10 Digital Crimes

Digital crimes” here are defined as offences committed by digital means or in digital ways, i.e. not necessarily against or with the help of the Internet (see KAPO ZH, Department of Cybercrime).

In Switzerland, there are only a few criminal law norms that refer directly to the digital world, e.g. unauthorised data acquisition pursuant to Art. 143 of the Swiss Criminal Code (CC), unauthorised access to a data processing system pursuant to Art. 143bis CC and data corruption pursuant to Art. 144bis CC. However, there are also standards outside the Criminal Code which concern the digital world and the violation of which is also punishable by law. These can be found in particular in the Lauterkeitsgesetz (UCA) (see in detail 07 Competition law in the digital world), e.g. spamming pursuant to Art. 3 para. 1 lit. o UCA and the mandatory references in e-commerce pursuant to Art. 3 para. 1 lit. s UCA, the violation of which is punishable under Art. 23 UCA.

However, for most offences committed in the digital world, the traditional standards that have long been used in the analogue world can be applied. Thus a fraud according to Art. 146 CC in the digital world does not differ in principle from a fraud in the analogue world. In both cases, an essential element is “fraudulent misrepresentation”. Only in the event that the deceived person is not a human being, but a data processing system, there is a special offence in Art. 147 CC.

It would go beyond the scope of this teaching aid to open up here all possible offences which are committed by digital means or by digital means. In the following we take up some of the most common crimes in the digital world.

Hacking

It is difficult to find a general, uniform definition of “hacking”. Based on the corresponding verb in the English language, to hack, we believe that criminal hacking includes unauthorized entry into a computer or network as a primary offence. In this sense, intrusion means that a computer or a network is particularly secure.

In our opinion, hacking in this sense is an offence both in Art. 143 Criminal Code (unauthorized data acquisition) and in Art. 143bis CC (unauthorized intrusion into a data processing system), although case law and doctrine generally speak only of the latter article of the “hacking offence” or “hacking article”.

Pursuant to Art. 143 CC (Unauthorised Data Acquisition), anyone who, with the intention of unjustly enriching himself or another person, acquires data stored or transmitted electronically or in a comparable manner for himself or herself or for another person, which is not intended for him or her and is particularly protected against unauthorised access, is punishable by imprisonment of up to five years or a fine. This is an official offence, i.e. an offence that must be prosecuted officially. The only exception is that unauthorised data collection to the detriment of a relative is only prosecuted on application.

According to Art. 143bis CC (Unauthorised penetration into a data processing system), anyone who unauthorisedly penetrates a third-party data processing system, which is particularly protected against access, by means of data transmission equipment, is punishable by imprisonment of up to three years or a fine. Any person who places on the market or makes accessible passwords, programs or other data which he knows or must assume are to be used for the commission of a criminal offence pursuant to this Article shall be punished by imprisonment of up to three years or a fine.

Art. 143 and 143bis CC differ essentially in that the offender has an intention to enrich the facts of Art. 143 CC, while he penetrates a data processing system without intention to enrich the facts of Art. 143bis CC. The latter is then only a so-called endangerment offence, which is included (consumed) in the application of Art. 143 CC. This can also be seen in the level of penalties, which can be higher in the case of the intention to enrich.

Phishing

The term phishing refers to attempts to access the personal data of an Internet user via fake websites, e-mails or short messages and thus commit identity theft. The aim of fraud is to use the data received to commit account looting, for example, and to harm the person in question. This is a form of social engineering in which the good faith of the victim is exploited. The term is an English artificial word, which is based on fishing, figuratively fishing for passwords with bait. The spelling with Ph- comes from hacker jargon. We have published here an example of phishing, which was aimed at PostFinance customers. Using a fake e-mail with a PostFinance look, the scammers are demanding that the addressees send the corresponding credit card data for a “security procedure” under the pretext that their credit card has been blocked. Typically, phishing e-mails imitate the corporate design of the relevant department, for example using the same company logos, fonts and layouts. As a rule, the addressee is requested to transmit data from credit cards or even e-banking logis, by means of which the fraudsters subsequently make themselves known to the addressees’ assets. (Source: https://de.wikipedia.org/wiki/Phishing).

Prima vista one could think that phishing is a classic fraud according to Art. 146 CC, since in particular the typical element of fraudulent deception is obviously fulfilled. Art. 146 CC, however, additionally demands that the person concerned, based on a corresponding error, damages himself and directly on his own property. This is not the case with phishing, in particular by e-mail or SMS, since the perpetrator carries out the corresponding subsequent actions himself.

According to prevailing doctrine and case law, phishing is generally assessed as fraudulent misuse of a data processing system and the perpetrators are convicted in accordance with Article 147 of the Swiss Criminal Code. Pursuant to Art. 147 of the Swiss Criminal Code, anyone who, with the intention of unlawfully enriching himself or another person, interferes with an electronic or comparable data processing or data transmission process by incorrect, incomplete or unauthorised use of data or in a comparable manner and thereby causes a transfer of assets to the detriment of another person or conceals a transfer of assets immediately thereafter shall be punished.

Password Sharing und Identity Theft

Although nobody talks about it, not even the providers concerned, it most likely happens very often. Particularly within a family and among friends, the access data of Internet services and thus the corresponding digital identity are exchanged (known in the USA as “password sharing”). The question is whether this is permitted under civil law, but also under criminal law. This is determined by the corresponding terms of use. As a rule, these prohibit the disclosure to unauthorized third parties. However, there are also licenses or subscriptions that allow use by several persons. Providers often solve the problem of multiple use technically, for example by restricting simultaneous use to a certain number of devices. A login with another device is therefore not technically possible. If the access data are passed on to unauthorised third parties, this is a breach of contract according to Art. 97 of the Swiss Code of Obligations (CO) and the provider can claim damages in the event of fault. In this case, the terms of use also regularly provide for the account to be blocked. Under criminal law, the unauthorised use of a digital service that is accessible to anyone for a fee is a so-called “obtaining by fraud of a service” pursuant to Art. 150 of the Swiss Criminal Code (CC) (BSK StGB, Weissenberger, Art. 150 StGB, N 41). The offence is on the same criminal level as fare evasion on public transport (which is regulated in the same article). Since the offerers fear probably a negative Publicity, they cut in such a case surely the account off, will probably however rather no announcement give. In any case, I am not aware of any such case in Switzerland. In addition, only the person who uses the foreign identity will be punished, but not the person who passed it on.

Legally far more problematic is the disclosure, theft (identity theft) and unauthorized use of login data for digital services and databases that are only available to a limited circle of users. This generally applies to e-mail servers (in particular BGer 6B_615/2014, 6B_456/2007), but in my opinion also to social media platforms such as Facebook and Instagram, as well as access to employer systems where employees can log on. If an intention to enrich exists, this behavior is punishable according to Art. 143 CC, namely by office, to the detriment of relatives only on request. If there is no intention of enrichment, the offence according to Art. 143bis CC (also so-called hacker offence) can only be punished on application. In this context, the disclosure of login data may also be punishable by law.

Data falsification

If data are falsified in digital form, this can be a document falsification according to art. 251 CC. In accordance with this article, a person will be punished if he forges or falsifies a document with the intention of damaging someone’s property or other rights or of obtaining an unlawful advantage for himself or another, forges or falsifies a document, uses another person’s genuine signature or hand signal for the production of a false document or incorrectly notarises or has notarised a legally significant fact or uses a document of this kind for deception. Pursuant to Art. 110 para. 4 CC, documents within the meaning of this article are writs which are intended and suitable to prove a fact of legal significance. Records on image and data carriers are equivalent to the written form if they serve the same purpose. Documents within the meaning of Art. 251 CC thus also include PDF documents and e-mails (BGE 137 IV 168 ff.; BGE 6B_130/2012, Erw. 5.4).

Forbidden depictions of violence and forbidden pornography

Forbidden depictions of violence

Pursuant to Art. 135 of the Swiss Criminal Code, anyone shall be punished who makes sound or picture recordings, illustrations, other objects or demonstrations which, without having any cultural or scientific value worthy of protection, portray cruel acts of violence against humans or animals and in so doing seriously violate, produce, import, store, market, advertise, exhibit, offer, show, make available or make accessible the elementary dignity of the human being, acquires himself or herself by electronic means or otherwise procures or possesses such objects or demonstrations. Possession also exists when the will to rule is expressed by downloading relevant data onto a data carrier, since or insofar as the user indicates that he wants to fall back on these images again. Correctly, however, the acceptance of a possession of images in the cache memory is excluded. According to the Federal Court’s case law on Art. 197, para. 3bis of the German Criminal Code (CC), this includes, for example, providing permanent and unlimited access to a website with prohibited images so that the perpetrator can freely dispose of the data, or leaving an e-mail sent on the perpetrator’s initiative with a criminal data attachment in the input memory. The targeted storage of illegal files, on the other hand, is prohibited (BGE 131 IV 20 ff., Art. 197 No. 3bis StGB; Andreas Donatsch, OFK-StGB, StGB 135 N 11 f.).

Forbidden pornography

Pursuant to Art. 197 of the Swiss Criminal Code, anyone who offers, shows, provides, makes accessible or disseminates by radio or television pornographic writings, sound or image recordings, illustrations, other objects of such kind or pornographic presentations to a person under the age of 16 will be punished. Anyone who informs visitors to exhibitions or demonstrations in closed rooms in advance of their pornographic character remains unpunished. Any person who recruits a minor to participate in a pornographic performance or who induces them to participate in such a performance shall also be punished. In addition, anyone who produces, imports, stores, markets, advertises, exhibits, offers, shows, leaves available, makes available, acquires, procures or possesses himself by electronic means or in any other way by objects or demonstrations in the aforementioned sense which involve sexual acts with animals or violence among adults or which do not actually involve sexual acts with minors shall also be punished. Finally, anyone who imports, stores, acquires, procures or possesses objects or demonstrations in the aforementioned sense that involve, consume or produce for their own use, or otherwise procure or possess objects or demonstrations that involve sexual acts with animals or violence among adults or that do not actually involve sexual acts with minors shall be punished. Minors of more than 16 years of age shall not be liable to prosecution if they produce, possess or consume objects or demonstrations in the aforementioned sense by mutual consent. Objects or performances in the aforementioned sense are not pornographic if they have a cultural or scientific value worthy of protection.

[Further discussion to follow]

Personality disabilities

[Text to follow]

Infringement of intellectual property rights

[Text to follow]

Law enforcement in the digital world

The Achilles’ heel of prosecution in the digital world is prosecution itself. In Switzerland, this is essentially the responsibility of the cantons. However, criminal prosecution in the digital world requires very specific know-how and appropriate technical means. In addition, many crimes in the digital world typically have a foreign dimension. In this respect, smaller cantons in particular are overburdened, even though they are constantly upgrading in this area. After all, they receive support from the Federal Office of Police fedpol (see also www.fedpol.admin.ch/fedpol/de/home/kriminalitaet/cybercrime.html), in particular from its Coordination Unit for Combating Internet Crime (CYCOS) and from the Federal Reporting and Analysis Centre for Information Assurance (MELANI).