1. Lessons from two cases of cyber-crimes in Korea
Why do we need special laws for cyber-crimes? Why do we need a separate definition, which means that we have to treat them differently from other crimes? Is it because ICT is used to commit the crime (other than by hitting someone with a cell phone)? Or because ICT itself is attacked (e.g., cutting wires, breaking down mainframes)? A third possibility is that we defined it separately because ICT is too powerful a tool of criminality, given the attribution problem, and we need to augment our law enforcement (attribution is difficult).
It is not that conceptually clear why we need a separate definition. I think that the most compelling rationale for the definition is that we need to prevent what the pre-cyber laws did not prevent, such as hacking that does not involve physical intrusions, or that virtual space should be protected as well as real space.
However, I want to challenge the stability of the definition by drawing on two cases from the Korean experience. One is online opinion rigging. A political activist, Druking, used thousands of user profiles to comment positively on or recommend news articles favorable to a certain political party or its actions on the country’s most popular portal, and automated the process using software. He was criminally prosecuted for violating a provision originally meant to prohibit hacking. Such prosecution brushes roughly against international human rights standards under which (1) pseudonymous speech is protected where you have received implied consent from the people you are impersonating, (2) disseminating false information without more (in this case presenting a manipulated reputation to online users) is protected, (3) electioneering is a protected activity, (4) online content, no matter how popular (even popular to the point of being equated to “a barometer of public opinion”), should not be treated or censored like broadcasting and (5) automating what one can do lawfully should still be considered lawful. All in all, is it also a cyber-crime to build an echo chamber and a filter bubble?
Another example is the country’s new criminal ban on vicarious gaming, i.e., playing for money for another person to increase the gaming level of that person. Where the right to pseudonymous speech should be protected, a legal basis for such a law is difficult to fathom. Offline, we let people play for (or in place of) other players freely because the purpose of games (with the exception of official gaming sports) is to enjoy, not to compete.
A common lesson from the two cases is that a cybercrime law or prosecution should not expand the notion of illegality just because the user engaged in certain activities using cyber- or automated methods. If we were more precise on why we conceptualized ‘cybercrime’, we might not be having this debacle. What ends up happening with these cases is that the only harm we are protecting is interfering with the portal/game operator’s business model, an area usually left for private litigation.
2. Cybercrime laws may strengthen the authority of investigatory agencies
Another big issue with cybercrime laws is that they usually end up strengthening the cybersecurity prevention authorities of certain agencies (e.g., authority to certify all ICT devices used by all government agencies) and unfortunately, they are investigatory agencies, especially outbound intelligence agencies. Now, leaving cybersecurity prevention authority with investigatory agencies is like leaving fish with a cat. As a cybersecurity agency, it will collect all zero days, set security standards on all devices, and therefore will be in a great position to use that vantage point to conduct surveillance.
Korea’s experience with the Italian Hacking Team’s RCS revelations brought this issue to the fore. As you all know, Hacking Team’s own invoice ledger was hacked to reveal its RCS customers, which included the FBI, the CIA, Korea’s National Intelligence Service and a host of outbound intelligence agencies, including authoritarian governments notorious for surveillance on dissidents and journalists. RCS is an “online surveillance” tool, which means it is implanted in people’s devices through hacking and other unlawful methods to extract data without the knowledge of the person being surveilled, and the legality of such tools was being debated. Many civil society organizations criticized the use of such tools; Open Net Korea was one of them, and we tried to make software designed to detect whether RCS was or is implanted in people’s mobile phones. We realized that we could not find capable white hat hackers to code the detection software, because most people working in security worked for companies that could not afford to be associated with efforts critical of NIS’s activities when NIS is the one certifying their products for government procurement — unless their employers were willing to forego government bids.
If a cybersecurity agency is that powerful, we must find a way to make sure that its intent, once good, does not become corrupt. Sometimes supervision has to come from a body as close to the people as legislators, e.g., the National Assembly Intelligence Committee in Korea.
A related point: the international standard is that encryption is a human right. Prohibiting encryption above a certain strength will paralyze people’s ability to fight against cyberattacks. Prohibiting the sale of ‘zero days’ will have a similar result. White hat hackers and black hat hackers are difficult to distinguish. Also, when the government itself engages in hacking for surveillance purposes, these prohibitions on civilian encryption/decryption capacities will mean that only the government will sell ‘zero days’, leaving people vulnerable to surveillance.
3. Final Comments
One comment on the Budapest Convention: the convention categorizes crimes into cyber-crimes, and for those crimes, requires member states to criminalize them and to streamline criminal procedure to facilitate investigations, etc. The problem is the vagueness of some of the provisions, such as “racist/xenophobic crimes”. Such a phrase should not be taken literally, and only those crimes breaking down and utilizing the unique features of ICT that make attribution difficult should be considered racist/xenophobic crimes. Otherwise, forcing governments to criminalize racism and xenophobia can have unintended consequences vis-à-vis international human rights.
Session description: Countries around the world are adopting cybercrime laws which seriously fail to respect international human rights law. Many such laws problematically duplicate existing rules, use vague or overbroad language and/or fail to provide for appropriate intent requirements. This session will identify relevant standards and better practices for ensuring that cybercrime laws respect international human rights.