Cybercrime and Real Punishment
Pop culture has romanticized the hacker’s image and turned it into a sort of modern-day hero who fights abuse of power, as seen in V for Vendetta or Mr. Robot. Indeed, hacker movements like Anonymous play a significant role in building democracy, supporting various social changes and defending an uncensored Internet through Denial of Service (DoS) / DDoS attacks, doxing and other not strictly legal methods. Such deeds, which have an idea behind the activity, are also known as hacktivism, even though not all hackers share this vision of how their skills should be used.
On the other hand, hackers also break into various systems or websites just to get some money, or distribute malware like worms, Trojans or other computer viruses that steal personal data or bank account information. This is the other side of the hacker’s world that we are all accustomed to: hackers are criminals who do malicious things.
Finally, some engage in hacking simply because hackers just wanna have fun: someone might find vulnerabilities and use them to change something in a system, for example to leave a picture of a unicorn with a rainbow for a tail on a police department’s web page because it’s downright ridiculous and therefore funny.
Still, no matter the reasons, such activity is definitely a crime under the current legislation of most countries. It’s probably impossible to be a hacker without sometimes asking oneself: whatcha gonna do when they come for you?
Computers, People, and Their Laws
Long before hackers became the most dreaded menace across all seas of the internet, the very word “hacker” had a different meaning. It came into being in the 1960s in big universities like MIT, where an enthusiastic person trying to do something unconventional with a computer system was called a “hacker”. Even though access to the computers and the time of their use were strictly limited at MIT, those people managed to find a moment for their little experiments. Basically, hacker culture was created by highly passionate tech enthusiasts.
A decade later, the term “hacking” acquired a new meaning: playing with existing computer or information systems and bypassing their restrictions. One of the most famous “hackers” of that time was John Draper, who is a great example of how curiosity helps improve one’s skills as well as computer systems and security technologies.
In the 1970s phone networks “communicated” using specific tonal signals, which was quite convenient at that period of time. One day Draper found a toy whistle in a Cap’n Crunch cereal box, and after a few talks with phone phreakers, people who study, experiment with, or explore telecommunication systems, he discovered that the whistle could emit a tone at precisely 2.6 kHz, the same frequency that was used by AT&T long lines. The system used a tone of that frequency to indicate that a trunk line was ready and available to route a new call, so the whistle allowed phreakers to call from payphone boxes to other states and cities for free.
The next step was the so-called “blue box”. It emulated the same tonal signals but could also tap into secret communication lines and make a call to the White House or the Pentagon. In 1971, Esquire wrote an article about phone phreaking that was based on John Draper’s comments. Soon after the article had been published, Draper and other phreakers were arrested and accused of toll fraud, but they were released shortly after the arrests, as there were no specific laws on cybersecurity.
The term “hacking” started acquiring negative connotations only in the 1980s. Back then, the U.S. started developing cybersecurity legislation, possibly after a few instances it found outrageous. For example, Kevin Poulsen and his friends took control of the phone lines to radio station KIIS-FM 102 to guarantee they would win a competition organized by the broadcaster. The friends ensured that they would be the “lucky” 102nd caller and thus won two new Porsches, $20k and two vacations in Hawaii.
After this and several other cases, hackers reasonably started to be associated with crime. During the 1990s, one of the most famous hackers, Kevin Mitnick, received two sentences for the cybercrimes he committed. This period was also something like the hackers’ Golden Age: computer systems were connected to the internet, websites and programmes were not properly protected, and users had no idea of any hacking methods.
Nowadays, hackers are like the two sides of the Force: there is the Dark side, the so-called “black hats”, who commit crimes for profit or other criminal purposes; and the Light side, the “white hat” hackers who act against them and assist in eliminating vulnerabilities in different systems.
Still, the latter can violate laws just like the former, and the law doesn’t make much of a distinction between them. However, there are numerous approaches to dealing with this complex matter, and they go all the way down from international conventions to local legislation.
Thus, the Council of Europe has drawn up the Convention on Cybercrime (C3), a multilateral document aiming to regulate cybercrime. The Convention was opened for signature on November 23rd, 2001 in Budapest and came into force on July 1st, 2004. Even though 57 countries have already signed and ratified the Convention on Cybercrime, including non-Council of Europe states like the USA, Australia, Japan and so on, the text has no clear definition of what “cybercrime” actually is.
Still, unlike the Convention itself, its summary actually gives some sort of a definition, describing cybercrime as crime committed via the Internet and other computer / communication networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security.
However, the C3 isn’t the only source of regulation in this area. Cybercrimes are regulated by a wide range of documents, including international agreements and national laws. Even at the international level, C3 is not the only instrument: in several specific cases, such as recruitment for terrorism via the Internet or stealing money from a bank account for the purpose of terrorism financing, the Convention on the Prevention of Terrorism becomes applicable.
The most likely targets of cybercriminals are always those who have something to lose, and in the overwhelming majority of cases they are located in the most developed regions of the world, such as the E.U. or the U.S. Their approaches toward tackling cybercrime, however, are extremely different, and so are the results of their efforts.
Diversity in Europe
The EU legislation doesn’t address cybercrimes directly. Several European Directives regulate adjacent questions related to internet activities and are generally applicable to a broad variety of cybercrimes. The main ones are:
- The General Data Protection Regulation (GDPR), which is a regulation regarding data protection and privacy for all individuals within the European Union.
- Measures to counter unsolicited commercial communications (“spam”) is a legal document that contains basic recommendations on how to prevent and counter spam.
- The European Programme for Critical Infrastructure Protection is a programme designed to identify and protect critical infrastructure that, in case of a fault, incident or attack, could seriously impact both the country where it is hosted and at least one other European Member State.
- The Directive on attacks against information systems is a document establishing rules concerning the definition of criminal offences and the relevant sanctions.
Earlier, the European Union had so-called Council Framework Decisions, which were legal documents not too dissimilar to EU Directives. Framework Decisions (FD), like Directives, set the general direction and goals for improvement, but FDs were used exclusively in police and judicial co-operation in criminal justice matters (preventing and fighting crime, etc.). However, the Lisbon Treaty abolished framework decisions. In particular, the two main framework decisions, the Council Framework Decision on combating terrorism and the Council Framework Decision on attacks against information systems, are no longer in force.
The European Union has aimed to raise its level of cybersecurity because cyber attacks have become a real threat not only to people but also to states, as they are capable of affecting their economies. Shortly after massive cyber attacks like Petya_A and WannaCry, the European Council called for the adoption of a common approach to cybersecurity across the EU, following the cybersecurity package proposal, whose main points are:
- Building a stronger EU cyber security agency instead of the existing European Union Agency for Network and Information Security (ENISA).
- Proposal to build an EU-wide cybersecurity certification scheme to ensure the high quality of software and cybersecurity services.
- The implementation of the NIS Directive, which entered into force in August 2016 and aimed to increase the security level of information systems.
Still, the EU can address only some general matters, but the devil is always in the details. The European Union is a union of independent sovereign nations, and therefore each of them is entitled to devise its own measures against crime, which has ambiguous results. According to research prepared by Website Builder Expert, the level of cybersecurity in the EU varies significantly. The research found that the most secure countries in the EU are Finland, Estonia, and Germany.
At the same time, the research found that Malta, Greece, and Romania have the lowest level of cyberprotection in the EU. In order to understand what makes cyberprotection good and what makes it bad, it’s reasonable to take a look at the extreme cases. And that’s exactly what we’re going to do now.
As was stated above, Finland has the lowest percentage of cybercrimes vulnerability (29%) even though it has no specific regulations and laws on cybercrime or cybersecurity.
These questions are governed only by several provisions in the Criminal Code of Finland. However, Finland has always been concerned with security, and has enforced so-called Information Security Strategy (ISS) since 2013.
The ISS can tell us a lot about why Finland is so safe. For example, the 3rd Chapter says: “Each ministry and administrative branch is responsible for cybersecurity and disturbance management within their mandate.” This represents a so-called “national approach”, where all authorities without exception take part in maintaining cybersecurity. Moreover, the state also adopted the Implementation Programme for Finland’s Cyber Security Strategy for 2017–2020 (Implementation Programme) to study the existing security gaps and make the cybersecurity infrastructure more efficient.
As was said, Finland has no specific laws on the issue, and doesn’t even enforce any reporting requirements to enhance its cybersecurity. Maybe Finland has strict punishments for hackers? Spoiler alert: not really.
The list of cybercriminal activities recognized by the Finnish Criminal Code includes the fairly obvious identity theft, unauthorized wiretapping, and espionage, along with the less obvious computer break-ins, tampering with communication channels, and damage to data. However, any of these acts, according to Finland’s criminal code, will result in at most four years of imprisonment, and in the majority of cases entails just a fine.
Thus, in 2015, the District Court of Espoo found 17-year-old Julius Kivimaki guilty of more than 50,700 computer break-ins, but did not put him in prison. Mr. Kivimaki received a two-year suspended prison sentence and was obliged to pay 6,588 Euros in fines, the worth of the property the hacker obtained through his criminal actions.
Malta, for its part, took 76th place in the Global Cybersecurity Index (GCI) 2017, prepared by the International Telecommunication Union (ITU).
Like Finland, Malta does not have any specific regulations for cybercrimes, except the Criminal Code of Malta (Sub-Title V). Malta also uses the International Organisation for Standardisation Standard 27001 to help organize the process of storing and securing the collected information, although this standard does not impose any obligations on public and private entities that store users’ personal data. The country also has the Malta Cybersecurity Strategy 2016 in place, which is intended to strengthen the state’s cybersecurity and combat cybercrimes.
The Criminal Code of Malta criminalizes the following offenses:
- The unlawful use of a computer or other device or equipment to access any data.
- Unauthorized activities that hinder access to any data.
- Unlawful disclosure of data or passwords.
- The misuse of hardware.
The Maltese cybercrime legislation is a little stricter than that of Finland. For example, for identity theft, the criminals can be sentenced to a fine that does not exceed 29,293.73 Euros or to four years in jail at most. A judge may choose to apply both punishments at once, depending on the severity of the specific crime.
In some cases, the punishment may be even stricter if the hacker’s offences:
- Caused serious damage.
- Were committed against a critical infrastructure facility information system.
- Were committed through the misuse of personal data of another person, with the aim of gaining the trust of a third party, thereby causing prejudice to the rightful identity owner.
- Maliciously affected any governmental activity or function, or hampered, impaired or interrupted in any manner the provision of any public service, whether or not such service is provided or operated by any government entity.
In those cases the minimum fine can’t be lower than 500 Euros and, at the same time, can’t exceed 150,000 Euros. The term of imprisonment may also vary from 12 months to 10 years. The judge can use both fines and imprisonment to punish the offender, if he or she deems it appropriate.
Notably, Malta has stricter laws and more severe punishments, but in terms of cybersecurity it’s still the least secure country in the EU. Therefore, the level of cybersecurity doesn’t necessarily correlate with the legal framework that regulates it. Despite the fact that Finland has very mild punishments for hackers, it takes many actions to make national systems more secure.
As the E.U. is not a federation, the level of cybersecurity may vary from one member state to another, leading to a certain imbalance and urging the European Commission to issue directives that would make security more uniform throughout the union. Across the Atlantic, however, lies a federation that has very strict laws in place to tackle any attempt at committing a cybercrime, sometimes at a terrible price.
America the Strict
Traditionally, the US has been the cradle of innovation in information technologies. Silicon Valley has produced tools that have become an integral part of our lives, like Google Search or eBay. The internet protocol that connects the whole world was also developed by Americans. So, the rapid growth of Internet-related business and e-commerce has also given rise to cybercrime.
The aforementioned GCI 2017 report shows that the U.S. is the second most protected country in the world in terms of cybersecurity. Moreover, it also states the U.S. has the highest scores for the cybersecurity legislation and its enforcement.
The federal cybersecurity legislation includes numerous laws. The most crucial of them are listed below:
- Health Insurance Portability and Accountability Act (HIPAA) obliging health care providers and related business associates to develop and follow the rules that ensure the confidentiality and security of sensitive health data, when it is transferred, stored, or processed.
- Gramm-Leach-Bliley Act, a set of rules governing financial institutions’ operations regarding the storing and processing of their clients’ data.
- Homeland Security Act, which created a special authority, the U.S. Department of Homeland Security, which is responsible for fighting cybercrimes and strengthening domestic cybersecurity.
- Cybersecurity Information Sharing Act (CISA) 2015, the federal law designed to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.
- Cybersecurity Enhancement Act of 2014 that also was prepared to make informational systems more secure.
However, the list could be even longer. The US has specific legislation establishing liability for cybercrime. The United States Code (18 U.S.C.) is the main source of federal cybercrime legislation, and you may find a detailed overview of cybercrime legislation here. 18 U.S.C. has been amended several times, notably by the Computer Fraud and Abuse Act (CFAA) and the Identity Theft Enforcement and Restitution Act. According to the U.S.C., cybercrime includes but is not limited to:
- Fraud and related activity in connection with identification documents, authentication features, and information (U.S. CODE § 1028). The unlawful use of personal information will be fined, and those responsible may be imprisoned for 5 to 20 years.
- Fraud and related activity in connection with access devices (U.S. CODE § 1029) will be penalized by a fine or an imprisonment of 20 years at most.
- Fraud and related activity in connection with computers (U.S. CODE § 1030). Punishments could go as far as charging the criminal with a fine and/or imprisoning them for up to 20 years.
- Fraud and related activity in connection with electronic mail (U.S. CODE § 1037). A person that would be found guilty will be punished with a fine and/or sent to jail for 3 to 5 years.
- Sexual exploitation of children (U.S. CODE § 2251). Violators will be fined and sent to jail for not less than 15 years and not more than 30 years.
- Certain activities relating to material involving the sexual exploitation of minors (U.S. CODE § 2252). Persons found guilty would be fined and/or imprisoned for 5 to 20 years.
- Misleading domain names on the Internet (U.S. CODE § 2252B). Perpetrators will be fined and imprisoned for up to 10 years.
- Interception and disclosure of wire, oral, or electronic communications prohibited (U.S. Code § 2511). A person that conducts an interception and information disclosure of wire, oral, or electronic communication might be punished by the law with a fine and/or sentenced to jail time of up to five years.
- Unlawful access to stored communications (U.S. Code § 2701). This crime will be punished with a fine and/or imprisonment of five years at most. Subsequent offenses will extend the imprisonment to the term that does not exceed 10 years.
Notably, each state can define its own punishment for cybercrime. Considering this, the penalty for criminal activity could be either stricter or milder, depending mostly on state laws.
Another peculiarity of U.S. cybercrime legislation is the judicial practice. The country rigidly counters various cybercrime threats, so the courts’ decisions are quite severe. For example, on May 7th, 2018, Romanian citizen Calin Mateias (38) was sentenced to one year of imprisonment and a payment of $29,987 in damages to Blizzard Entertainment as compensation for the funds spent on countering his DDoS attacks on World of Warcraft servers back in 2010. The U.S. obtained the hacker’s extradition from Romania and the court judged him according to its own laws.
However, the laws and judges aren’t always so mild. Aaron Swartz, the hacktivist and software developer, was prosecuted for downloading millions of documents from the JSTOR library using MIT’s Internet connection with the intention of making them freely accessible to a wide audience. Even though JSTOR declined to sue Mr. Swartz, the United States attorney for Massachusetts, Carmen M. Ortiz, said:
“Stealing is stealing, whether you use a computer command or a crowbar, and whether you take documents, data or dollars. It is equally harmful to the victim whether you sell what you have stolen or give it away.”
Mr. Swartz was accused of fraud and related activity in connection with electronic mail, fraud and related activity in connection with computers, and several more crimes. Because of that, he was facing 30 to 50 years in jail along with a repayment of around $2 million. Faced with this, Aaron Swartz committed suicide.
Thus, even having a good regulatory basis for preventing and fighting cybercrime is not enough. However, the laws do force entities, both governmental and private, to develop cybersecurity programmes, implement them, and ensure the safety and privacy of the data at their disposal.
The society and authorities should understand that hackers or malware creators are not always criminal masterminds, or some malevolent force that only damages computer systems.
Many hackers write their code out of pure curiosity. Some of them even submit their findings to antivirus software developers to help them improve their products. Some developers create malware to educate themselves and find vulnerabilities in particular services’ cybersecurity. In a word, it might be wrong to demonize all hackers just because there are certainly some criminals in their midst.
Regardless of the reasons why people hack something, such activity may lead to unpleasant consequences and a term in jail. So, people who are fond of exploring various systems had better use their skills wisely and not push their luck.