DefCamp 2013 - A few cybercrime cases that could make us think...
1. A few cybercrime cases that could make us think...
Bogdan Manolea
www.legi-internet.ro
Defcamp
30 noiembrie 2013 - București
2. About me
● Writing for over 10 years about Laws & Internet
● Some minimal programming skills (from BASIC to HTML) or Internet tools (including Gopher and Telnet :p)
● Interested in digital civil rights (Executive Director ApTI, member EDRi, supporter EFF)
  – Freedom of Expression
  – Privacy online
  – Open copyright (e.g. Creative Commons, Open data, Open Education Resources)
5. New law?
Using a fork with an ATM is a crime and is punished with 3 years imprisonment
6. Current law
Law 161/2003
Art. 42 – (1) The access, without right, to a computer system is a crime and is punished with imprisonment from 6 months to 3 years.
Access, without right, to a computer system constitutes a criminal offence and is punished with imprisonment from 3 months to 3 years or with a fine.
7. CoE Cybercrime convention
● It is to be considered a criminal offence "when committed intentionally, the access to the whole or any part of a computer system without right."
● For this crime it is not necessary to by-pass a security measure
8. EU Directive
● Article 3 (...) when committed intentionally, the access without right, to the whole or to any part of an information system, is punishable as a criminal offence where committed by infringing a security measure, at least for cases which are not minor.
9. Computer system
● "computer system" means any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data;
10. Without right
● Current Romanian law
For the purpose of this title, a person acts without right in the following situations:
a) is not authorised, in terms of the law or a contract;
b) exceeds the limits of the authorisation;
c) has no permission from the person qualified to give it, according to the law, to use, administer or control a computer system or to carry out scientific research in a computer system.
11. What is "without right"
● EU directive
"without right" means conduct referred to in this Directive, including access, interference, or interception, which is not authorised by the owner or by another right holder of the system or of part of it, or not permitted under national law.
12. What does access mean?
● "Access" comprises the entering of the whole or any part of a computer system (hardware, components, stored data of the system installed, directories, traffic and content-related data). However, it does not include the mere sending of an e-mail message or file to that system.
● "Access" includes the entering of another computer system, where it is connected via public telecommunication networks, or to a computer system on the same network, such as a LAN (local area network) or Intranet within an organisation. The method of communication (e.g. from a distance, including via wireless links or at a close range) does not matter.
● Unauthorized access – term used in the US
13. Kerr's definition – Access
● The user accesses a computer each time the user sends a command to that computer and the command is executed.
● Access is any successful interaction with the computer
● Kerr, Orin S., "Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes". NYU Law Review, Vol. 78, No. 5, pp. 1596-1668, November 2003. Available at SSRN: http://ssrn.com/abstract=399740
17. Practical Cases
● Data breach at the Blueair website in 2006
● Directly accessible via a link
● Information published on several blogs:
  – http://eblogs.ro/sorin/2006/12/16/internetul-e-vorba-doar-de-cine-invinge-si-cinepierde/
  – http://www.zoso.ro/2006/12/blueair-noizburam-cu-datele-dvs.html
20. Access to an IT system
● A system administrator is hired by a company as a technical administrator (for tax purposes)
● In practice, he has access to all its IT systems with root access
● Legally, there is no document which states the rights of this person in relation to the IT system
● One day the company decides to give up his services and accuses him of access without right to its computer system
21. These are just a few cybercrime cases that could make us think....
● The definition of the illegal access to an information system can be very large...
● It is up to the law enforcement and judges to make the distinction between real and fake cases.
● But a stupid criminal case is a hassle for anyone involved...
22. But it should be wiser...
● To try to change the law
  – Maybe it needs to be a crime only if security measures are by-passed
  – Maybe we need to have a research exemption
  – Maybe it needs to be a crime only if there is a financial damage involved (like in R. Moldova)
  – Maybe the computer system admins need to have obligations (or be more responsible) as well in regards to keeping their systems secure
● It can be done! But first we need to identify publicly the problems
Security breach
A breach in the security systems of the servers of the Ministry of Public Finance allows any user of a computer connected to the Internet to access the database administered by the National Agency for Fiscal Administration (ANAF). In this way, complete information about natural persons can be obtained. We are referring here to surname, first name, complete address, personal numeric code (CNP) and the financial obligations a natural person has towards the Ministry of Public Finance. Normally, such a database should be protected both by using specialised software for protection against and limitation of unauthorised access and by installing firewall-type hardware devices. It seems that this does not exist in the Ministry of Finance's IT system, or, if it was installed, it is not administered correctly. As a result, the servers holding information of a secret nature are very easy to access. This allows interested parties to find out confidential data about a given person and, using this data, to influence certain decisions or to subject that person to blackmail. We are referring here to the identification data of any taxpayer, home address, personal numeric code and information about the obligations to pay taxes and duties to the state budget.