Compilation of case law on computer crimes or cybercrime
18 March 2020
One of the most important difficulties when studying the phenomenon of cybercrime from a legal point of view, and when acting for the defense or the prosecution in computer crime cases, is the scarcity of existing case law and, above all, the serious problems of legal certainty that come from a body of scant precedents, which are not consolidated and are sometimes out of reach of the unification of criteria that the Supreme Court can carry out.
This is explained not only by the difficulty of the subject but also by the very construction of the criminal offences, which abuse indeterminate legal concepts, establish very unusual actions, or are subject to the principle of de minimis non curat praetor, that is to say, the law is not interested in minor matters.
Cybercrime is often expressed in countless minor attacks that make up a very serious but hidden criminal phenomenon. The specific manifestations of this criminality are often of no interest to the law, law enforcement or the courts. Isolated cases of minor fraud or sabotage (for example, online fraud of a few hundred euros) do not prompt any serious investigation, yet they are the manifestations of organized crime: large and complex machinery of victimization, often controlled from foreign jurisdictions.
CYBERCRIME AND LEGAL CERTAINTY
Since the entry into force of the new “casación” (appeal before the Spanish Supreme Court) system under article 849.1 LECr (Criminal Procedure Law), the Supreme Court has had the opportunity to offer some criteria to unify jurisprudence.
Since SCJ (Supreme Court judgment) 2010/2017 of March 28 (and according to the agreement of the non-jurisdictional plenary of the Second Chamber of the Supreme Court of June 9, 2016), this path of homogenization of the interpretation of criminal regulations has begun, to protect not only judicial review but also the principle of legal certainty and equality in the interpretation of the law.
The new casación is already providing some interpretations that, correct or not, give legal certainty to face the phenomenon of cybercrime.
CASE LAW ON COMPUTER CRIME
Below I list some court rulings dealing with some of the most significant computer crimes. Apart from judgments of the Supreme Court, those of the lower courts are useful to know the state of the matter or because they address specific matters or controversies.
Regarding cyber-trespassing or hacking (197 bis Criminal Code), there is very little case law, but the ACJ (Appeal Court judgment) of Girona 358/2015, dated June 22, is interesting because it lists some types of security measures (biometrics, firewalls, encryption, passwords, etc.) that can integrate the elements of the offence: the violation of security measures to enter a computer system without authorization.
Regarding espionage offences (discovery and disclosure of secrets) of articles 197 and following of the Criminal Code, there are different interesting judgments, some of which are from the Supreme Court.
The SCJ of April 23, 2019 deals with the existence or not of authorization for accessing personal or family data. It establishes that “authorization” is not only having the right to access the data but also doing so “within the functions entrusted”. According to this case law, an official who has access to our data would be committing a crime if he accessed them for reasons other than those related to his duties.
In the SCJ of April 29, 2019, a distinction is made between sensitive data (the criminal damage will be implicit in the action) and confidential but non-sensitive data (where the possible damage will have to be demonstrated).
In the SCJ of December 19, 2019, all espionage actions are punished separately (adding each and every penalty associated with each victim) without using any rule to reduce the penalty, so the Court asked for a pardon for the convicted person due to the disproportion of the resulting penalty.
On the interesting controversy over the monitoring of workers by employers, three key cases set the three different points of view on the issue. CCJ (Constitutional Court judgment) 241/2012 established the monitoring criteria in relation to a dispute of a labor nature, while the SCJ of June 16, 2014 of the Criminal Chamber positioned the debate in a more demanding way, recalling the need for judicial authorization for the investigation of suspected crimes committed by employees. Finally, we have the judgment of the ECtHR Grand Chamber in the Barbulescu case, which is the current benchmark in the matter and is very demanding in terms of the protection of fundamental rights.
Regarding fraud and computer scams, the SCJ of December 17, 2008 makes a curious assimilation between the legal requirement of a “similar technique” and the simple use of computer equipment, while the recent SCJ of February 10, 2020 speaks of a computer scam for the mere use of stolen passwords.
In my opinion, there is still a very common confusion between the different types of fraud (traditional fraud of article 248.1 CC and computer fraud of article 248.2.a CC) that makes it difficult to understand when the element of “deception” has to be demonstrated and when it does not, because the scam is digital in nature and only requires the demonstration of the use of a “computer manipulation or similar technique”.
There is no relevant case law of the Supreme Court on computer damage under the current articles 264 to 264 ter CC. That is one of the most complex situations in my opinion, given the complicated way in which those articles criminalize the conduct they describe. The requirement of a “double severity” (severity of the action and severity of the damage caused) in the sabotage offence (264 CC) really complicates the application of the offence but, conversely, the case law of the Courts of Appeal is convicting for computer damage some actions that theoretically would not have fit the legal description of the offence.
Some judgments of the courts of appeal deal with some interesting aspects: ACJ Badajoz, 130/2018 of July 23 deals with the existence of an attempt to damage in cases of an easy restoration of the deleted data from backup services; ACJ Lleida, 201/2018 of May 4, talks about the concept of severity of the damage; ACJ Madrid, 23/2017 of January 10 seems to (wrongly) integrate the idea of the damage or injury with that of the just compensation.
One of the few judgments I know of that deal with the offence of computer system interruption (264 bis CC) is the Anonymous case, which was decided at first instance by Criminal Court No. 3 of Gijón, Judgment 224/2016 of July 6, and the outcome was an acquittal (confirmed by the Appeal Court).
The case law is unanimous on the difficulty of fitting the impersonation of social network profiles on the internet into the crime of usurpation of civil status (for example, ACJ Zaragoza, 106/2018 of April 10), but the alternative suggested in the ACJ Madrid, 461/2017 of May 25, of fitting the action into the crime of forgery, is interesting.
Regarding child grooming offences of article 183 ter CC, there are also some important judgments of the Supreme Court.
In SCJ 864/2015, of December 10, the Supreme Court validates the “child monitoring” or parental control over the social network accounts of minor children to prevent the risk of victimization, and determines the consumption of the grooming offence within the crime against sexual freedom committed later (only one offence is punishable), even against the literal wording of the provision, which suggests that both offences should be punished. The thesis of the concurrence between grooming (recruitment of the minor) and the sexual crime finally executed (sexual abuse or sexual assault) is also maintained by SCJ 109/2017, of February 22, and has finally been established in the non-jurisdictional agreement of the Plenary of the Second Chamber of November 8, 2017.
The crime of stalking has already been addressed three times by the Supreme Court with important judgments that define the fundamental elements of the offence: repetition of actions, aim of persistence and serious damage to the daily life of the victim. They are SCJ 324/2017, of May 8, SCJ 554/2017, of July 12 and SCJ 117/2019, of March 6.
The first judgment on this criminal offence had been issued by the Investigating Court No. 3 of Tudela, Judgment of March 23, 2016 in a plea-bargain proceeding.
SCJ 70/2020 of February 27 addresses for the first time the analysis of the offence of article 197.7 CC, which has sometimes been related to the concepts of sexting or revenge porn. The judgment discusses and establishes a precedent in relation to the content of the disseminated material, the responsibility of the person who disseminates the material and that of third parties who re-disseminate it without having obtained it from the victim directly (e.g. retweets), constituting an interesting approach to this criminal phenomenon.
There are still many unknowns and doubts regarding the interpretation of the law on computer crime that we hope will be solved when judges and tribunals bravely face the task of fighting this phenomenon.