per personal computer in use.[32] The industrial organisation "Business Software Alliance" estimates the market share of illegally copied software at, e.g., 40% in the USA, 76% in Germany, 81% in Japan and 98% in Thailand.[33] Therefore, the total damage of software piracy is - with a rising tendency - very high.[34]
A German case from 1994 shows the high resulting damages and also illustrates the careless handling of security measures by program distributors and the proneness of new forms of distribution to misuse: During the biggest German computer fair, a software dealer had distributed 280,000 free copies of a CD-ROM, which contained programs worth more than 100,000 DM. Each program was protected by a code which should only be communicated to the CD-user in the case of concluding a contract. However, young hackers succeeded in "cracking" the code and the program protection of the CD-ROM.[35]
Software piracy in the field of standard programs does not at all represent just a trivial offense of young PC-users. The software industry now increasingly takes legal action against enterprises that use unlicensed software. In these cases, often only a fraction of the installed programs is licensed. For example, during a police search at a company in northern Germany, the police found that only nine out of 58 installed programs were licensed.[36] In this case, 100,000 DM were paid for further licenses and compensation for damages.
In recent years, the distribution forms of software piracy have changed a lot: The illegal sale of computer programs that predominated in the eighties has been considerably reduced due to the corresponding prosecution practice in this field. By now, the predominating forms of distribution are the sale of programs in the so-called "ant trade" at flea markets (that is run and organized by gangs) as well as the proliferation of unauthorized copies via mailboxes (which in Germany partly operate online with more than 15 telephone connections at the same time).[37] Moreover, the practice of software piracy is characterized by dealers who produce and sell illegal copies of standard software in large numbers. This software is often distributed as an "extra" to the hardware.[38]
b) The high value of data in the information society leads to the fact that besides the illegal use of computer programs, also data banks and other data collections are increasingly used illegally. Today the illegal copying of data (characterized as "downloading") affects both the hosts of online-data banks and the distributors of off-line-data banks.
In the field of culture, the merging of data processing and data communication as well as the digitalization in the distribution of cultural products (e.g. the sale of compact discs with music and films) show the common roots of software, music, video and multimedia piracy in the "informatized" society.[39] The connections between software piracy and other forms of product piracy become evident with the new devices for playing and producing compact discs which, in the age of "multimedia", contain computer programs, data banks, books, music and television films.
The unauthorized copying of computer chip topographies in the technical sector is another phenomenon to be mentioned.
Today, computer crime does not only concern violations of privacy and property, but it is also directed against other objects of legal protection. In recent years, the first cases occurred in which information glorifying violence or information of racist or pornographic content was distributed with the help of computers.
In the USA, the Ku Klux Klan, the White Aryan Resistance, skinheads, and other neo-nazi organizations already realized in the eighties that it was much more effective to work with electronic communication than with traditional "newsletters". These groups used electronic communication systems mainly to distribute the names of Jewish "opponents" and to give advice for the use of violence.
In Germany, right-wing extremist as well as left-wing extremist organizations first used mailboxes and other electronic communication systems at the beginning of the nineties. Right-wing extremist organizations especially used the so-called "Thule-Network", which consists of about 10 mailboxes. In these mailboxes, information about right-wing extremist organizations and corresponding propaganda material is stored. The electronic means of communication are used for the communication within private groups of users as well as for informing the public. Increasingly video games in which the user fights against foreigners and ethnic minorities serve as propaganda material for young people. In the video game "Concentration Camp-Manager" - currently distributed mostly via mailboxes - the player must decide whether e.g. a Turkish worker is first to be sent to work in a mine or whether he is to be gassed immediately. Left-wing extremist groups (particularly from the anarchistic autonomous scene and from the sphere of the so-called Red Army Fraction) distribute their plans of action especially via the mailbox-network "Spinnennetz (cobweb)", which is included in an international exchange of information via the "European Counter Network (ECN)".[40]
Law enforcement authorities presently face considerable problems in monitoring these electronic communication systems and in preventing the sale of the above mentioned video games mentioned above. First searches of mailboxes of the "Thule-Network" were carried out by the state criminal agencies of Baden-Württemberg and Hesse at the end of 1994.[41]
The use of information services of the Internet for the dissemination of pornography and National Socialist propaganda was shown by preliminary investigations of the public prosecution authorities of Munich and Mannheim against CompuServe and other service-providers. In these proceedings, the main legal issue is if and to what extent service-providers are obliged to control the content of the data transferred by them.[42]
Numerous other cases involve the use of computer technology in traditional crimes. E.g., the computer manipulations described above did not only serve the purpose of gaining pecuniary benefits, but were also used for attacks on life - as in the case of the manipulation of a flight control system or of a hospital computer. In the field of organized crime, too, the use of computers gains increasing importance.
An example for the spreading of computer crime in traditional fields of offenses is the manipulation of a British hacker, who in 1994 accessed the information system of a Liverpool hospital because he simply wanted to see "what mess can be caused with the computer". Among other things, he changed the medical prescriptions for the patients: A nine-year-old patient who was "prescribed" a highly toxic mixture stayed alive only because a nurse re-checked the prescription.[43]
In the meantime, the possibilities of computer sabotage have also been recognized in the military sector. "Strategic Information Warfare" has become a form of potential warfare of its own.[44]
The dependency of military systems on modern information systems became evident in 1995 when a "tiger-team" of the US Air Force succeeded in sending seven ships of the US Navy to a wrong destination due to manipulations via computer networks.
There is no need to point out possible manipulations in a nuclear power station in order to stress that meanwhile, computer misuse has become a global threat and that the security of modern computer systems has gained central significance for the information society of our days.
Summing up the previous development and especially the recent changes of computer crime, the introductory notion of an accelerated adaptation of crime to information technology is confirmed. Also in taking a look at future developments, three points must be emphasized:
- Today, computer and telecommunication technology have spread into nearly all areas of life. Thus new computer crimes have become possible. In future, this development will go even further: With the backing of the US Federal Government, the Internet is at present being built into an "information superhighway" where pieces of music and movies can be retrieved by private homes. Defense systems, nuclear power stations, traffic control systems and other control systems are increasingly being shaped by computer technology as well. The information society will thus depend even more on information technology. Computer crime has thus become more diverse and more dangerous.
- The computer, which in the 1950s and 1960s was still an exclusive "device of power" in the hands of the state or of particular enterprises, became available for every citizen because of the increase in performance and the corresponding price drop of personal computers. This led to changes both on the side of the criminal and on the side of the victim of computer offenses: Computer crimes can nowadays be committed by everybody. They also threaten - just as the other dangers of the "risk society" - every citizen.
- Electronic data processing - as a consequence of a permanent "miniaturization" of its components - has grown together with telecommunication. Computer crimes are increasingly committed via telecommunication networks - also from abroad. New patterns of committing offenses developed, such as, e.g., telephone misuse, communication offenses or manipulations via the Internet. Computer crime has thus become more mobile and more international.
Because of this development, the security of computer systems and the prevention of computer misuse have become the central questions of today's information society. The following second part of this article analyzes how the law - and criminal law in particular - has taken up this challenge and how it has adapted to meet the latest developments.
In most industrialized countries, the law adapted to the new challenges of the information society by a multitude of new laws. However, throughout the world, the confusing diversity of the new legal regulations can be traced back to six groups of issues, which led to various reform waves: A first reform wave of the 1970s and 1980s concerned the protection of privacy (infra A). A second wave of reforms emerged at the beginning of the 1980s along with the fight against specific forms of economic crime committed with the help of computers (infra B). In the course of the 1980s, a third wave of reforms provided for numerous legal amendments improving the protection of intellectual property in the field of information technology (infra C). In the 1980s and 1990s, the first legislative measures were taken that were dealing with the fight against pornography and other communication offenses in computer networks. For the 1990s, we can perceive the beginning of another wave of reforms in the field of procedural law (infra E). A last body of issues - discussed in particular in the 1990s - concerns the setting-up of requirements for and prohibitions of security measures (infra F).
In numerous Western legal systems, the first "computer-specific" reforms of law during the 1970s and 1980s concerned the protection of personal rights and privacy in particular. The relevant legislation was a reaction to new challenges to privacy by the increasing possibilities of electronic data processing to gather, store, connect and transfer personal data. The traditional provisions for the protection of secrecy only covered part of the personality right and proved to be far too narrow for a protection against the new dangers.
A differentiation in criminal data protection law which can be found in all countries today results from this historic development: Traditional offenses for the protection of secrecy (e.g. for doctors, lawyers or public officials) can still be found in the core of criminal law, i.e. the Criminal Code. The general data protection laws - which were given rise to by the use of computers - contain criminal provisions that at first only referred to electronically stored data, but which have increasingly been extended to manually processed data in recent years as well. These general provisions are completed by data protection regulations for specific fields, which partly contain special criminal provisions, but which partly only refer to the criminal provisions in the general data protection laws. Personal data receive indirect criminal protection by general criminal provisions that are not limited to personal data.[45]
In the federal system of the Federal Republic of Germany, the first state data protection statute came into force in Hesse in 1970; the other states followed soon after. The Federal Data Protection Act was passed in 1977 and was revised in 1990, extending the criminal provisions. Numerous regulations for specific fields followed, which applied the general principles of data protection law to special fields.
Statutes with important regulations for specific fields were, e.g., the Statistics Act,[46] the 10th Book of the Social Security Code[47] and the Framework Registration Act of 1980,[48] the new Population Census Act of 1987,[49] since 1989 several new Police Acts of the states,[50] in 1990 the Act Concerning the Federal Agency for the Protection of the Constitution and other laws on the secret services,[51] in 1991 the Data Protection Regulation on Postal Services, Postal Bank Services and Telecommunications[52] as well as - also in 1991 - the Act Concerning the Documents of the Former East German State Security Service ("STASI").[53] The Act Against Illegal Drug Trafficking and Other Forms of Organized Crime of 1992[54] as well as the Money Laundering Act of 1993[55] and the Crime Prevention Act of 1994[56] also contain specific data protection regulations. The "Census-Decision" of the Federal Constitutional Court of 1983 contributed more than anything else to this development, because it stated that any interference with the citizen's right to "informational self-determination" (which was for the first time acknowledged by the decision) required an explicit legal basis.[57]
In other countries, there was a parallel development. Corresponding data protection statutes were mostly passed in the years 1977 to 1981, 1988 and 1992. We can therefore speak of an international wave of reform, which clearly shows the common problems of all national legal systems.
Regulations to mention are in particular those of Sweden of 1973, the US of 1974 (in a special statute), Denmark, France, Norway and Austria of 1978, Luxembourg of 1979, Iceland and Israel of 1981, Australia of 1982, San Marino of 1983, Great Britain of 1984, Canada of 1985, Finland of 1987, Ireland, Japan, and the Netherlands of 1988, Iceland of 1989, Slovenia of 1990, Portugal of 1991, Belgium, Switzerland, Spain, Slovakia and the Czech Republic as well as Hungary of 1992.[58]
The harmonization of national laws was considerably strengthened by the activities of international organizations. Especially important are the Convention of the Council of Europe and the OECD-Guideline of 1980 as well as the UN-Guidelines and the draft EC-Directive of 1990 respectively 1992.[59] A comparison of the different international activities and the national legislation shows that national laws were not passed after the international recommendations, but to a considerable degree at the same time. In other words: The recommendations and the guidelines of, most importantly, the European Council, the OECD and the UN were not so much effective because of their authority, but it was the exchange of thoughts and the cooperation of the competent representatives of the countries during the preparation of the recommendations that were decisive.[60]
The analysis of the still existing differences between the national legal systems shows - in particular in criminal law - an important difference between the European and the Anglo-American data protection laws: Whereas Anglo-American law uses criminal provisions only reluctantly, European data protection laws also impose an accessory criminal sanction on most violations of provisions of purely civil and administrative nature. The classic ultima-ratio-function of criminal law and the requirements of certainty for blanket criminal provisions are strong arguments against the European concept. Europe therefore needs a decriminalization which limits criminal law to clearly determinable and grave violations of data protection. Corresponding resolutions were adopted during the AIDP-Colloquium on Computer Crime in Würzburg in 1992 and during the 15th International Conference on Criminal Law in Rio de Janeiro in 1994.[61]
The second reform wave of computer-specific legislation developed at the beginning of the 1980s as a reaction to computer-related economic crime. Legal amendments became necessary because new forms of computer crime posed a threat not only to the traditional objects of criminal law protection, but also to intangible goods (e.g. bank deposit money or computer programs), and they were accompanied by new forms of committing the offense (e.g. computer manipulations instead of deceiving a human). In order to avoid an extension of the wording of already existing offenses, many countries passed new laws for the fight against computer-specific economic crime and also provided for new offenses for the prevention of unauthorized access to computer systems.
In Germany, the Second Act for the Prevention of Economic Crime of 1986 provided for reform measures in the most important areas of crime mentioned above: For the prevention of manipulations, sabotage and espionage, the relevant traditional objects of criminal protection were also protected against new, "technical" forms of violation. As a reaction to "hacking", the formal sphere of secrecy in the area of DP was acknowledged as a new object of legal protection, and the action of "unauthorized acquisition" of data was penalized.
In order to cover computer manipulations, the existing loopholes of punishability in the field of theft, embezzlement, fraud, defalcation and forgery of documents were closed by the two new offenses of computer fraud (section 263a Criminal Code) and the falsification of data of probative value (section 269 Criminal Code). For the prevention of sabotage actions, the offense of damage to property (section 303 Criminal Code) was completed by the offenses of alteration of data (section 303a Criminal Code) and computer sabotage (section 303b Criminal Code). The protection against economic espionage was shifted to an earlier stage by tightening section 17 of the Unfair Competition Act. Penetrating into foreign computer systems (so-called "hacking") was fought by the creation of a new provision against the spying of data (section 202a Criminal Code).[62]
The development in other countries was parallel. An "international wave of reform" emerged in particular from 1985 onwards.
Corresponding laws were passed in almost all States of the US since 1975, in different provinces of Australia in 1979, in Great Britain in 1981, in 1984 on federal level in the US, in Denmark and Canada in 1985, in Sweden in 1986, in Australia, Japan, Norway, and Austria in 1987, in the former GDR, in France and Greece in 1988, in Great Britain in 1990, in Finland, Portugal and Turkey in 1991, in Switzerland and Spain in 1992 as well as in France, Italy, and in the Netherlands in 1993.[63]
Important contributions for achieving greater uniformity of law were made by the works of the OECD of 1985, of the Council of Europe of 1990 as well as of the EC, the UN and the AIDP of 1992.[64] In this context, too, an analysis of the procedure of reception shows that the recommendations of the international organizations were effective not just with their adoption, but already by the common consultations of the involved lawyers.
Today, the only important noticeable difference between the various national laws is that some countries - such as Japan and Austria[65] - do not have special criminal law provisions against hacking (i.e. the mere penetration into foreign computer systems). A corresponding criminal offense would be desirable in accordance with existing international recommendations.[66]
C. Protection of Intellectual Property
In the course of the 1980s, various legal amendments led to an improved protection of intellectual property in the field of information technology. After computer programs had been excluded from patent protection throughout the world in the 1970s, various countries at first passed new laws which assured a civil law copyright protection for these programs. At the same time, more severe provisions of criminal copyright law entered into force in numerous legal systems. Since 1984 additional laws for the protection of topographies of semiconductor chips were passed.
The historic development of German law clearly shows the reactions of the legislator which rapidly followed one another: In Germany, important laws for the prevention of software piracy were the Copyright Amendment Act of 1985,[67] the Second Act for the Prevention of Economic Crime of 1986,[68] the Victims Protection Act of 1986,[69] the Product Piracy Act of 1990[70] as well as the Second Copyright Amendment Act of 1993,[71] which was passed as a consequence of the EC-Directive of 1991. In most Western countries, the development was similar.
a) In many countries, the copyright protection by civil law was improved by legal clarifications.
Corresponding reforms were carried out on the Philippines in 1972, in the US in 1980, in Hungary in 1983, in Australia, India, and Mexico in 1984, in France, Great Britain, and Japan in 1985, in Brazil, Canada, and Spain in 1987, in Denmark and Israel in 1988, in Columbia and Sweden in 1989, in Chile, Norway, and in former Czechoslovakia in 1990, in Finland in 1991, in Denmark, Great Britain, Italy, Norway, and Switzerland in 1992, and in Austria, Cyprus, Germany, Greece, and Sweden in 1993.[72] Reform plans are currently being discussed in Belgium, France, the Netherlands, and Poland.[73]
In the field of copyright protection by civil law, an analysis of national laws and of the activities of international organizations with respect to time shows that there has been an extension of copyright protection since 1984 which was not directed by international organizations. This development was triggered by the pressure of economic interest groups - supported by multinational corporations - in all industrialized countries. A further harmonization of copyright protection by civil law was then initiated by the EC-Directive on the Legal Protection for Computer Programs in 1991.[74] Detailed suggestions for supplementing the Berne Convention are currently being discussed.[75]
b) An international tightening of criminal copyright law can be observed in a number of countries since 1981.
Reforms to mention are in particular those in Italy of 1981, in Great Britain of 1982, in Sweden and in the US of 1982, in Finland of 1984, in, Denmark and France of 1985, in Canada of 1987, in Great Britain of 1988, in Hungary of 1992.[76]
This tightening of criminal law was not so much based on the activities of international organizations, but on the new need for protection in the information society, which brought about - against the background of a changed Zeitgeist - an improved protection of intellectual property by criminal law.
c) The development concerning the legal protection of topographies was different. The EC-Directive on Legal Protection for Topographies of 1986 - influenced by American pressure - forced the Member States of the European Community to rapidly pass corresponding laws. American "pressure" that was exerted by a strong requirement of mutuality in the American Semiconductor Chip Act was effective in other countries, too.
Corresponding laws were passed in the US in 1984, in Japan in 1985, in Sweden in 1986, in Denmark, France, Germany, Great Britain, Japan, and the Netherlands in 1987, in Austria and Spain in 1988, in Australia, Italy, and Portugal in 1989, in Belgium and Canada in 1990, in Finland and Hungary in 1991.[77]
The passing of semiconductor chip laws in the Member States of the European Union after 1986 shows that the possibility of the European Community to pass binding directives leads to a new age of legal harmonization and a ius commune in Europe.[78]
d) The same development could also be shown in the field of general product piracy. In the future, a further harmonization and extension of legal protection will also be achieved by the EC-Directive for the Legal Protection of Data Banks that was passed in 1996[79] and does not have to be discussed in detail at this point. The changes presented above have already illustrated the major lines of reform: The protection of intellectual property both by civil law and by criminal law was extended considerably in the whole world during the last decade. In this field, the law has reacted to the shift from the industrial to the information society in a remarkable manner.
At the end of the 1980s and in the 1990s, a new complex of issues surfaced in the field of substantial law. The dissemination of pornography, racist statements as well as information glorifying violence, in particular via the Internet, raised the question as to what extent these offenses could be confronted with the help of criminal law. For that purpose, two legal issues have to be distinguished: a) the first one concerns the criminal liability of the author of the respective statements, and b) the second one is about the additional liability of the service-provider[80] whose networks and servers are abused by third persons.
a) The general criminal liability of the author of pornographic and racist statements is regulated differently in the individual legal regimes. Whereas, e.g., in Germany, the use of symbols of National Socialist organizations is punished under section 86a German Criminal Code, the US lacks a corresponding criminal provision. With respect to the Internet, there is the additional problem that the general criminal offenses of the national legal regimes partly require a dissemination of these statements by "publications" which are defined as corporeal objects. In order to be able to apply the traditional criminal law provisions to new media, the German legislator added a subsection 3 to section 11 German Criminal Code in 1974, which states that "sound and image carriers, depictions and other representations" shall be deemed "publications" if this subsection is referred to in another criminal law provision.[81] For the near future, another extension of the term "publication" in section 11 subsection 3 German Criminal Code is planned with regard to the new information and communication services.[82]
In many other legal systems, the situation is similar, partly because of the interpretation of traditional criminal law provisions by the courts,[83] partly because of new legal regulations.[84]
b) The criminal liability of the author of such statements must be distinguished from the issue of an additional co-liability of service-providers for the statements disseminated via their computer systems and data networks. In Germany, the latter question is currently being examined in the course of various criminal investigations, in particular by the public prosecution authorities of Munich and Mannheim.[85] Legal literature mostly denies a co-liability of the service-provider because the service-provider can only be accused of not exercising a sufficient amount of control: However, a ("guarantor's") duty to control the content of the networks does not exist under criminal law.[86] In Germany, a solution of this issue is currently under consideration (on the federal level) in the draft "Information and Communication Services Act" and (by the Länder) in the "Convention on Media Services". In this context, the Federal Government attributes particular importance to a voluntary self-control by the content-providers and network-operators.[87]
In other countries, also an even further-reaching liability of the service-provider is supported, partly on the basis of an interpretation of existing laws, partly on the basis of new legal regulations. A corresponding liability on the basis of traditional criminal law provisions exists, e.g., in Switzerland, if the service-provider obtains knowledge of the existence of illegal content in his network and, nevertheless, does not deny access to such content.[88] In the US, a statute-based criminal liability was introduced with the "Communications Decency Act" of 1996.[89] The incompatibility of the CDA with the fundamental right of freedom of speech (1st Amendment to the American Constitution) has just recently been determined by a US federal court.
c) An international standardization of "communication offenses" and the liability of service-providers has not occurred so far. However, such standardization would be essential to prevent service-providers from relocating to so-called "oasis countries" and thus creating "computer crime havens" as well as distortions of competition. Therefore, initiatives of the European Union, the Council of Europe, the OECD, the G7 countries or the United Nations are needed.
Another current reform wave concerns procedural law. The subject of these reforms is, however, not limited to procedural problems of computer crime only. Mostly on the occasion of investigations into white collar crime, prosecuting authorities have to analyse computer-stored book-keeping data. In addition to this, perpetrators in the field of organized crime increasingly make use of computer systems and transfer data to computers abroad via telecommunication networks in order to render access more difficult for the prosecution authorities. Therefore, the use of computers in almost all areas of life frequently confronts prosecution authorities with computer-stored means of evidence, even on the occasion of investigations into "classic" forms of crime.
- Legal problems mainly occur in the areas of statutory powers of prosecuting authorities and the corresponding passive duties of witnesses. In many countries, problems exist with the questions of whether and to what extent prosecuting authorities have the right to search computer systems, to seize data, to intercept and record telecommunication between computers, to have access to telecommunication data and to electronically supervise computers. A particular problem represents the access to data which are stored at another location, possibly even abroad, in a telecommunication network that branches out in all directions.[90]
- As to the duties of witnesses to active cooperation, it is questionable whether a user of a computer is already obliged to provide a printout of encrypted data by the "traditional" duties of witnesses or whether a new statutory power in criminal procedural law is needed for this purpose.[91]
- Additional problems are those of data protection in criminal procedure[92] and - mainly in Anglo-American law - rules of evidence concerning the admissibility of computer data in court.[93] Further problems are the applicability of national criminal law for offenses in international data networks as well as the national borders for investigative actions.[94]
Corresponding reform laws were therefore enacted in several countries since 1984. On the international level, a work-group of the European Council has dealt with these questions.[95] Hence, the development of this fourth reform wave of computer-related criminal law reforms has not finished yet, but has only just begun.
Reform laws in this field were enacted in Great Britain in 1984, in Denmark in 1985, in the United States in 1986, in Canada in 1988, in Germany in 1989, and in the Netherlands in 1993.[96] Most of the cited laws introduced new procedural powers for the prosecuting authorities, but there is a lack of thorough consideration and of a uniform dogmatic concept also with regard to legal policy. This lack may result in serious disturbances of the complicated balance between the necessary powers of intervention of the prosecuting authorities on the one hand and civil liberties on the other hand.
F. Legal Regulations on Protection Measures
The possibility of manipulations in data networks has led to the additional question as to what extent legal regulations on security measures are necessary. Three different questions must be distinguished: (a) duties to implement protection measures, (b) prohibitions of certain protection measures, and c) consequences of possible manipulations for the use of electronic contracts.
a) A general duty to implement safeguard measures for the protection of data processing systems does not exist for the private sector (unlike the situation in the public sector). In a free society and market economy, the individual citizens are free to decide whether they want to protect their individual interests or at least their computer systems by costly measures or whether they are ready to accept the risk of an "electronic burglary".
However, this principle is not valid if the lack of safeguard measures does not only lead to the infringement of interests of the respective computer user, but also infringes the interests of third parties. In these cases, the legislator demands adequate measures for the protection of these persons (who in most cases cannot decide themselves about the implementation of safeguard measures) and for the protection of general interests (e.g. the interest of a functioning network). Such duties exist above all for companies that process personal data of third parties, e.g., insurance companies or credit inquiry agencies. In so far, reference can be made to the general explanations above concerning the field of data protection (criminal) law.[97] In Germany, there are in particular specific provisions for the respective fields, e.g., for the protection of telecommunication secrecy (section 10a subs. 1 Telecommunications Installations Act),[98] for the protection of the public telecommunications network against damages by "terminal equipment" (section 2a Telecommunications Installations Act) and for the secrecy of the telecommunications supervision (section 12a Telecommunications Supervision Ordinance).[99] Corresponding regulations are planned for the future Telecommunications Act and the new Telecommunications Services Companies Data Protection Ordinance.
The development in other countries was parallel as far as the general provisions of data protection law are concerned.[100]), pp. 309 et seq. (Comparative analyses and an international co-ordination are still lacking for specific regulations in the respective fields. Starting in the middle of 1996, the author is going to carry out a research project on behalf of the EC Commission, which will be dealing with these questions.)
b) Prohibitions of security measures can serve the protection of public interests on the one hand and the protection of third party interests on the other hand: General prohibitions of security measures for the protection of public interests are discussed in particular in the field of cryptography in order to allow law enforcement authorities and secret services to listen in on data communication. In Germany, however, there has not been any general prohibition to use cryptography-software so far. However, the export of encoding programs to non-EU countries is subject to a duty of authorization under the EC-Regulation on "dual use" goods, which is in force in all EU member states since July 1st, 1995.[101] In the US, encryption has not been regulated so far either, and is moreover discussed controversially. However, the export of encoding technologies also requires a public license.[102] Contrary to that, encoding programs may in general not be used in China, France and Russia without public authorization.[103] A group of experts of the European Community is currently dealing with a co-ordination of the relevant questions.
These prohibitory provisions protecting the public interests must be distinguished from the ban of supervisory measures in the interest of third parties. Such provisions must in particular be considered if personal activities of internal or external users of a computer system are recorded for safety reasons. The scope of relevant cases ranges from the recording of attempts to get unauthorized access to a computer, via the recording of connection data at the router, to the content supervision of discussion forums and electronic mail. In Germany, the respective supervision measures are not covered by the provisions of the Criminal Code, but only by general and specific data protection laws. Specific German regulations can mainly be found in section 14a Telecommunications Installations Act, in the Deutsche Telekom Data Protection Ordinance[104] and in sections 3 et seq. Telecommunications Services Companies Data Protection Ordinance.[105]), pp. 313 et seq. (Comparative studies as well as an international co-ordination are still lacking in this field.)
c) The manipulation possibilities described above lead to the additional question as to what extent contracts concluded via data networks should be recognized. In practice, the use of digital, encoded signatures tries to safeguard that a document originates from a certain person (authentication) and that it cannot be falsified.[106]) p. 259/260; Witte, CR 1993, 243, 244. (Legal regulations concerning certain encoding procedures do not exist in Germany at the moment.[107]) pp. 139 et seq. However, the Federal Government wants to establish harmonized security criteria together with the groups of industry concerned. An adaptation of the Civil Code is being examined. Issues to be addressed are in particular whether the stringent formal requirements of civil law (conclusion of written contracts) are still reasonable for modern transactions or whether paperless transactions make special legal regulations necessary. Comparative studies do not exist for the relevant questions. On the supranational level, the European Commission has proposed a directive on consumer protection in the conclusion of contracts via a distance. For specific contracts on the exchange of goods and services, it is planned to allow the consumer to withdraw from the contract within a minimum delay of seven days.)[108].
The development in the areas discussed above can largely be summarized by the following three statements:
- The legislator reacted rapidly - in four waves of computer-related reforms - to the new forms of information technology crime. These law reforms also included - mainly in the area of data protection and copyright protection of computer programs - measures belonging to administrative law and to civil law. However, the emphasis of legal reactions for the prevention of computer crime was put on criminal law.[109]
- The reactions of the legislators were similar in most Western countries. International organizations - especially the OECD, the European Council, the EC, the WIPO and the AIDP - supported the national law reforms from the beginning and created a high level of harmonization. Pressure by industry - which was effective all around the world - also contributed to this legal harmonization.
- The legislator solved the emerging problems rapidly, but in an "ad hoc" manner and in an isolated way. Basic considerations about the function of criminal law in the information society and about the connections between the particular law reforms hardly took place.
III. Paradigm-Shifts and Perspectives
The preceding analysis of the most important offenses and of the legal problems of computer crime has shown a wide range of different problems which were all caused by computer technology, but which were solved in legal practice without a solid basic concept. The scientist cannot be satisfied with this pragmatic handling of singular questions. The sum of individual cases and questions makes him ask for the underlying powers, the change of paradigms, and the prospects which are analyzed in the last part of this article.
This last part mainly deals with three fundamental changes: the development from the industrial to the information society and the resulting information law (infra A), the developing risk society and the ensuing changes of criminal law (infra B), as well as the loss of importance of national borders and the international harmonization of law (infra C).
A. Information Society and Information Law
The most important power underlying the illustrated changes is the present development from the industrial to the information society. This development has rightly been called a "second industrial revolution" by economists and sociologists. While the characteristic of the first industrial revolution during the 19th and 20th century was the replacement of manpower by machines, the characteristic of this second phase of industrial development consists in the shifting of human intellectual activity to machines. The economic and social effects of this new development will, therefore, surpass the changes caused by the first industrial revolution by far. This development to an information society is especially characterized by the fact that beside material objects, immaterial assets like, e.g., deposit money, copyrights, business secrets and other forms of know-how increasingly gain importance. Information has not only become a new value, but a factor of power and a potential danger.
2. Consequences in the Legal System
The analysis of the existing reform laws in the second part of this article has shown that this social change of paradigms[110] - from material to immaterial values - has already reached criminal law. However, a general theory referring to the protection of information is still missing.[111]
For this reason, the theory of "information law" or "law of information technology" developed in the author's inaugural lecture at the University of Bayreuth[112] outlines a general theory concerning the legal status of information and takes these changes into account. In accordance with the findings of cybernetics and computer science, this theory evaluates information as a third basic element next to matter and energy:[113] Information is a new economic, cultural, and political good, but it also creates a special potential danger. The new theory of "law of information technology" realizes that the modern information technology increases the significance of information: Information becomes an active factor which causes changes in automatic data processing systems without any human involvement; systems of information technology replace human decisions.
This new aspect of "(criminal) information law" shows in particular that the legal assessment of material and immaterial goods must be different.
- A first aspect deals with the protection of the "proprietor" or "possessor" of material or immaterial goods. In contrast to corporeal objects which, as a rule, are exclusively assigned to certain persons, information is rather a "public good" which, in an open society, must flow freely and must therefore not be protected by rights that exclude all others. These basic principles of "freedom of information" and "unrestrained flow of information" are an essential prerequisite for a free economic and political system.[114]
- Another particularity of the legal assessment of immaterial goods follows from the fact that protection of information must not only take into account the economic interests of the proprietor, but at the same time also the interests of those who are concerned by the content of the piece of information. The new requirements for the protection of privacy in the field of electronic data processing resulted from this aspect of information which does not exist with regard to material objects.
- With the increasing importance of information, rights giving access to information gain significance - not only for criminal prosecution authorities but also (e.g. in data protection law) for the citizen (so-called "access to information rights").[115] Thus, it becomes obvious that legal rules for information cannot be developed by way of analogy from provisions on corporeal objects, but that they need their own independent basis and theory.
For criminal information law, the consequences of this general theory are evident: A limited protection of the creator of information, the protection of the citizen concerned by information, as well as the access to information are also to be guaranteed by criminal law - in so far as other measures are not sufficient. "Intellectual property", "privacy" and "access to information rights" describe the new objects of legal protection, which have not only provided the basis for the previous reform legislation, but which can, in the information society of the 20th century, rightly claim protection by criminal law as well.
B. Risk Society and Changed Risk Control
The increasing significance of information in the post-industrial information society described above is mainly caused by the development and expansion of information technology. The development of the technological society and of technology law is, therefore, the second major force of change behind the singular questions analyzed above. Since the 1980s, sociologists and lawyers have been discussing the social impact of modern technology under the term of "risk society".[116] A presentation of this academic discussion must, therefore, necessarily precede an analysis of how far the ascertained changes of general technology are valid also in the field of information technology.
Since the eighties, the discussion about the risk society in Western countries focused on the general technology dangers of chemistry, nuclear energy, genetic engineering and of other installations with possible harmful impacts on man and nature. The actual changes dealt with in the discussion can be traced back to three main aspects:
- New risks with greater impacts arise which cannot be limited in space, time or with regard to the group of persons affected.
- In many fields,[117] risks have acquired a "social dimension" and cannot be traced back to individually responsible persons.
- The complexity and the speed of development of social and technological changes are increasing.[118]
2. Consequences in the Legal System
The resulting legal changes - until now especially discussed in environmental law - can be reduced to three lines of development as well:
- With respect to greater risks, an improved crime prevention by social politics, but also a more powerful state and intensified legal control are called for. Repressive controls are replaced - also in criminal law - by preventive regulations with more intensive interventions.[119]
- The social dimension of risks leads to risk communities, solutions by insurance law, new objects of legal protection and strict liability. It is especially controversial in how far criminal law can solve the problems mentioned. On the one hand, wider rules of imputation and protective concepts are called for, on the other hand, a reduction of criminal law is demanded as it is regarded inappropriate for the regulation of social dimension risks and for a risk balance independent of fault because of its classic needs for imputation.[120]
- Because of the greater complexity and dynamism, the law makes more and more use of indefinite legal terms, of blanket clauses and dynamic references. Legislation by private organizations (especially so-called self-regulation) increases.[121] Apart from this, the correlation between different fields of law becomes closer; new intermediate fields emerge.[122]
3. Information Technology as Part of the Risk Society
The analysis in the first part of this paper has demonstrated that most changes of the risk society also occur in the field of information technology: Small alterations of data can move large amounts of deposit money. Computer sabotage - for example in banks or with flight control systems - affects the most vital parts of the modern economy. Complexity and speed of development are growing. Accordingly a lot of the general findings and controversies concerning the "law of the risk society" apply to the field of information technology as well:
- The future information society requires mainly non-criminal measures for the prevention of computer crime. Technical security standards that include access control systems, instructions for the system users concerned and appropriate general conditions of civil and administrative law are much more important than criminal law provisions.[123]
- However, at the same time an adaptation of criminal law to the new risks is necessary: The general reproach of an over-criminalization by the protection of collective interests as well as the use of "per se bans" and strict-liability offenses of "risk criminal law"[124] is not justified in this analyzed field of information technology. The presented analysis of "information law" has shown that the introduction of new objects of legal protection by the reform laws - especially intellectual property and the citizen's right to privacy - is justified by new needs for protection in the information society. Problems of imputation of the risk society as well as the resulting "per se bans" can hardly be noticed in the field of criminal information law. Only in the field of criminal data protection law is there an over-criminalization, which is however not due to the creation of new collective objects of legal protection or "per se bans", but to disregarding the classic ultima-ratio principle of criminal law.
- Legal regulations must not concentrate on coincidental technological changes as was done in various formulations of the 2nd German Act for the Prevention of Economic Crime. What is necessary is structural thinking and a description of the functions thus resulting to law which can also deal with a changed technology.[125]
Summing up the discussion about the consequences of the risk society, one can say that the development of crime and law in the field of information technology disproves for this particular sector the global, general criticism of a too far-reaching "risk criminal law". The new criminal provisions and likewise the new procedural powers of intervention for criminal investigations in the field of information technology are predominantly justified by the social changes presented. Legal policy must nevertheless accept the reproach that non-criminal measures have been neglected and that a partly insufficient legal technique has been used.
C. Global Society and International Legal Harmonization
The third general line of development behind the problems described here is the loss of importance of national borders and the corresponding international harmonization of law. The coming together of the citizens of the world - in general related to a greater mobility - can be seen in the field of computer crime particularly with the use of international telecommunication networks: The mobility of data in these networks makes it possible to commit a crime with the help of a computer of which the results take place abroad. Data can be transferred via international networks in a split second without any control possible.
Different national laws for the prevention of computer crime would therefore necessarily lead to "data havens" or "computer crime havens",[126] which would then entail national restrictions to the free flow of information. Such national barriers would not only be inefficient because of the existing possibility of using international telecommunication networks for an encoded transfer of data abroad. National restrictions and supervision would moreover endanger the citizens' right to privacy and the business secrets of enterprises and would hinder the economic development of an international information market. If we want to characterize the changes analyzed with some catchwords, we must add the catchword "global society" to the terms "information society" and "risk society".
For this reason the international harmonization of information law by the EC, the Council of Europe, the OECD, the UN, the WIPO and the AIDP has to be welcomed and to be carried on. Furthermore, in a time of radical changes with new dangers of informatics and technology, a strengthening of contacts among the single nations is necessary.
The criminological part of this paper has shown that the spreading of computer technology into most areas of life, especially the increasingly close relationship between data processing and data telecommunication technology, has made computer crime more diverse, more dangerous, and more international. The legal part of the article could trace back the multitude and the complexity of the resulting legislative reactions to six groups of problems and "waves" of reform: the protection of privacy, the fight against computer-related economic criminal law, the protection of intellectual property, the fight against pornography and other communication offenses, the reform of procedural law as well as new regulations concerning safeguard measures and the recognition of an electronic signature.
These developments of crime and the law are based on the underlying social changes and shifts of paradigms which will continue to exert crucial influence on our law in future:
- The emergence of the information society with its new objects of protection under criminal law,
- The changes of the risk society in which non-criminal measures deserve greater attention but in which measures of criminal law and criminal procedural law will also play an important role, as well as
- The growing together of the citizens in a "global society" in which new challenges can only be coped with by means of international cooperation.
These changes entail a loss of power of the classic national state both in favor of regional and supranational governmental organizations as well as in favor of multinational companies. Therefore, the effective protection of the citizen in the newly emerging information and communication society is only possible if these basic changes are considered and shaped positively. We need an intensified cooperation of national states and supranational organizations, new prevention and prosecution measures of information technology, as well as adequate control strategies of data protection law.
[1] Updated and extended version of an article in the German language published in Computer und Recht (CR) 1995, pp. 100 et seq.
[2] Cf. Sieber, Computerkriminalität und Strafrecht, 1st edition 1977, 2nd edition 1980, pp. 1/39 et seq., 2/97 et seq. (Japanese translation by Noriyuki Nishida and Atsushi Yamaguchi, 1986 and 1988).
[3] Cf. Sieber, The International Handbook on Computer Crime, 1986, pp. 26 et seq. (French translation "La délinquence informatique" by Sylvie Schaff and Martine Briat, 1990); Sieber, The International Emergence of Criminal Information Law, 1992, pp. 6 et seq.
[4] In Germany, the share of data protection infringements compared with the total number of computer crime cases registered by the police just amounted to about 1 % in 1993. Cf. Federal Criminal Agency (ed.), Police Criminal Statistics of 1993, 1994, table appendix 01, sheet 18, key figure 7280 as well as Möhrenschlager, in: Sieber (editor), Information Technology Crime, 1994, p. 200.
[5] Cf. already John Stuart Mill, On Liberty, 1859; Popper, The Open Society and Its Enemies, 2 vol., 1945.
[6] Cf. for this case van der Merwe, in: Sieber (editor), Information Technology Crime, 1994, p. 423.
[7] Cf. for the last two cases Sieber, The International Handbook on Computer Crime, 1986, pp. 23 et seq.
[8] For computer manipulations outside economic crime cf. infra I C.
[9] Cf. for the last two cases Sieber, Computerkriminalität und Strafrecht, 2. ed. 1980, pp. 58 et seq., 61 et seq.
[10] Cf. for this case Yamaguchi, in: Sieber (editor), Information Technology Crime, 1994, p. 307.
[11] Cf. for this (1995) "Datenschutzberater", vol. 10, p. 23.
[12] In Germany, the number of card misuses was five times bigger than the number of traditional manipulations in 1993, card misuses thus being responsible for more than two thirds of the computer crimes. In Japan, 1,081 cases of card misuses were counted in 1990 compared to 77 cases of other computer crimes. Cf. for this Federal Criminal Agency (ed.), Police Criminal Statistics of 1993, 1994, table appendix 01, sheet 10, code figure 5163 and 5175; as well as Möhrenschlager and Yamaguchi, in: Sieber (ed.), Information Technology Crime, 1994, pp. 200 et seq., 305 et seq.
[13] Cf. Yamaguchi, in: Sieber (ed.), Information Technology Crime, 1994, p. 307.
[14] Cf. for the Japanese case Yamaguchi, in: Sieber (ed.), Information Technology Crime, 1994, p. 307.
[15] Cf. for this case Kertész / Pustazai, in: Sieber (ed.), Information Technology Crime, 1994, pp. 251 et seq.
[16] Cf. "DIE WELT" of March 19, 1994, p. 12., as well as "Frankfurter Allgemeine Zeitung (FAZ)" no. 289 of December 13, 1994, p. 22 and no. 5 of January 6, 1995, p. 4; "Focus" no. 50 of December 12, 1994, pp. 244 et seq. The German Telekom reacted to the shown cases with measures of public security of which the essential parts are individual invoicing, special warning reports in case of an increase of the telephone costs and the setting up of a center for network security in Darmstadt; cf. for this "Computer Zeitung", no. 3 of January 19, 1995, p.6.
[17] In the German statistics of 1991, only 1-2% of all the cases of computer crime registered were cases of computer sabotage. Cf. Federal Criminal Agency (ed.), Police Criminal Statistics of 1993, 1994, table appendix 01, sheet 14, code figure 6742; and Möhrenschlager, in Sieber (ed.), Information Technology Crime, 1994, pp. 200 et seq.
[18] In the Netherlands, statistics for computer viruses reveal that these cases of sabotage amount to almost a third of the total number of computer crimes. Cf. Kaspersen, in: Sieber (ed.), Information Technology Crime, 1994, p. 347 (with explanations about the groups of crimes on p. 345).
[19] Cf. for this case Hafner / Markoff, Cyberpunk, 1991, pp. 251 et seq.
[20] Cf. for this "FAZ" No. 28 of February 2, 1995, p. 1 and No. 29 of February 3, 1995, p. 1.
[21] This dependency also leads to the high total damages which in different statistics are described as a consequence of computer breakdowns. Thus the total damage which occurred in Austria for private enterprises due to computer breakdowns in 1988 amounts to 1,500 million schilling, cf. Schick / Schmölzer, in: Sieber (ed.), Information Technology Crime, 1994, p.22. In France the corresponding total damage adds up to 10,400 million francs in 1991, of which 5,900 millions are caused by wilful damage actions, 2,700 millions are caused by accidents and 1,800 millions are caused by false operations and programmings, cf. Francillon, in: Sieber (ed.), Information Technology Crime, 1994, p.173.
[22] Cf. for this case Kaspersen, in: Sieber (ed.), Information Technology Crime, 1994, pp. 351 et seq.
[23] In a Dutch statistic of 1991, the cases of hacking amount to approx. one fifth of all computer crimes. Cf. Kaspersen in: Sieber (ed.), Information Technology Crime, 1994, p. 347 (with explanations about the groups of crimes on p. 345). The twilight zone of hacking is very large, because the respective attempts of getting access often cannot be registered and traced back.
[24] Cf. for this case Hafner / Markoff, Cyberpunk, 1991, pp. 139 et seq.
[25] Cf. Sieber, Informationstechnologie und Strafrechtsreform, 1985, pp. 54 et seq.
[26] Cf. "Focus" no. 17/1993, p. 106.
[27] Cf. "Der Spiegel" No. 34/1992, pp. 206 et seq.
[28] In the German statistics of 1991, 1% of the cases of computer crime can be assigned to computer espionage. Cf. Möhrenschlager, in: Sieber (ed.), Information Technology Crime, 1994, pp. 200 et seq.
[29] Cf. Yamaguchi, in: Sieber (ed.), Information Technology Crime, 1994, p. 307.
[30] Cf. García, 38 (1991) UCLA Law Review, pp. 1043 et seq. (at p.1055).
[31] Cf. Sieber, Computer und Recht 1986, pp. 699 et seq.
[32] Cf. also Schick / Schmölzer, in: Sieber (ed.), Information Technology Crime, 1994, p. 30.
[33] Cf. "Newsweek" of June 29, 1992, pp. 44 et seq.
[34] E.g. in Austria, the total damage caused by software piracy (without damages caused by violations of semiconductor protection) is estimated at 3000 million schilling: Cf. Schick / Schmölzer, in: Sieber (ed.), Information Technology Crime, 1994, p.30. In Canada, the losses caused by software piracy are estimated at 200 million dollars: Cf. Piragoff, in: Sieber (ed.), Information Technology Crime, 1994, p. 87. In Germany, the Union of the Software Industry estimates a business loss to the extent of 1.5 billion US $ due to Far Eastern illegal copies; cf. "Handelsblatt" No. 2 of January 3, 1995, p.1. Therefore the share of software piracy in computer crime is very high: In Germany, it amounts to more than 10% in 1991 and to almost 10% in the Netherlands. Cf. for the corresponding statistics Möhrenschlager, in: Sieber (ed.), Information Technology Crime, 1994, pp. 200 et seq.; Kaspersen, loc. cit., p. 347 (with explanations about the groups of crimes on p. 345).
[35] Cf. for this von Gravenreuth, CR 1995, p. 122 (at p. 124).
[36] Cf. "Handelsblatt" of November 7th, 1994, p.16.
[37] Cf. von Gravenreuth, CR 1995, pp.122 et seq.
[38] Cf. for Canada Piragoff, in: Sieber (ed.), Information Technology Crime, 1994, p. 87.
[39] Cf. for this also Braun, Produktpiraterie, 1993, pp. 11 et seq., and CR 1994, pp. 726 et seq.
[40] Cf. Anti-Defamation League of B''hai B'rith, Hate Groups in America, 1988; Maegerle / Mletzko, Terrorism / Extremism / Organized Crime 1994, no. 5, pp.1 et seq.; Federal Ministry of the Interior (ed.), Report of the Protection of the Constitution 1993, p.23, pp.147 et seq.; Möhrenschlager, in: Sieber (ed.), Information Technology Crime, 1994, p. 108; Werthebach, NWVBl. 1994, 201 (203); Response of the Parliamentary State Secretary Lintner of April 21, 1994 to questions of the Member of Parliament Böhm, Bundestagsdrucksache 12/7357; "PC Computing", December 1989, pp.146 et seq.; "Focus" No. 4/1995, pp. 52 et seq.; for the "Thule-Netz" cf. also CHIP no. 3/1994, pp. 82 et seq.
[41] "Computer Zeitung" No. 46 of November 17, 1994, p. 20.
[42] Cf. for this as well as for the service-providers' limited actual possibilities of control Sieber, JZ 1996, pp. 429 et seq., 494 et seq.
[43] Cf. for this case "Der Spiegel" No. 9/1994 of February 28, 1994, p. 243.
[44] Cf. Arquila / Ronfeldt, Cyberwar is Coming!, Comparative Strategy, vol. 12 (1993), pp. 141 et seq.; Molander / Riddile / Wilson, Strategic Information Warfare - A New Form of War, 1996 (edited by the National Defense Research Institute RAND, Santa Monica/Ca).
[45] Cf. esp. for hacking and for economic espionage infra II B.
[46] Act on the Statistics for Federal Purposes of 22 January 1987, Federal Law Gazette (BGBl.) I, p. 462.
[47] 10th Book of the Social Security Code of 18 September 1980, BGBl. I, p. 1469; amended by the 2nd Act for the Amendment of the Social Security Code (2. SGBÄndG) of April 26, 1994, BGBl. 1994 I, p.1229.
[48] Framework Registration Act of 16 August 1980, BGBl. I, p. 1429.
[49] Act on a Census of Population, Professions, Buildings, Housing and Workplaces (Population Census Act) of 8 November 1985, BGBl. I, p. 2078.
[50] Cf. the First Draft for an Amendment of the Model Draft of a Uniform Police Act of the Federation and the Regions (VEME PolG) of 12 March 1986, sections 8a - d, printed in Kniesel / Vahle, Vorentwurf zur Änderung des Musterentwurfs eines einh