Archive for: Art. 267 CRC

Comparative law – literally, word for word

January 15th, 2009, Tomasz Rychlicki

The following are recent changes to the Polish Criminal Code regarding “computer crimes”, introduced by the Act to amend the Act – the Criminal Code and certain other acts of 24 October 2008, Journal of Laws (Dziennik Ustaw) No. 214, item 1344, which entered into force on 18 December 2008.

Chapter XXXIII. Offences against the protection of information

Article 265. § 1. Whoever discloses or, in violation of the law, uses information which constitutes a state secret

shall be subject to the penalty of deprivation of liberty for a term of between 3 months and 5 years.

§ 2. If the information specified in § 1 has been disclosed to a person acting in the name of or for a foreign entity, the perpetrator

shall be subject to the penalty of deprivation of liberty for a term of between 6 months and 8 years.

§ 3. Whoever unintentionally discloses the information specified in § 1, with which he has become acquainted in the performance of his official function or authorisation delegated to him

shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to one year.

Article 266. § 1. Whoever, in violation of the law or an obligation he has undertaken, discloses or uses information with which he has become acquainted in connection with the function or work performed, or public, community, economic or scientific activity pursued

shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to 2 years.

§ 2. A public official who discloses to an unauthorised person information which is an official secret or information with which he has become acquainted in the performance of his official duties and whose disclosure can endanger a legally protected interest

shall be subject to the penalty of deprivation of liberty for up to 3 years.

§ 3. The prosecution of the offence specified in § 1 shall occur on a motion of the injured person.

Article 267. § 1. Whoever, without being authorised to do so, acquires information not destined for him, by opening a sealed letter, or connecting to a wire that transmits information, or by breaching or bypassing electronic, magnetic, information or other special protection for that information

shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to 2 years.

§ 2. The same punishment shall be imposed on anyone who, without being authorised to do so, acquires access to the whole or part of an information system.

§ 3. The same punishment shall be imposed on anyone who, in order to acquire information which he is not authorised to access, installs or uses tapping, visual detection or other special equipment.

§ 4. The same punishment shall be imposed on anyone who discloses to another person the information obtained in the manner specified in § 1–3.

§ 5. The prosecution of the offence specified in § 1–4 shall occur on a motion of the injured person.

Article 268. § 1. Whoever, not being himself authorised to do so, destroys, damages, deletes or alters a record of essential information or otherwise prevents or makes it significantly difficult for an authorised person to obtain knowledge of that information,

shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to 2 years.

§ 2. If the act specified in § 1 concerns the record on an electronic information carrier, the perpetrator shall be subject to the penalty of deprivation of liberty for up to 3 years.

§ 3. Whoever, by committing an act specified in § 1 or 2, causes a significant loss of property

shall be subject to the penalty of deprivation of liberty for a term of between 3 months and 5 years.

§ 4. The prosecution of the offence specified in § 1-3 shall occur on a motion of the injured person.

Art. 268a. § 1. Whoever, without being authorised to do so, destroys, damages, removes, changes or makes access to data difficult, or in a significant way disrupts or prevents the automatic processing, gathering or transmission of such data,

shall be subject to the penalty of deprivation of liberty for up to 3 years.

§ 2. Whoever, by committing an act specified in § 1, causes a significant loss of property

shall be subject to the penalty of deprivation of liberty for a term of between 3 months and 5 years.

§ 3. The prosecution of the offence specified in § 1 or 2 shall occur on a motion of the injured person.

Article 269. § 1. Whoever destroys, deletes or changes a record on an electronic information carrier, having a particular significance for national defence, transport safety, operation of the government or other state authority or local government, or interferes with or prevents automatic collection and transmission of such information

shall be subject to the penalty of deprivation of liberty for a term of between 6 months and 8 years.

§ 2. The same penalty shall apply to a person who commits the offences mentioned in § 1 by destroying or replacing the information carrier or by destroying or damaging a device serving for automatic processing, gathering or transferring of information data.

Art. 269a. Whoever, without being authorised to do so, by transmitting, destroying, removing, damaging or changing information data, in a significant manner disrupts the work of a computer system or a teleinformatic network,

shall be subject to the penalty of deprivation of liberty for a term of between 3 months and 5 years.

Art. 269b. § 1. Whoever produces, acquires, sells off or makes available to other persons devices or computer software adapted to perform a crime mentioned in art. 165 § 1 pt 4, art. 267 § 2, art. 268a § 1 or § 2 in connection with § 1, art. 269 § 2 or art. 269a, and computer passwords, access codes or other data that allow for access to information stored in a computer system or teleinformatic network,

shall be subject to the penalty of deprivation of liberty for up to 3 years.

§ 2. In case of a conviction for an offence referred to in § 1, the court orders the forfeiture of the items, and may order their forfeiture if they were not the property of the perpetrator.

There is also an ODT file (14 KB) with both versions. Please send your comments regarding the translation.

Protecting trade secrets in Polish law

October 9th, 2008, Tomasz Rychlicki

I wonder from time to time whether it is an effective way to write complex studies on the law in the form of a post which is available on a website. The text of such a note is formatted in HTML and accessed from a browser, etc. I mean posts or entries which are longer than five sentences, i.e. more or less scientific articles with proper footnotes, etc. Unfortunately, I am not convinced by arguments that publications with a high content of text, formatted in the browser window, are the proper way to write about and discuss the law. I think that reading is simply too uncomfortable. On the other hand, a large amount of text can be defined by the CSS with the appropriate format for printing. Alternatively, one may give links to documents that you will be allowed to print… but the latter solution is without a doubt less professional. At the same time, let me try to write something a little bit longer. The subject is Polish regulations on trade secrets.

I. Definitions.
There is no definition of “trade secrets” in Polish law. However, there are regulations that allow for very effective protection.
A. Act on Combating Unfair Competition – CUC – (in Polish: Ustawa o zwalczaniu nieuczciwej konkurencji) of 16 April 1993, Journal of Laws (Dziennik Ustaw) No 47, item 211, with later amendments.

Article 11
1. An act of unfair competition is the transfer, disclosure or use of third party information, which is company confidential or their receipt from an unauthorised person, if it threatens or violates the interests of the entrepreneur.
2. The provisions of section 1 shall also apply to the person who has been rendering work based on employment contract or another legal relation, for the period of three years from its expiration, unless the contract stipulates otherwise or there is no longer secrecy.
3. The provisions of section 1 shall not apply to the person who, bona fide, by way of a legal operation against payment, acquired the information constituting a business secrecy. The court may oblige the acquirer to the appropriate remuneration for its use, nevertheless for a period not longer than duration of secrecy.
4. Company confidentiality is understood to include the entrepreneur’s technical, technological, organisational or other information having commercial value, which is not disclosed to the public and for which the entrepreneur has taken the necessary steps to maintain confidentiality.
(…)
Chapter 4
Penal provisions
Article 23.1. Every person, who contrary to her obligation towards the entrepreneur discloses to another person or uses in her own economic activity information which is a business secrecy, shall be liable to the fine, probation or imprisonment up to 2 years, provided it is to the significant detriment of the entrepreneur.
2. The same sanctions shall apply to the person, who having acquired illegally the business secrecy, discloses it to another person or uses in her own economic activity.

It is noteworthy that the definition of “company confidentiality” provided in article 11(4) CUC explicitly included the term “trade secrets” before the amendments in 2002. The CUC protection of “company confidentiality” can be enforced in civil or criminal proceedings. However, the regulations afforded in the CUC basically apply only to relations between entrepreneurs (commercial relationships).

B. The Civil Code – CC – (in Polish: Kodeks Cywilny) of 23 April 1964, Journal of Laws (Dziennik Ustaw) No 16, item 93, with later amendments.

Article 72 [1]. § 1. If, during the negotiations, a party has provided information as confidential, the other party is required not to disclose or transfer such information to others and not to use such information for its own purposes, unless the parties otherwise agreed.
§ 2. In the event of failure of performance or improper performance of the duties described in § 1, the entitled person may demand that the other party undo the damages or return the profits received by the other party.

C. The Criminal Code – CRC – (in Polish: Kodeks Karny) of 6 June 1997, Journal of Laws (Dziennik Ustaw) No 88, item 553, with later amendments.

Chapter XXXIII. Crimes against protection of information
(…)
Article 267.
§ 1. Whoever, without being authorised to do so, acquires information not destined for him, by opening a sealed letter, or connecting to a wire that transmits information or by breaching electronic, magnetic or other special protection for that information shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to 2 years.
§ 2. The same punishment shall be imposed on anyone who, in order to acquire information which he is not authorised to access, installs or uses tapping, visual detection or other special equipment.
§ 3. The same punishment shall be imposed on anyone who discloses to another person the information obtained in the manner specified in § 1 or 2.
§ 4. The prosecution of the offence specified in § 1 – 3 shall occur on a motion of the injured person.

I guess I do not need to add that the aforementioned regulations are the basic ones. There are some other legal acts that govern specific fields of law, for instance the Act on Accountancy, the Code of Commercial Companies, the Code of Labour, the Act on Banks Law etc.

Penalizing SQL injection techniques in Poland

October 6th, 2008, Tomasz Rychlicki

Polish criminal law has provisions which, in theory, would serve to criminalize conduct related to “cracking” actions.

Chapter XXXIII. Crimes against protection of information
(…)
Article 267.
§ 1. Whoever, without being authorised to do so, acquires information not destined for him, by opening a sealed letter, or connecting to a wire that transmits information or by breaching electronic, magnetic or other special protection for that information shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to 2 years.
§ 2. The same punishment shall be imposed on anyone who, in order to acquire information which he is not authorised to access, installs or uses tapping, visual detection or other special equipment.
§ 3. The same punishment shall be imposed on anyone who discloses to another person the information obtained in the manner specified in § 1 or 2.
§ 4. The prosecution of the offence specified in § 1 – 3 shall occur on a motion of the injured person.

Provisions of article 267 were used against Mateusz M. He was charged with use of methods known as SQL injection, in conjunction with Article 267 § 1. However, the District Court in Głogów VI Wydział Grodzki in a judgment of 11 August 2008, act signature VI K 849/07, found Mateusz M. not guilty.

The court held that the actions of the accused fail to comply with the statutory elements (…) Overcoming (breaching) security occurs when the offender destroys, removes the security, or when the impact on the security temporarily removes the protective function. (…) The person who gained access to sensitive information, but did not break any security measures will not bear the criminal responsibility.

I have to add that there are pending amendments to the Polish Criminal Code provisions regarding the aforementioned regulations. Piotr Waglowski provides more details about this case. As regards legal issues on cracking, I already wrote posts entitled “Who will be guilty?” and “Legal hacking”.

Who will be guilty?

April 15th, 2008, Tomasz Rychlicki

There is a short article available at the www.wired.com website where you may read some thoughts of Harry Sintonen regarding the security of a couple of websites. From the media's point of view, the most spectacular cross-site scripting attack concerned the CIA’s website. But I found on Harry’s list other addresses that are worthy of a short notice here, for instance, the official website of the European Parliament. You may ask why? Because there is another article available at the www.gazeta.pl website (in Polish) where Waldy Dzikowski (the chief of Platforma Obywatelska’s parliamentary club) tells how he opts for electronic elections to the European Parliament, which will be held in another thirteen months. I have to admit that I am not sure who is supporting Mr Dzikowski because there is always someone who has an interest in supplying the Republic of Poland with e-voting infrastructure or, as Witold Drożdż from the Ministry of Interior and Administration said, “technical and organization” infrastructure. When I think about such problems as those faced by the CIA or European Parliament websites, I instantly wonder if someone can assure me about security and, what is even more important, about the lack of fraud in the process of electronic voting? Of course, we have proper criminal provisions against crimes aimed at the voting process in the Criminal Code – CRC – (in Polish: Kodeks Karny) of 6 June 1997, Journal of Laws (Dziennik Ustaw) No 88, item 553, with later amendments.

Chapter XXXI. Crimes against elections and referendum
Article 248. Whoever, in connection with elections to the Sejm, Senate, election of the President of the Republic of Poland, elections to the European Parliament, local elections or a referendum:
(…)
3) damages, hides or forges reports or other election or referendum documents,
(…)
4) interferes or allows interference with the collecting or counting of votes
(…)
5) gives another person an unused voting card before the end of voting or gets an unused voting card from another person in order to use it in voting,
- shall be subject to the penalty of deprivation of liberty for up to 3 years.
(…)
Art. 250a. § 1. Whoever, being entitled to vote, gets financial or personal benefits or requests such a benefit for voting in a given way, shall be subject to the penalty of deprivation of liberty for a term of between 3 months and 5 years.
§ 2. The same penalty shall apply to a person who gives financial or personal benefits to a person entitled to vote in order to induce such a person to vote in a given way or for voting in a given way.

Art. 251. Whoever, in violation of the regulations on secrecy of voting, against the will of a voter, acquaints himself with the content of a vote, shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to 2 years.

As you can see there are some possibilities. There are also “anti-compromise” regulations (sic!)

Chapter XXXIII. Crimes against protection of information
(…)
Article 267.
§ 1. Whoever, without being authorised to do so, acquires information not destined for him, by opening a sealed letter, or connecting to a wire that transmits information or by breaching electronic, magnetic or other special protection for that information shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to 2 years.
§ 2. The same punishment shall be imposed on anyone who, in order to acquire information which he is not authorised to access, installs or uses tapping, visual detection or other special equipment.
§ 3. The same punishment shall be imposed on anyone who discloses to another person the information obtained in the manner specified in § 1 or 2.
§ 4. The prosecution of the offence specified in § 1 – 3 shall occur on a motion of the injured person.
(…)

Art. 268a. § 1. Whoever, without being authorised to do so, destroys, damages, removes, changes or makes access to data difficult, or in a significant way disrupts or prevents the automatic processing, gathering or transmission of such data, shall be subject to the penalty of deprivation of liberty for up to 3 years.
(…)

Art. 269. § 1. Whoever damages, removes or changes information data of particular importance for the country’s defences, safety of transportation, functioning of government administration, another state organ or state institution or local government, or disrupts or prevents the automatic processing, gathering or transmission of such data, shall be subject to the penalty of deprivation of liberty for a term of between 6 months and 8 years.
§ 2. The same penalty shall apply to a person who commits the offences mentioned in § 1 by destroying or replacing the information carrier or by destroying or damaging a device serving for automatic processing, gathering or transferring of information data.

Art. 269a. Whoever, without being authorised to do so, by transmitting, destroying, removing, damaging or changing information data, in a significant manner disrupts the work of a computer system or a teleinformatic network, shall be subject to the penalty of deprivation of liberty for a term of between 3 months and 5 years.

Art. 269b. § 1. Whoever produces, acquires, sells off or makes available to other persons devices or computer software adapted to perform a crime mentioned in art. 165 § 1 pt 4, art. 267 § 2, art. 268a § 1 or § 2 in connection with § 1, art. 269 § 2 or art. 269a, and computer passwords, access codes or other data that allow for access to information stored in a computer system or teleinformatic network, shall be subject to the penalty of deprivation of liberty for up to 3 years.

This list is really long, right? I asked my Polish readers if they know any cases regarding such crimes. I guess we have a really small percentage. The question is whether it’s a really small percentage of crime detection or just of such crimes themselves?

Legal hacking

April 7th, 2007, Tomasz Rychlicki

In 2004, Jerome Heckenkamp gained unauthorized access (colloquially, he hacked) to servers of corporations such as Qualcomm, Cygnus Solutions and eBay. Evidence of his actions was also gathered by an administrator of the campus network to which Jerome’s computer was connected. He got it by hacking into Heckenkamp’s Linux box. Judge Sidney R. Thomas ruled in United States v. Heckenkamp, 2007 U.S. App. LEXIS 7806 (9th Cir. 2007), that such actions were justified and did not violate the Fourth Amendment provisions.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Jeffrey Savoy’s “hacking searches” were acknowledged as a “special needs” exception and therefore the FBI was not required to obtain a search warrant. Jerome Heckenkamp was convicted based on regulations included in 18 U.S.C.S. § 1030(a)(5)(B) – Computer Fraud and Abuse Act (CFAA) of 1986, Pub. L. No. 99-474, 100 Stat. 1213 (Oct. 16, 1986) amending Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, Pub. L. No. 98-473, 98 Stat. 1837 (Oct. 12, 1984).

In Polish law so-called “hacking” crimes are penalised by provisions included in the Criminal Code – CRC – (in Polish: Kodeks Karny) of 6 June 1997, Journal of Laws (Dziennik Ustaw) No 88, item 553, with later amendments.

Article 267.
§ 1. Whoever, without being authorised to do so, acquires information not destined for him, by opening a sealed letter, or connecting to a wire that transmits information or by breaching electronic, magnetic or other special protection for that information shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to 2 years.
§ 2. The same punishment shall be imposed on anyone who, in order to acquire information which he is not authorised to access, installs or uses tapping, visual detection or other special equipment.
§ 3. The same punishment shall be imposed on anyone who discloses to another person the information obtained in the manner specified in § 1 or 2.
§ 4. The prosecution of the offence specified in § 1 – 3 shall occur on a motion of the injured person.

In the international legal context such crimes were first covered by the Council of Europe Convention on Cybercrime signed in Budapest on November 23, 2001, CETS No. 185. The United States was one of 30 countries that signed the Convention on November 23, 2001. On August 2, 2006, the US Senate ratified it.

You may find more information about the Fourth Amendment at the findlaw.com website.