Подписаться на новости Версия для печати

Liability for computer crime in Russia

© 2003, Victor Naumov


A computer crime is an extremely versatile and intricate phenomenon. By objects of such criminal offences could be either hardware (computers and peripheral units) as the material objects, or computer software and databases, for which the hardware is the surrounding. Thereby, a computer can serve either as an object or as a tool of transgression.

All the attempts to suppress the computer crime have been inexpedient until 1st January 1997, when the new Criminal Code of the Russian Federation (RF CC) was enforced. In spite of explicit public threat, such encroachments were not illegal, i.e. they did not fall under criminal jurisdiction.

The situation has changed after 24 May 1996, when the State Duma of the Russian Federation adopted the Russian Federation Criminal Code.

The structure of the computer crimes (i.e. the list of elements featuring a socially harmful action as a certain crime) is stated in Chapter 28 of the Criminal Code, which is headed 'Crimes in a computer information sphere'. This Chapter comprises three articles: 'Unauthorized access to a computer information' (Article 272), 'Creation, use and spread of detrimental computer programs' (Article 273) and 'Infringement of operating rules of a computer, a computer system, or a computer network' (Article 274).

Let us give thorough consideration to all the three articles of the RF Criminal Code, concentrating, thus, on the basic elements of the computer crime, i.e. infringements of legally protected rights and interests in information computer systems, which fall within jurisdiction of criminal legislation.

Unauthorized access to computer information (Article 272 of the Criminal Code)

Article 272 of the Criminal Code stipulates liability for an illegal access to a computer information (information recorded to a machinery carrier, a computer or a computer network), if demolition, block, modification, copying of information or operating irregularities of computation systems have been caused.

This Article implies a protection of author's right of immunity of information in a system. Any owner of a computation system (a computer or a computer network) or that one purchased the right to use a computer may be the owner of the information computation system, while legally using services of processing of information.

Crimes should be punished according to Article 272 of the Criminal Code if imply an illegal access to protected computer information, e.g. break and enter to the computer system by special technique or software enabling to overcome all alarm systems, unauthorized using of valid passwords, or masking under the name of an authorized user, theft of information carriers, provided that security measures have been taken, and the action aforesaid caused demolition or block of information.

The access to a protected computer information shall be recognized wrongful if an offender is not authorized for receipt of and operation with this information or a computer system.

A causal connection between an unauthorized access and occurrence of consequences stipulated by Article 272 is of importance, so that mere temporal coincidence of irregularities in the computer system, which could result from the defects or just errors in the computer programs and wrongful access, does not entail criminal liability.

An unauthorized access to a computer information is deliberate one. Committing this crime, a person consciously breaks and enters the computer system foreseeing probable or unavoidable consequences stipulated by law, but either desires and consciously admits or does not care of those.

There may be any motifs and purposes to this crime, including a mercenary one, as well as an intention to obtain any information, to make harm or to test own professional abilities. We have to stress an accuracy of actions of the law maker, who eliminated a motive and a purpose from the list of necessary elements of the aforementioned crime, so that Article 272 of the Criminal Code could apply to various computer offences.

The Article comprises two parts, first of which stipulates as severe punishment to the lawbreaker as two years long deprivation of liberty. One of the representative examples of application of this article is the criminal case tried by Moscow court in 1991. The case dealt with a larceny of 125.5,000 USD from Foreign Economic Bank of the USSR and with preparation to larceny of more than 500,000 USD. Another case evidences the attempt to grand larceny (total 68 billion Rbl) committed in September 1993 from the Head Cash Office of the Central Bank of Russia in Moscow. The next case took place in 1990. Thus, a computer program for transfer of komsomol members' dues at one of domestic enterprises was so developed, that deductions have been made not only from the salary of komsomol members, but also from the salary of all the staff members under 28 years old. Total of sixty seventy people suffered that time. Today this crime would be qualified in terms of Part 1 of Article 272 of the Criminal Code.

The second part of Article 272 enhances criminal liability up to five years long deprivation of liberty for the crime committed by a group of people, by the one misusing his official position, or by those having free access to information computation system.

According to criminal legislation, the persons achieved 16 years old could be by subjects of the computer crime. However, the second part of Article 272 stipulates an additional inherent feature of a subject of crime, assisting in commitment of this offence, i.e. an official position, as well as free access to a computer, a system of computers or a computer network.

Article 272 does not cover the event when wrongful access resulted from casual handling. If this is the case, a significant layer of possible offences and even deliberate actions is truncated, because the intent of the lawbreaker would be unlikely proved by investigations. For instance, in the Internet, where millions of computers are networking, one could easily and involuntarily break and enter to the protected area of information, while switching from one computer to another to implement any specific operation.

Creation, use and distribution of detrimental computer programs (Article 273 of the Criminal Code).

The Article stipulates criminal liability for creation or modification of computer programs known to bring to unauthorized destruction, block and modification or copying of information, operating irregularities in information systems, as well as for using of such programs or machinery carriers with such programs.

The Article protects the rights of owner of the computer system for immunity of information contained in the system.

Under detrimental programs in the context of Article 273 of RF Criminal Code the programs shall be understood which have been purposely developed to damage normal operation of the computer programs. Under the normal operations, those enlisted in the program's specifications shall be understood, which these programs have been designed for. The most widely spread detrimental programs are computer viruses and logic bombs.

To make somebody criminally liable under Article 273, no any negative consequences should necessary been caused to the owner of information. The fact sui generis of creation of the programs or modification of existing programs known to cause negative consequences enlisted in the Article is rather sufficient.

Publication, reproduction, distribution and other manner to put programs in use are understood by using the program. The program could be recorded to PC memory, to material carrier, distributed via networks or sent to other persons.

Criminal liability under this Article shall arise immediately upon creation of a program, irrespectively whether this program was in use or not. In terms of Article 273, availability of original texts of virus programs is already a ground for institution of criminal proceeding. One should take into account, that in some instances using of such programs is not subject to criminal liability. It concerns to activity of licensed companies developing antiviral programs

This Article consists of two parts distinguishable from each other by the lawbreaker's relevance to the committed actions. The crime stipulated by Part 1, Article 273 could be committed only deliberately. Moreover, the lawbreaker ought to be sure, that creation, use or distribution of detrimental programs has to bring to violation of immunity of information. Thereto, the purposes and motifs do not effect on qualification of attempts in the context of this Article, so the noblest inspirations (e.g. the efforts towards environmental safety) do not release from liability for the crime per se. The heaviest punishment for an offender in this event will be deprivation of liberty up to three years long.

The second part of Article 273 admits the great harm caused by reckless disregard as an additional qualifying feature. While committing the crime stipulated by the second part of this Article, an offender is aware that he creates a harmful program, uses or distributes such a program or its carriers. Meanwhile, he either foresees the great harm to be, but groundlessly hopes to prevent it, or does not foresee it, though ought to if was sufficiently careful and long-sighted. This legal norm is to be expected, since only high skilled programmers are capable of development of detrimental programs. Their professional skill enables to foresee a diversity of the potential consequences of using of such programs, e.g. human death, harm to people health, real threat of war or other calamity, and malfunction of transportation systems. In this part, the Court can impose the maximal sentence up to seven years of deprivation of liberty.

If the offensive actions bear signs not only of the crime stipulated by Article 273 of the Criminal Code, but also of another crime (murder, demolition of the property), the offender will be liable for total of the committed crimes.

Violation of operating rules of a computer, a system of computers or a computer network (Article 274 of the Criminal Code)

Article 274 of the Criminal Code makes a person having an access to a computer, a system of computers or a computer network liable for infringement of operating rules, demolition, block or modification of legally protected information, provided that such an infringement caused a substantial harm.

The Article protects the owner's interest of computational system's correct maintenance.

Naturally, this penal norm does not contain certain specifications, referring, therefore, to departmental rules and regulations specifying operating procedure, which should be established by an authorized person and reported to users. This Article does not extend to the Internet, but only to local networks of organizations.

Under the legally protected information, this one shall be understood, for which the special acts stipulate peculiar legal assistance.

A causal connection should be proved to exist between the fact of infringement per se and caused substantial harm. Above that, the occurred consequences should be exactly proved to result from violation of the operating rules.

Determination of a substantial harm, in terms of this Article, is a process of evaluation. Accordingly, the court evaluates a harm caused in each individual instance proceeding from merits of a case. However, it is clear that a substantial harm should be less severe as compared to serious consequences.

The violator of the operating rules is a person having an access to a computer system, who ought to obey the specified technical regulations.

The lawbreaker commits the offence deliberately. While infringing the operating rules, he foresees possible or unavoidable wrongful effect to information, and also a substantial harm to be, but desires or consciously admits such harm or does not care of its occurrence. Such the offences are to be punished most severe by deprivation of right of taking certain posts or occupations up to five years.

The second part of Article 274 stipulates liability for reckless infliction. For instance, in compliance with this Article the actions should be qualified of a staff member of the transport control system, who installed to the computer an infected program without preliminary antiviral checking, thereby inflicted a serious transport accident.

Legal authorities proclaimed the facts of unauthorized access to the computer of the Computational Centre of Russian railroads and also to electronic information concerning registered dwelling and non-dwelling premises in local administration of many towns. Today such offences are to be penalized according to Articles 272 or 274 of the Criminal Code, depending on actions of the offender and on the operating rules of a certain network.

It is necessary to note that the elements of offences, stipulated by Articles 272 and 274 of the Criminal Code, are very similar from the technical standpoint. A minor diversity implies authorized or unauthorized access to a computer, to a system of computers or to their network. Article 274 of the Criminal Code refers the reader to operating rule of the computer system, whereas Article 272 denotes irregularity in operation of the computer system as one of the consequences, that from the technical standpoint is a backward from operating rules and regulation. Therefore, it seems to be reasonable to join these similar crimes by law.

Thus, some shortcomings in the wording of articles and ambiguous qualifications in addition to impartial complexity of the computer technique and difficulties in gathering of evidence hinder effective criminal prosecution of unlawful acts committed in the sphere of the computer technology.


Published: Decemner, 6, 2003