1. Does accessing a Facebook account fall within the provisions of art. 360 of the Criminal Code?
Deed committed out of curiosity by a student at the Faculty of Engineering. Through criminal sentence no. 38 of 21.02.2019, pronounced by the County Court of Arad [1], the defendant was sentenced to 1 year and 4 months imprisonment for the crime of illegal access to a computer system, provided for by the provisions of art. 360, par. 1 and 3 of the Criminal Code, noting that the defendant accessed, without right and without the consent of the account holder, the Facebook account of the aggrieved party, access to which was restricted to users other than the account holder. The defendant knew the aggrieved party; sometime before the incident he had helped her change the access password to her personal e-mail account, which is how he knew the security questions. His motivation was just curiosity to see how easily a Facebook account can be accessed. In fact, he acknowledged this before the Judge.
As it is about accessing a service of the information society, I believe that we cannot talk about accessing an information system in this particular situation. However, the doctrine admits that the Facebook account is created and hosted on a „virtual machine” (on a server) and that, through his action, the student intentionally accessed the server area allocated to the account of the aggrieved party, a situation in which the provisions of art. 360 par. 1 and 2 of the Criminal Code do apply. However, par. 3 of art. 360 of the Criminal Code could be retained only if there was an actual violation of security measures, but not in the event that the perpetrator accesses the computer system through already known access credentials.
In this context, I anticipate that at the appropriate time, the legislator will consider the criminalizing of illegal access to an electronic communications service or to an information society service in order to eliminate possible inconsistencies or ambiguities.
2. What does “obtaining computer data” mean?
Within a procedure of notifying the court with a plea agreement, the defendant was sentenced to 6 years in prison under the aspect of committing the crime provided by art. 360 par. 1, 2 and 3 of the Criminal Code, consisting in the fact that „he entered the office of the aggrieved party (…) and stole a wallet containing the amount of 185 lei and a BCR bank card; (…) After stealing the wallet, finding inside a bank card and a document containing the PIN code attached to the card, in the time interval 15.49 – 15.51, repeatedly, at short intervals, used the electronic payment instrument without right, respectively performed from an ATM three cash withdrawal operations, thus stealing the amounts of 1,000, 2,000 and 2,000 lei (in total the amount of 5,000 lei)”. In addition to the offense of illegal access to a computer system, the defendant was charged with, among other things, the offense of fraudulently conducting financial transactions.
Of course, given the recognition procedure, the motivation of the court, at least regarding the retention of art. 360 par. 2 of the Criminal Code, is missing [2]. The „visual capture of data” displayed by the ATM was probably taken into account, but this was not the intention and purpose of the defendant, who allegedly committed the crime of illegal access to a computer system regardless of whether or not the data was displayed on the screen; thus, compared to the factual situation retained against the defendant, I consider that the variant from par. 2 of art. 360 of the Criminal Code was wrongly retained, and the correct solution would have been to retain only the offense in its standard version (art. 360 par. 1 of the Criminal Code).
An interesting and different factual situation, from the perspective of art. 360 par. 2 of the Criminal Code, is also the one retained in Criminal Sentence no. 1/PI of 03.01.2020 pronounced by the County Court of Timiș, consisting in „unauthorized access to a computer system by using a computer program to which access is prohibited (POS systems) for certain categories of users in order to obtain computer data.” [3], whereas „software” is a „set of instructions that can be executed by a computer system to achieve a given result” [4], such as operating systems, antivirus programs, etc., and not a computer system.
3. Is the POS an information system within the meaning of art. 360 of the Criminal Code?
Another case, in which the first court wrongly ordered the change of the legal classification of the accusation brought against the defendant so as to include par. 2 of art. 360 of the Criminal Code, was remedied by the court of judicial control [5], which considered that „the first instance erroneously assessed that the situation of an ATM – device that always requires the entry of a PIN code, and if it is correct, allows direct access of the person who entered it to the computer data related to the bank account of the cardholder – would be the same as that of a POS device, intended exclusively for making payments to merchants and which, regardless of the need to enter or not a PIN code, allows only one payment, without the person using the bank card gaining direct access to the computer data held by the bank. It follows, therefore, that in the case of the unauthorized use of an authentic bank card in a POS device belonging to a merchant for the purpose of making payments, this is not intended to obtain computer data, as this type of operation is not in a position to obtain such data. In this context, the Court reiterated that the person using the card on a POS device can only obtain in this way a payment and never access to computer data.” The solution of the court of judicial control, retaining against the defendant only the standard version of the crime provided by art. 360 of the Criminal Code, is correct. Of course, the crime of fraudulent financial transactions was also retained in the case.
An even more interesting situation is the one retained in Criminal Sentence no. 235/F of 14.02.2019 of the County Court of Bucharest, in which, although the defendant tried to make payments with two previously stolen bank cards, he failed because one of the two electronic payment instruments did not have sufficient funds and access to the other was blocked, being convicted for two offenses of illegal access to a computer system provided by art. 360 par. 1 of the Criminal Code to 3 years imprisonment each [6]. Given that the defendant used the two bank cards in the same context and in the same circumstance, I consider that in this case the continued form of the crime of illegal access to a computer system should have been retained. In this case, it was necessary to retain the continued form also with regard to the offenses of attempting to carry out financial operations fraudulently.
Also, in a similar case, I was struck by the reasoning of the court: „In this case, the qualified version of the crime of illegal access to a computer system will be retained. Par. 2 will be retained because the deed was committed in order to obtain computer data, consisting of computer data found on the server of the bank issuing the card that allows checking the balance of the bank account to which the bank card is attached, and checking the validity of the card. Par. 3 will be noted as the computer system of the POS and the card issuing bank is restricted through internal procedures for legitimate users of bank cards and, in addition, in the case of transactions by typing the PIN code there is an additional restriction generated by entering the correct code. Thus, the aggravated form will be retained even when the disregard of the restriction is facilitated by the deficiencies of the protection system, which allow the easy evasion of the protection. The removal of the requirement to enter the PIN code for contactless payments under 100 lei was made as a result of a standard provision of the bank, tacitly accepted by the injured party, a circumstance that cannot be retained in favour of the defendant.” [7] „nine contactless payments to the POS machine of the commercial unit where she was employed, in the amount of 650 lei, an amount she appropriated in cash from receipts, accessing without right the computer system of the card issuing bank, but also of POS acquis.” The court’s view that the concepts of „access to the POS computer system” and „contactless payment” are equivalent is erroneous.
From a technical point of view, although the POS can be considered an information system, I consider that the interpretation of the courts is exaggerated, being able to create unwanted precedents in the sense of considering that any interaction with electronic equipment would represent the crime of illegal access to a computer system on the grounds that the device functions as a computer system. In this case, I consider that it would have been necessary to retain only the offense of carrying out financial operations fraudulently (art. 250 of the Criminal Code).
4. Does in dubio pro reo apply in the field of cybercrime?!
By a decision [8] of the High Court of Cassation and Justice, the defendant was sentenced, among other things, to 6 months imprisonment for the crime of illegal access to a computer system, provided by art. 42 of Law no. 161/2003, with the application of art. 41 para. (2) of the previous Criminal Code and art. 5 of the Criminal Code, the court noting that he had used without right the bank card of his deceased grandmother, accessing a computer system (ATM). The defendant defended himself by stating that his grandmother gave him the card to use from the beginning, that he went with her to the bank to open the account and that he had power of attorney on the account, and that his right to use it also resulted from the fact that he had the PIN code. In support of his claims, he requested the taking of evidence (hearings of witnesses, requesting documents from the banking unit), which was rejected. He also stated that the legal classification retained against him is specific to those who clone cards and steal money from account holders, without right, which has nothing to do with the current situation. The High Court rejected the defendant’s defences, retaining against the defendant the „illegal use of a bank card belonging to his deceased grandmother, illegal access to the ATM and financial operations.” Although the court’s reasoning frequently includes the phrase „illegal use of a bank card”, along with „fraudulent financial transactions”, the first does not represent a distinct crime, but a manifestation of the crime provided by art. 250 of the Criminal Code.
It is interesting that the Supreme Court invoked in support of the solution the lack of relevance of the defendant’s status as sole heir and of the agreement given by the grandmother to use the card, since there were no documents on the record concerning the cardholder’s death and the use of the card, through knowledge of the security element, by the defendant appellant, although the evidence previously requested by the defendant to be administered in the case was rejected. I note that the court’s presumption regarding the crime of illegal access to a computer system was one of guilt, a presumption extracted from the whole factual situation that outlined the commission, both objectively and subjectively, of the crimes of complicity in computer fraud and computer fraud, but also of performing financial operations fraudulently.
A recent conviction was upheld by the Ploiești Court of Appeal by Criminal Decision no. 299 of March 25, 2020 [9] under the aspect of committing the crime provided by art. 360 para. 1 and 3 of the Criminal Code – 18 material acts and the crime of computer fraud (art. 249 of the Criminal Code) – 18 material acts, consisting in the fact that the defendant, as a counselor in the Treasury, „Accessed without right, the computer system of the Boldești Scăieni Treasury, by logging in to the TREZOR application, where he had a “creative” user account with the TREZ13 ID and related password (which according to internal rules was updated / changed twice a month) and validated these fraudulent transactions, using the user account “confirming” with the SEP ID 01 and the corresponding password he held.” The financial transactions for payments from the accounts of some clients were carried out without their consent or approval to a bank account opened by her husband.
Since other relevant details regarding the factual situation are not presented in this case, at least under the aspect of the crime provided by art. 360 of the Criminal Code, I consider that the court correctly retained against the defendant the provisions of the standard version of the crime provided by art. 360 of the Criminal Code, as the banking official is authorized by the employing banking unit to access (use) the computer system for a certain (legal) purpose and based on an approved working procedure. Any other banking operation performed in excess of the limits set by the employer is an illegal act (manifested by exceeding the limits of the authorization), especially if it overlaps with others, for example with material acts limited to the crime of computer fraud. Regarding the retention of the aggravated variant (art. 360 par. 3 of the Criminal Code), I consider that it was not required, since it does not appear that the defendant violated / evaded any security measure, having a user account and the corresponding password in the current year of its activity.
Conclusions
It is observed from the judicial practice that the scope of protection that the legislator understood to grant to the computer systems would be apparently much wider, there being cases in which the judicial bodies analyse potential incriminations of the legal norm in particular situations.
It is very important that cybercrime legislation receives increased attention in order to really respond to the need for social protection according to the rule of criminalization, while avoiding exaggerated and forced interpretations of the rule of law.
It is obvious that the technical data relating to the material element of computer crimes, if not understood by someone who applies or uses such computer systems and/or computer programs, are very difficult to understand, and the lack of technical information at the level of legal practitioners can have serious consequences, because a magistrate who convicts instead of acquitting commits a miscarriage of justice.
FOOTNOTES
1. County Court of Arad, Criminal sentence nr. 38 from 21.02.2019, available here: http://rolii.ro/hotarari/5c9c36c1e490098c0900003a.
2. County Court of Cluj, Criminal sentence nr. 344 from 23.12.2019, available here: http://rolii.ro/hotarari/5e4df379e490099c22000038.
3. County Court of Timiș, Criminal sentence nr. 1/PI from 03.01.2020, available here: http://rolii.ro/hotarari/5e34e676e49009e41e00004b.
4. Source: (c) 2018 dr. Maxim DOBRINOIU, Nicolae Titulescu University of Bucharest, available on www.e-crime.ro.
5. County Court of Appeal Bucharest, Criminal Section II, Criminal sentence nr. 675 from 17th May 2019, available here: https://www.jurisprudenta.com/jurisprudenta/speta-15mbq13o/.
6. County Court of Bucharest, Criminal sentence nr. 235/F from 14.02.2019, available here: http://rolii.ro/hotarari/5c80873be49009281b000042.
7. County Court of Bucharest, Criminal sentence nr. 111 from 28.01.2020, available here: http://rolii.ro/hotarari/5e38d8a3e49009801c00002c.
8. High Court of Cassation and Justice, Criminal Section, Decision nr. 19/A/2020 from 22 January 2020, available here: http://www.scj.ro/1093/Detalii-jurisprudenta?customQuery%5B0%5D.Key=id&customQuery%5B0%5D.Value=157728.
9. Court of Appeal Ploiești, Criminal Decision nr. 299 from 25 March 2020, available here: http://rolii.ro/hotarari/5ea78cede49009381d000036.