Computer crimes, case VI K 849/07

October 6th, 2008, Tomasz Rychlicki

On August 11, 2008, the District Court in Głogów (VI Wydział Grodzki) issued an important ruling, case file VI K 849/07, concerning a man accused by the prosecutor of using computers to breach the electronic security of a company's server and database, which allowed him to obtain information not intended for him (personal data), thereby acting to the detriment of the business. Mateusz M. was charged by the prosecutor under Article 267 § 1 of the Polish Penal Code.

Chapter XXXIII. Crimes against protection of information
Article 267.
§ 1. Whoever, without being authorised to do so, acquires information not destined for him, by opening a sealed letter, or connecting to a wire that transmits information or by breaching electronic, magnetic or other special protection for that information shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to 2 years.
§ 2. The same punishment shall be imposed on anyone, who, in order to acquire information to which he is not authorised to access, installs or uses tapping, visual detection or other special equipment.
§ 3. The same punishment shall be imposed on anyone who discloses to another person the information obtained in the manner specified in § 1 or 2.
§ 4. The prosecution of the offence specified in § 1 – 3 shall occur on a motion of the injured person.

Mateusz M. had browsed through an internet company's website and found that the service contained serious programming errors. He entered into the login form the string “‘ or 1 = 1” (and repeated this in the password field), which resulted in him being logged into a random user account and gave him access to several user accounts and their personal data. Mateusz M. decided to act on this finding and made contact with the company's representatives. He informed them that he had detected a gap in their website security which allowed him entry to the marketing database of firms owned by or connected with the company which operated this online database. In the meantime, Mateusz M. checked other websites and online services created by the same authors as the first website. He also found that all of them contained the same programming errors, because all these websites were built using the same content management system (CMS). Mateusz M. was invited by the company to sign a contract to remove these programming errors. He was also presented with a non-disclosure agreement (NDA), which he signed. However, the NDA's date was set prior to the date on which he had detected the programming errors, and this was used by the company to enable the police, who were co-operating with the company, to arrest Mateusz M.

During the pre-trial proceedings the court's expert in the field of information technology stated that in his opinion Mateusz M. had used “a form of attack on the company's database called SQL Injection”; the aim of such an attack is “to extract confidential information from the database and to disrupt its operation”. In the course of the proceedings before the court, the District Court in Głogów admitted, at the request of counsel for the defence, the evidence of a second expert.

The second expert provided the court with an opinion that by entering the string “‘ or 1 = 1” Mateusz M. had not breached the database: he had not cracked any password allowing access to the database, he had not typed or inserted any software code, and he had not affected the functioning of the database in any way. According to the second expert, Mateusz M. had not removed the database security, had not changed the access password, and had not created any new accounts in the database. In this expert's opinion, the introduction of the said string by Mateusz M. should be considered an “SQL Injection” method used to circumvent the protection of a database, but one that was permitted by the improper and inadequate protection scheme applied to the database by its creators. The “Sign in” form of the database was designed in such a way that any string of characters whatsoever was accepted as input for this type of form. The database authors had not implemented any solution to verify whether the database actually stored a user name or password matching such a string, and since it did not, the database did not generate a proper error message.
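To make the second expert's point concrete, the following is an added example (not code from the page or from the CMS in question) that reconstructs the kind of sign-in query the expert describes, beside a parameterised version. The user table, its rows and the exact shape of the query are assumptions; the page only gives the fragment “‘ or 1 = 1”, so the example follows it with a SQL line comment (`--`) to keep the rebuilt statement parseable, which is also an assumption about the original form.

```python
import sqlite3

# Constructed stand-in for the site's user table; schema and rows are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("anna", "s3cret", "anna@example.invalid"),
        ("bob", "hunter2", "bob@example.invalid"),
    ])
    return conn

def vulnerable_login(conn, username, password):
    """Builds the SQL text by string concatenation: whatever the form submits
    becomes part of the statement, so 'or 1 = 1' is parsed as SQL, not as data.
    No error is surfaced to the caller, matching the missing error handling
    the expert criticised."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None

def safe_login(conn, username, password):
    """Parameterised query: the driver binds the values, so the same input is
    compared literally against the stored columns and can never alter the query."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# The fragment quoted in the case, followed by a SQL line comment so that the
# remainder of the concatenated statement is ignored (assumed form of the input).
PAYLOAD = "' or 1 = 1 --"

if __name__ == "__main__":
    db = make_db()
    # Same string in both fields, as in the case: the first row is returned,
    # i.e. an arbitrary account, not one the caller holds credentials for.
    print("vulnerable:", vulnerable_login(db, PAYLOAD, PAYLOAD))  # anna
    print("safe:      ", safe_login(db, PAYLOAD, PAYLOAD))        # None
    print("safe, real:", safe_login(db, "bob", "hunter2"))        # bob
```

The hardened form is the same query with bound parameters; the fix requires no change to the table or to the form, only to how the statement is built.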

The court held that the action of the accused failed to comply with the statutory elements of Article 267. In the court’s opinion, breaching security occurs when the offender destroys or removes the security, or when the impact of the offender’s action on the security temporarily removes its protective function. Thus a person who gains access to sensitive information without breaking any security measures is not criminally responsible.

The court ruling acquitted the accused of all the charges, and on the basis of Article 632(2) of the Polish Criminal Proceedings Code the court held that the costs of the wrongful prosecution were to be covered by the state. This decision is final, and consequently there are pending amendments to the Polish Criminal Code relating to the aforementioned regulations.