1. The concept of the crime of illegally obtaining computer information system data and illegally controlling computer information systems 1. Origin of legislation According to CNNIC statistics, in January 1996, the China Public Computer Internet (CHINANET) national backbone netw

1. The concept of illegally obtaining computer information system data and illegally controlling computer information systems

1. Origin of legislation

According to CNNIC statistics, in January 1996, China Public Computer Internet (CHINANET) national backbone network was completed and Officially opened, the nationwide public computer Internet network began to provide services, and China's Internet network took off from then on. In the subsequent " Criminal Law " of 1997, in order to adapt to the changes of this era, computer crime crimes were also formulated accordingly. At that time, because private computers had not yet been widely used by the whole people, the Criminal Law only stipulated two computer crime crimes, the crime of illegal intrusion into computer information systems and the crime of damaging computer information systems, which pointed to the type of crimes. is a relatively specific act of illegally intruding into computer information systems in the fields of national affairs, national defense construction, and cutting-edge science and technology, and acts of destroying computer information systems. However, intrusion and control of private computers of ordinary people have not yet been included in the scope of criminal sanctions.

As more and more private computers begin to spread across the country, some intrusion and control behaviors directed at private computer systems have gradually become more prominent: crimes of creating and spreading computer viruses, intruding and attacking computer information systems are growing rapidly, and illegally obtaining computer information Crimes involving system data and illegal control of computer information systems are increasing day by day, and phenomena such as the production and sale of hacking tools and the reselling of computer information system data and control rights are even more common. Taking into account the strong sense of insecurity that such cases may cause to private computer users and their serious social harm, the judicial authorities believe that it is necessary to use criminal law to regulate such cases in practice. The expanded use of larceny was a normative approach that was widely attempted at that time. However, such a treatment model is not the right treatment after all. For some criminal objects such as account names and passwords that cannot be evaluated for specific property value, it is inevitably too far-fetched to regulate the crime of theft. Conviction and sentencing lack legal basis and are widely controversial. Therefore, after the "Criminal Law Amendment (7)" officially came into effect in 2009, the "Criminal Law" added new crimes such as illegally obtaining computer information system data and illegally controlling computer information systems; providing intrusion and illegally controlling computer information system programs and tools; The crime is used to maintain the security of computer information systems and combat computer network crimes in the private sector.

2. Understanding of the crime

According to the provisions of the second paragraph of Article 285 of the current "Criminal Law", the crime of illegally obtaining computer information system data and illegally controlling computer information systems refers to "violating state regulations and intruding into computers other than those specified in the preceding paragraph. The information system or other technical means are used to obtain the data stored, processed or transmitted in the computer information system, or the computer information system is illegally controlled, and the circumstances are serious." From a practical perspective, the behavior patterns of this crime mainly include the following two types:

The first is to obtain relevant data in the computer information system through intrusion or other technical means. To understand this crime model, the first thing to clarify is the specific behavioral manifestations of "intrusion" and "other technical means". According to the qualitative aspect of "Prosecution Case No. 36: Case of Wei Menglong, Gong Xu, and Xue Dongdong Illegal Obtaining Computer Information System Data" in the "Notice of the Supreme People's Procuratorate on Issuing the Ninth Batch of Guiding Cases of the Supreme People's Procuratorate", " The concept of "intrusion" should refer to the act of illegally entering a computer information system against the victim's will. Its manifestations include not only using technical means to destroy system protection and entering the computer information system, but also including entering the computer information system without obtaining the victim's authorization, and also including entering the computer information system beyond the scope of the victim's authorization.More generally speaking, "intrusion" can be using technical means such as cracking passwords to break through, traverse, bypass or lift the security protection system of a specific computer information system without the consent of others, and enter the system without authorization, or it can also be the intrusion of data. Physical copying and duplication, setting up fake websites, tricking users into entering account numbers, passwords and other information, or unauthorized login to the computer system. Intruding into a computer information system and then downloading its stored data can be considered as illegally obtaining computer information system data. Another form of behavior of

is to achieve illegal control of other people's computer information systems. Regarding the understanding of "illegal control", there are no particularly clear provisions in the current judicial interpretations and laws and regulations. However, the "Supreme People's Court's Notice on Handling Criminal Cases Endangering the Security of Computer Information Systems" published in the 19th issue of "People's Justice (Application)" in 2011 In the article "Understanding and Application of the Interpretation of Several Issues in Case Application Law", the Supreme People's Court based on the legislative background and legislative purpose, "forming a botnet by controlling a large number of computer information systems" as the main example of illegal control of computers. Under the concept of botnet, "control server (Control Server)" refers to the central server for control and communication. The "control" behavior of the botnet is mainly through one-to-many distribution to a target website. Denial of Service (DDos) attacks, or using service requests to exhaust the system resources of the attacked network, making the attacked network unable to process requests from legitimate users. By deducing and understanding from this concept, it is not difficult to identify that the concepts of control and transfer of control in the "Interpretation" and its "Understanding and Application" are not the same as the aforementioned behavior patterns of intrusion and data acquisition, but a kind of A higher degree of resource occupation leads to a large proportion of legitimate users' control rights being deprived and even exclusive use by attackers. If we compare the concepts of "control" and "intrusion" in crimes involving computer information systems, control The concept should be later than the intrusion on the timeline, and have higher rights to use the computer system than the intrusion. After

has achieved the above-mentioned behavior constitution, if the social harm of the behavior reaches the level of "serious circumstances", it may be included in the scope of criminal sanctions. According to the "Supreme People's Court and Supreme People's Procuratorate's Notice on Handling Computer Harm Harm" "Interpretation of Several Issues on the Application of Laws in Criminal Cases of Information System Security", the "serious circumstances" of this crime can be roughly divided into the following categories: First, obtaining ten sets of identity authentication information for online financial services such as payment and settlement, securities trading, and futures trading. The second is to obtain more than 500 sets of identity authentication information other than the preceding paragraph; the third is to illegally control more than 20 computer information systems; the fourth is to illegally gain more than 5,000 yuan or cause economic losses of more than 10,000 yuan. And when the quantity or amount reaches more than five times the aforementioned four stipulated standards, it constitutes a "particularly serious case", and the corresponding sentence will be raised from "fixed-term imprisonment of not more than three years or criminal detention" to "seven years of more than three years" Imprisonment of not more than 1 year.”

2. Current Difficulties in Practice

When this crime was established, the number of judgments in practice was very small, and the judgments published on the Internet were mainly scattered in some serious hacking cases, computer virus cases, and some more serious financial identity information thefts. cases, and often constitute means and ends in criminal acts of credit card fraud. After 2016, as the concept of network virtual property gradually gained attention, cases of "account theft" related to online game accounts began to be regulated with this type of crime. After 2020, the intensity of combating computer network crimes has been further strengthened. Cases that use this crime to intrude on camera systems to snoop on privacy appear sporadicly. Except for some cases of invading cameras and recording other people's privacy for dissemination and trafficking, it is only used for personal use. There are also legal cases where people are punished for watching.

However, the existing problem is that in the cases of purchasing camera permissions for voyeurism disclosed on the Internet, when there is no other resale, diffusion, etc., and it is only used for personal viewing, the court has not yet determined the behavior of the perpetrator. Uniform standards. For example, in the case of "Gu Fujie illegally obtained computer information system data and illegally controlled computer information system", the presiding court held that the defendant's behavior constituted the crime of illegally obtaining computer information system data, and the password of another person's camera system account illegally obtained was determined to be someone else's. Identity authentication information, and based on the standards of Article 1, Paragraph 2 of the "Interpretations of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues Concerning the Application of Laws in Handling Criminal Cases Endangering the Security of Computer Information Systems" (whether more than 500 sets of identity authentication information were illegally obtained) It was judged that the circumstances were serious and should be subject to criminal prosecution. In the case of "Hu Yongyong and Wu Ziyang's crime of illegally obtaining computer information system data and illegally controlling computer information systems", the trial court held that the defendants illegally obtained the cracked ID account of the camera equipment in the victim's home through purchase and exchange from others. and password, and add it to the "Yunshitong" APP on your mobile phone. The act of illegally snooping on other people's privacy constitutes control of the camera, and the "Several Laws of the Supreme People's Court and the Supreme People's Procuratorate on the Application of Criminal Cases Endangering the Security of Computer Information Systems" should be applied. The standard of Article 1, Paragraph 3 of "Explanation of the Problem" (whether more than 20 computer information systems were illegally controlled) determines whether the behavior meets the prosecution conditions of "serious circumstances".

What needs to be emphasized is that although the two criminal acts of illegally obtaining computer information system data and illegally controlling computer information systems are both stipulated under the second paragraph of Article 285 of my country's "Criminal Law", the essence of the two acts There is an obvious difference.

Illegal acquisition of data and illegal control of computers are pure computer crimes. They are supplementary crimes and downstream crimes of illegal intrusion into information systems. Each has its own independent scope of protection and legislative purpose. The former emphasizes computer intrusion and the acquisition of personal information, while the latter pays more attention to the illegal occupation of other people's computer control rights or operating resources. If intrusion is also interpreted as illegal control, the content of the law will be ignored, exceeding the textual meaning of intrusion and expanding the scope of intrusion. Therefore, the interpretation of "illegal control" should be strictly limited to the scope of demonstrable control behavior. If the perpetrator has committed intrusion or even intruded multiple times, it should not be deemed that the perpetrator has illegally controlled the system.

There is still some controversy in current practice regarding the characterization of the aforementioned cases of voyeurism by invading other people’s cameras, and because there are few public precedents in voyeurism criminal cases, it is even impossible to summarize the so-called "majority opinion" in practice. However, it is still necessary to clarify the characterization of this type of behavior, because illegal behavior is determined based on illegal acquisition of data, and the perpetrator will only be sentenced when he obtains more than 500 sets of personal information; and if illegal behavior is determined based on illegal control of a computer , if the number of controlled computers exceeds 20, it will meet the standard for criminal prosecution. This may lead to a huge difference in the criminal law evaluation of the defendant's illegal behavior in the same case between "not constituting a crime" and "the circumstances are particularly serious" under different standards for identifying the nature of the behavior.

3. Case study

Let’s analyze this real case: The defendant illegally obtained the account and password of other people’s webcam equipment such as Yunshitong through social platforms, and added the above account and password through Yunshitong and other software, and realized the control of others Based on the viewing of camera content, the public prosecution office initially believed that the defendant's behavior was illegal control of other people's cameras, which constituted the crime of illegal control of computer information systems, and the number of logged-in cameras was used as a criterion to evaluate the number of computer information systems he illegally controlled. .

The author believes that the public prosecution agency may have overlooked the difference between illegally obtaining computer information system data and illegally controlling computer information systems in handling this case, resulting in an inaccurate characterization of this case.

First of all, the defendant’s illegal behavior in this case did not reach the level of “control”. From the analysis of the identification criteria for illegally obtaining computer information system data or illegally controlling computer information systems in "serious circumstances" in the "Interpretations of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues Concerning the Application of Law in Handling Criminal Cases Endangering the Security of Computer Information Systems", in the case of illegal In terms of criminal standards for obtaining information, it either corresponds to the acquisition of a relatively large amount of data information, such as obtaining more than 500 sets of identity authentication information; or it directly corresponds to the perpetrator's illegal economic gain and the victim's property loss or the high possibility of property loss. , such as illegal gains of more than 5,000 yuan or economic losses of more than 10,000 yuan; obtaining more than ten sets of identity authentication information for online financial services such as payment settlement, securities trading, and futures trading, etc. In contrast, the criminal standard for controlling computer systems only requires controlling more than 20 computer systems, which is far lower than other quantitative requirements for obtaining information. Therefore, in order for the various forms of criminal behavior under this interpretation to satisfy the basic legal principle of "same punishment for the same crime", the social harm of several listed situations should at least be equal. In other words, the number of criminal offenses for illegally controlling other people's computer systems is lower than illegally obtaining computer data, so the corresponding harm to a single society should be higher than simple data acquisition. This is consistent with the "control" and "intrusion" mentioned above. The understanding of the relationship between them is consistent. Some opinions believe that the identification of illegal control in this crime does not need to meet the standard of exclusive control, but the author believes that it should be a reasonable requirement for the illegal controller to meet the standard of "equal use" with the legal owner of the computer system.

Starting from the legislative purpose, taking a typical hacker attack to control a computer information system as an example, if the defendant's illegal behavior is to meet the standard of "control", an acceptable basic situation is that when the "controller" and "others" When "users" issue different instructions at the same time, the computer system should follow the instructions of the "controller" to give feedback. However, in this case, the perpetrator can only watch the recording content of the camera, and cannot perform any corresponding operations in terms of camera switching, direction and angle, system management, addition and deletion of stored data, etc., and cannot refuse normal operations of legitimate users. . Even as long as legitimate users pay a little attention and set up a simple and necessary privacy protection measure such as "change the initial password" for their cameras, the defendant's data acquisition channel will be cut off. It is extremely far-fetched to think that such usage behavior meets the standard of "control".

Secondly, it is inappropriate to evaluate the social harm of the defendant's behavior based on the number of cameras logged on. Such cases all use an APP as a medium to watch the images in the camera after binding a certain account and password. From the perspective of the path into the camera system, a few camera device numbers correspond to one camera channel, and in most cases One camera device number corresponds to multiple camera channels. Therefore, in this case, it may happen that the defendant only obtains a set of identity authentication information, and after entering a system, it corresponds to multiple camera devices. But what needs to be made clear is that the head of the research office of the Supreme People's Court and the Supreme People's Procuratorate said in response to a reporter's question on "Interpretations on Several Issues Concerning the Application of Laws in Handling Criminal Cases Endangering the Security of Computer Information Systems" that computer systems should be capable of automatically processing data. Functional systems include network equipment, communication equipment and automation control equipment. Cameras are not affiliated with any of the three listed equipment.Therefore, it should be understood that for several computer system crimes stipulated in Article 285 of the Criminal Law, the criminal objects they directly point to are independent computer systems one after another, objects protected by the law. It is also the privacy and normal operation ability of the computer system, rather than the protection of input and output devices of systems such as cameras. In the same way, when judging the social harm or seriousness of computer information system crimes, we should focus on the number of computer systems affected, rather than the specific number of cameras logged in. In this case, the defendant used a set of accounts and passwords to enter a camera system, which can constitute a criminal unit. Regardless of whether the criminal unit corresponds to one or multiple input and output devices, since these input and output devices do not establish independent new systems, the victim is still a computer system. Therefore, when judging the specific culpability of this crime, we should not focus on the number of cameras that the defendant actually watched and logged in, but should focus on the number of account and password sets that the defendant obtained that can enter the computer system. In the case where the account name and password are the same If so, the social harm of the defendant's behavior should be determined based on the number of computer information systems that the defendant actually accessed.

Finally, from the perspective of crime composition , this case is more consistent with illegally obtaining computer information system data. The defendant in this case achieved snooping on the privacy of others by purchasing the username and password of the camera device number. Although snooping into privacy is unethical and even constitutes a crime, it is not a social interest that is infringed by this type of crime and is enough to be evaluated as a crime. From the perspective of the background and legislative evolution of the crime of illegally obtaining computer information system data and illegally controlling computer information systems in my country's Criminal Law, it should be clear that the main behavior regulated by this statute is the illegal exploration of other people's private information. , that is, illegally discovering for yourself or others data that does not belong to you and that others have undergone special security processing to prevent illegal acquisition. To put it more generally, the reason why the perpetrator is punished by criminal law is not only because of viewing other people's privacy without permission, resulting in the infringement of personal sensitive information, but also because of the improper use of data in other people's computer systems. Interception, resulting in the destruction of the social value of "maintaining the privacy and security of personal computer systems". This is consistent with the concepts of computer crimes in various countries around the world. For example, the German Criminal Code provides such provisions in Article 202 of the crime of illegal exploration of data in Chapter 15 "Infringement of Private Life and Secrets". In this case, the perpetrator's infringement of legal interests that can be evaluated as a crime is not the invasion of other people's privacy or the seizure of control of personal computer systems, but the illegal acquisition of the account names and passwords of other people's camera equipment. This is The fundamental illegality of intruding cameras to spy on privacy. According to the "Interpretations of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues concerning the Application of Law in Handling Criminal Cases Endangering the Security of Computer Information Systems", the account number, password, password, digital certificate , etc. illegally obtained by the perpetrator, All fall under the category of "identity authentication information".

In addition, the defendant in such cases purchased the account and password to log into the camera with the purpose of snooping on other people's privacy. The specific method was to obtain the account password through software to illegally invade and obtain image data containing the victim's privacy. The perpetrator's subjective intention lies only in illegally obtaining the victim's private image data information, not in illegally controlling the entire imaging system. Objectively speaking, the actor only illegally obtained computer data information and achieved personal viewing. There was no more operational control over the entire imaging system to bring it to a certain active state. Therefore, in general, whether from the perspective of consistency of culpability or consistency of subjectivity and objectivity, it is more accurate to identify the perpetrator's behavior as the crime of illegally obtaining computer information system data.

About the author

Yu Xingquan is the executive director of the Criminal Committee of Dacheng Law Firm.He has been practicing law for more than 20 years, focusing on economic crimes and job-related crime cases, paying attention to the crime phenomenon of corporate executives, and has handled a large number of criminal cases involving corporate executives. He has published many professional articles such as "The Rule of Law is the Best Business Environment", "The Current Judicial Dilemma of Private Entrepreneurs from a Lawyer's Perspective", "Legal Qualitative Issues in Electronic Transactions of Postal and Currency Cards", and is the author of "Essence of Unit Crime Practice". untie".

Ma Shengkun, Master of Criminal Law, School of Criminal Justice, China University of Political Science and Law, majoring in occupational crimes and economic crimes.