Computer law is a relatively new field, although the practice of law enforcement regarding computer crimes is emerging, in this area there are still many circumstances that are not regulated by law. The first article that opens the chapter of the Criminal Code of the Russian Federation on computer crimes is Art. 272 of the Criminal Code of the Russian Federation Illegal access to computer information. This is one of the articles establishing punishment for hacking. But the specifics of criminal prosecution in Russia are such that it is often not malicious hackers who are subject to criminal prosecution, but ordinary users by an absurd accident - a gift for the brutal Russian justice system.
What is unauthorized access to computer information
According to the Federal Law “On Information, Information Technologies and Information Protection,” access to computer information means searching and obtaining any information in any form and from any source, subject to compliance with the requirements established by law.
Restriction of access to computer information can be established on the basis of federal laws, for example “On State Secrets”, “On Personal Data”, “On Trade Secrets”, etc. Of course, such information requires protection from unauthorized access. Access to such information by a person who does not have permission or authority to do so will circumvent the protection and will be considered unauthorized access. CRIMINAL LAWYER call now: ☎ 8 (495) 532-75-40
Commentary to Art. 272 of the Criminal Code
1. The subject of the crime is computer information protected by law (note 1 to the article). Such information, as a rule, represents information about persons, objects, facts, events, phenomena and processes on external media, in computer memory or a computer network. Information is protected by law insofar as the person does not have access rights to this information; the nature of the information, its protection by legislation on copyright and related rights, legislation on state secrets, etc. does not matter.
2. The objective side of the crime is characterized by unlawful access to legally protected computer information. Access to information involves obtaining a real opportunity to familiarize yourself with, change, move or delete information in the absence of properly obtained rights to perform all or a number of these actions. In most cases, the receipt of the corresponding rights is evidenced by the consent of the owner of the information, expressed either directly in the form of opening access to otherwise inaccessible information (providing a login, password, etc.), or implied in relation to specifically unprotected information. In this case, access rights may be limited to the ability to review, review and copy information; in this case, other actions with information should be considered illegal access.
3. Gaining access to information is not enough to recognize a crime as completed. It is necessary that the consequence of actions committed during unauthorized access is the destruction, blocking, modification or copying of information. For the content of these actions, see the commentary to Art. 159.6 CC; blocking should be understood as restricting access to information to other persons without deleting it; “modification” means any change in information; Copying should be understood as creating a copy of information on external media or another computer.
4. Actions regarding information with limited access (information constituting state secrets, commercial, tax or banking secrets, etc.) should be qualified according to the totality of Art. 272 of the Criminal Code and the corresponding other elements of the crime.
For what actions is liability provided under Art. 272 of the Criminal Code of the Russian Federation
Under illegal access to computer information according to Art. 272 of the Criminal Code of the Russian Federation refers to unlawful access to computer information if this act entailed the destruction, blocking, modification or copying of computer information. That is, to form a crime under Art. 272 of the Criminal Code of the Russian Federation requires such signs as illegal access to computer information and if certain consequences occurred as a result of this access. This is a simple composition provided for in Part 1 of Art. 272 of the Criminal Code of the Russian Federation, liability for which is up to two years in prison. Belongs to the category of a crime of minor gravity. The subsequent parts 2, 3 and 4 of the article provide for qualified offenses - causing major damage or committed out of selfish interest (Part 2), by a group of persons by prior conspiracy or by an organized group, or using official position (Part 3), if the acts entailed grave consequences , or created a threat of their onset (Part 4). The composition provided for in part two already belongs to the category of moderate severity and provides for a maximum punishment of up to four years of imprisonment, the third and fourth parts belong to the category of serious and provide for a maximum punishment of up to five and up to seven years, respectively.
Features of computer fraud (Article 159.6 of the Criminal Code of the Russian Federation)
Lawyer Antonov A.P.
The peculiarity of this type of fraud is that it can only be committed using computer technology. The crime includes a wide range of actions, namely the theft of someone else’s property or the acquisition of rights to someone else’s property by entering, deleting, blocking, modifying computer information or otherwise interfering with the functioning of means of storing, processing or transmitting computer information or information and telecommunication networks. Due to the fact that we are talking about a specific area and the legislator uses special terms, it is first necessary to understand them. According to the note to Art. 272 of the Criminal Code of the Russian Federation, computer information is understood as information (messages, data) presented in the form of electrical signals, regardless of the means of their storage, processing and transmission. In accordance with paragraph 4 of Art. 2 of the Federal Law of July 27, 2006 N 149-FZ “On information, information technologies and information protection”, an information and telecommunication network is a technological system designed to transmit information over communication lines, accessed using computer technology. Based on Art. 6 of this Law, information resources are owned by legal entities and individuals, are included in their property, and are subject to civil legislation. Modification of computer information also means a change in the software through which information is collected, stored, processed, transmitted, and a change in the information array itself. According to the Resolution of the Plenum of the Supreme Court of the Russian Federation dated November 30, 2017 N 48 “On judicial practice in cases of fraud, misappropriation and embezzlement” within the meaning of Art. 159.6 of the Criminal Code of the Russian Federation, interference in the functioning of means of storing, processing or transmitting computer information or information and telecommunication networks recognizes the purposeful impact of software and (or) software and hardware on servers, computer equipment (computers), including portable (portable) laptops , tablet computers, smartphones - equipped with appropriate software, or on information and telecommunication networks, which violates the established process of processing, storing, transmitting computer information, which allows the culprit or another person to illegally take possession of someone else’s property or acquire the right to it. As an example, consider the following situation. Citizen P., by entering, deleting, blocking, modifying computer information (hacking passwords, changing logins, accessing the Bank-Client system), committed the theft of funds from the current account of LLC B in the amount of 25 million rubles, which he disposed of at his own discretion, transferring them to the settlement accounts of third-party organizations controlled by him. It is also worth noting that fraud committed through unauthorized access to computer information or through the creation, use and distribution of malicious computer programs will most likely be additionally qualified under Art. Art. 272 (“Illegal access to computer information”), 273 (“Creation, use and distribution of malicious computer programs”) or 274.1 (“Unlawful influence on the critical information infrastructure of the Russian Federation”) of the Criminal Code of the Russian Federation. Thus, we are talking about elements of a crime adjacent to the one under consideration. Moreover, in the case of fraud in the field of computer information, depending on the specific situation, practice follows the path of imputation and Art. 159.6, and Art. 272 of the Criminal Code of the Russian Federation (or Art. 273, 274.1 of the Criminal Code of the Russian Federation). Article 272 of the Criminal Code of the Russian Federation provides for criminal liability for unlawful access to computer information. In this case, a prerequisite for liability is the presence of consequences in the form of destruction, blocking, modification or copying of computer information. As we see, it is the nature of the consequences that distinguishes Art. 159.6 from Art. 272 of the Criminal Code of the Russian Federation. If we are talking about taking possession of someone else’s property, then qualification is carried out according to Art. 159.6 of the Criminal Code of the Russian Federation. If, in the process of theft of property, destruction, blocking, modification or copying of computer information occurs, then the actions of the perpetrator are additionally qualified under Art. 272 of the Criminal Code of the Russian Federation. At the same time, as we have already indicated, practice follows precisely this path. For example, to steal funds from an “electronic wallet,” you first need to obtain an access code to this wallet. If a person hacks it using technical capabilities and steals funds, the actions will be qualified under Art. Art. 159.6 and 272 of the Criminal Code of the Russian Federation. Practice follows the same path if the theft of property occurs with the help of malicious computer programs (Article 273 of the Criminal Code of the Russian Federation). Our advice is the following. In order to prevent a company from becoming a victim of computer fraud, it is necessary to pay special attention to information security, namely to have highly qualified IT specialists, as well as specialists in the field of information security and reliable software. It is important to carefully select persons who have the right to access closed files, the Bank-Client system, and also have information about the corresponding passwords. If doubts arise about the employee’s reliability, measures should be taken to change access passwords and exclude from his functional responsibilities work with confidential information, in particular with the organization’s current accounts. Managers and owners of companies are recommended to personally constantly monitor transactions related to the movement of funds through current accounts, as well as information about persons who have access to them. As qualifying features of this crime, the legislator establishes the commission of these actions: - by a group of persons by prior conspiracy, as well as causing significant damage to a citizen; - by a person using his official position, in large amounts, from a bank account, as well as in relation to electronic funds; - by an organized group or on a particularly large scale.
Still have questions for your lawyer?
Ask them right now here, or call us by phone in Moscow +7 (499) 288-34-32 or in Samara +7 (846) 212-99-71 (24 hours a day), or come to our office for a consultation (by pre-registration)!
Arbitrage practice
Criminal cases under Parts 1, 2 and 3 of Art. 272 of the Criminal Code of the Russian Federation, courts in most cases consider them in a special manner (Chapter 40 of the Code of Criminal Procedure). The defendant declares his agreement with the charge brought against him and asks for a verdict without examining and evaluating the evidence. In such cases, the court is limited to examining mitigating and aggravating circumstances.
In some cases, courts, at the request of investigators, issued decisions to terminate cases with the imposition of a criminal law measure in the form of a court fine in the amount of 20 thousand rubles.
A unique judicial practice includes a criminal case against M., whom the investigation exposed for illegal access to the victim’s email and his account in a network computer game, and for the theft and sale of virtual game assets. In this case, the investigation qualified M.’s actions under Part 2 of Art. 272 of the Criminal Code as unlawful access to computer information committed out of selfish interest. After all, the accused actually unlawfully obtained the password to the user’s game account, blocked access to mail and account, caused damage to the victim, and did it out of self-interest.
The court ruled to terminate the criminal case against the perpetrator on the basis of Art. 25 of the Code of Criminal Procedure of the Russian Federation in connection with reconciliation with the victim. The court indicated that the defendant was accused of committing a crime of medium gravity for the first time, was not convicted, fully admitted guilt in committing the crime, repented, reconciled with the victim and compensated the latter for material damage. The victim stated in court that he had no material or moral claims against the defendant.
Controversial and erroneous practice under Art. 272 of the Criminal Code of the Russian Federation is largely due to the fact that investigative bodies and courts ignore the explanations of the Plenum of the Armed Forces of the Russian Federation and incorrectly or excessively impute charges for this crime due to a lack of understanding of its essence.
The established judicial practice can be called controversial in terms of qualifying the actions of persons who copy expensive software products and then use means of hacking their protection in order to gain full access to the program. For example, the investigation accused the leading engineer of the enterprise of copying counterfeit copies of expensive computer programs “KOMPAS-3D V 18.1” and Microsoft Office Enterprise 2007 on the Internet. Then he copied and used malicious files “Key.txt”, patch.msp and Materials.exe, which gave him “the ability to work with the software product in a fully functional mode in a manner not provided by the copyright holder.”
The investigation qualified the citizen’s actions not only under Part 2 of Art. 146 of the Criminal Code - illegal use of objects of copyright or related rights, as well as the acquisition, storage, transportation of counterfeit copies of works or phonograms for sales purposes, committed on a large scale. In addition to this composition, the investigation also brought charges under Part 1 of Art. 272, part 1 art. 273 CC. Charge under Art. 272 of the Criminal Code, the investigation justified the fact that the culprit modified computer information by his actions, and the charge under Art. 273 of the Criminal Code in that it neutralized the means of protecting the software product by malicious programs. of the Russian Federation for reconciliation with the copyright holder of one of the programs. The court justified this decision by the fact that the defendant fully agreed with the accusation, repented of his crime, compensated the victim for the harm, stopped using unlicensed software, cooperated with the investigation, and himself informed law enforcement officers of the circumstances of receiving unlicensed software. The court decision does not contain information about reconciliation with the copyright holder of the second program (Microsoft Office Enterprise 2007).
The case on charges under Art. 272 and 273 of the Criminal Code, the court dismissed it due to active repentance, essentially justifying this in the same way as it justified the dismissal of the case due to reconciliation with one of the victims
The courts made the same conclusions in other similar criminal cases.
In such situations, the actions of the perpetrator are fully covered by Art. 146 of the Criminal Code of the Russian Federation. If a person uses programs to break the security of a specific software product in order to use it in his professional activities, but then does not forward the counterfeit product and malicious files to others, then he is only committing a violation of the copyright of the copyright holder. Hacking a licensed program in this case acts as a method of committing this crime. Articles 272 and 273 of the Criminal Code rather protect against the creation and replication of malicious programs (viruses), software methods of overcoming (including remote) protection of means of storing and processing legally protected computer information for the purpose of copying, destroying, blocking and modifying it.
Illegal opening of bank accounts
In one of the criminal cases, the investigation accused the head of the mobile group of a separate structural branch of the FSUE Russian Post of unlawfully using the software of PJSC Post Bank and opening five current accounts, registering them without the consent of clients, for which she received additional monetary reward from the bank in the amount of 100 rubles. for every account. The investigation considered that since the citizen entered personal data of persons who were not clients of the bank, this resulted in a modification of the bank's client database.
The investigator qualified the actions of the culprit under Part 3 of Art. 272 U RF. He petitioned the court to terminate the criminal case against the accused and impose a court fine. The court granted the petition, dismissed the case and imposed a court fine on the perpetrator.
In this case, the qualification of the actions of the perpetrator under Art. 272 of the Criminal Code is controversial, since she did not make any modifications to the bank’s software itself. Her actions only led to the distortion of the bank's customer database and the payment of bonuses to her for opening accounts. The actions of the accused could rather be regarded as a crime under Art. 165 of the Criminal Code of the Russian Federation “Causing property damage by deception or abuse of trust”, if the amount of damage caused was at least 250 thousand rubles.
Position of the Plenum of the RF Armed Forces
The Plenum of the RF Armed Forces has not yet adopted a separate resolution on the practice of applying Art. 272 of the Criminal Code of the Russian Federation. Only in the resolution of November 30, 2017 No. 48 “On judicial practice in cases of fraud, misappropriation and embezzlement” of the Supreme Court o.
In practice, the crime provided for in Art. 272 of the Criminal Code of the Russian Federation, serves as a “companion” of crimes not only under Art. 159.6 of the Criminal Code, but also under Art. 137 of the Criminal Code “Violation of privacy” and Art. 138 of the Criminal Code “Violation of the confidentiality of correspondence, telephone conversations, postal, telegraph or other messages.” Sometimes in criminal cases we are talking about an ideal set of crimes. At the same time, the lack of clarification on how to apply Art. 272 and 273 of the Criminal Code of the Russian Federation, leads to problems during judicial review, as well as to clearly erroneous court decisions regarding the qualification of the act.
Evidence in the case
Standard set of evidence in criminal cases under Art. 272 of the Criminal Code of the Russian Federation includes:
1. confessional testimony of the suspect (accused);
2.testimony of the victim or a representative of the victim, if the victim is a legal entity;
3.testimony of witnesses;
4.protocols of inspection of the scene of the incident (with a photo table) and objects (documents);
5.decrees on the recognition and inclusion in the criminal case of material evidence in the form of computer equipment and its components;
6.record of search of the home;
7. conclusions of information technology and information technology forensic examinations;
8. conclusion of a fingerprint forensic examination;
9. conclusions of complex computer-technical and forensic author's examinations (identification of the person who wrote a specific computer program);
10. conclusion of a forensic accounting examination.
