Doreen Tu — Computer Crimes in Taiwan (October 26, 2010)
ø
On October 26, 2010 Taiwanese prosecutor and Berkman Fellow Doreen Tu presented on web exceptionalism and the evolving treatment of computer-related criminal offenses in Taiwan. Doreen’s lively and thoughtful presentation offered interesting insights into the practice of law in Taiwan, on a subject of transnational import — as criminal impulses increasingly find their outlet online.
[Apologies to all — and especially Doreen — for the delay in writing up these notes. Brad A.]
In 2003 Taiwan amended its Criminal Code to add a new chapter describing computer-related crimes. Prior to these amendments, Taiwan prosecuted computer-related offenses under the existing laws, which for the most part were adequate to reach online conduct of concern to prosecutors. A series of criminal complaints in the early 2000s put this assumption to the test, and ultimately the state determined that it needed computer-specific crimes on the books.
Doreen asked: do we need to define specific “cybercrimes,” or are cybercrimes simply an online manifestation of ordinary criminal conduct, albeit accomplished with different tools (and against different targets)?
For a period of time, the principal “cybercrimes” that had the attention of prosecutors in Taiwan were crimes with obvious “hard-copy” analogues that perpetrators had carried over onto the Internet. The existing Criminal Code was appropriately enforced against online instances of fraud, illegal gambling, child pornography and copyright infringement. Efforts to prosecute unauthorized access to or destruction or deletion of electronic data required a further analytical step: the law was required to treat electronic data as “property” or “documents.” Nonetheless, once this interpretation took hold, the state could bring appropriate charges under the existing laws proscribing vandalism or theft.
Then “Lineage” came along to challenge this paradigm. Lineage is a popular online computer game, and Doreen credits it for triggering the 2003 amendments to the Taiwanese Criminal Code. The game originated in South Korea — we’ve translated the title to mean “Lineage,” whereas in Chinese the game’s title means “Heaven.” The game made a splash in Taiwan around 2000. It requires a user ID and password, and through gaming effort players obtain “virtual property” (e.g., weapons, jewelry) that can be traded among the players. These properties are valuable enough — that is, they require enough of an investment of in-game time and effort to acquire — that they have real-world value to the players. As a result, websites have appeared to facilitate exchange of Lineage properties.
One especially valuable Lineage resource is the invisibility cloak, about which Doreen tells the following story:
A teenage Lineage player traded for an invisibility cloak. He later entered his user ID and password into Lineage, logged into the game, and found that he did not have it anymore. It had vanished. The player took his complaint to prosecutors. “My invisibility cloak was stolen,” the youth told the Prosecutor on Duty, a colleague of Doreen’s. The Prosecutor on Duty had no idea what to make of this, but following the investigator’s handbook, he asked appropriate questions, including “Where did you last have it?” “Heaven,” the complainant answered. This answer did little to relieve the PoD’s confusion.
A cascade of similar complaints to Doreen’s office — each involving lost or stolen Lineage artifacts — followed. A common element emerged: all of the victims had been playing Lineage in the same Internet café. Investigators came to understand that a single perpetrator had infected the machines, managed to obtain the user IDs and passwords Lineage players had entered at the cybercafé’s terminals, and, having appropriated the online identities of the users, disposed of their Lineage properties.
Prosecutors struggled to identify appropriate criminal charges for this conduct. The “invisibility cloak” was an “electromagnetic record,” and therefore a form of property under Taiwanese law. A theft charge would stick, as a legal matter. And yet the government came to realize that the Criminal Code did not describe offenses that would reach the conduct prosecutors wanted to punish — namely, the infection of the café’s computers with malware and the abuse of third-party user authentication information. Infecting a computer with the malware necessary to swipe the ID information would not qualify as “destruction” of or damage to property sufficient to support a vandalism charge. Likewise, there was no specific criminal charge available under Taiwanese law to punish the unauthorized access to another person’s Lineage account. You could use that unauthorized access that to accomplish theft (as here), or, conceivably to defraud a third party. But the access itself was no crime.
Nor was the Criminal Code written to punish other, more advanced forms of cybercrime, like a distributed denial-of-service attack.
Lawmakers responded with the 2003 amendment introducing Chapter 36 (“Offenses Relating to the Use of Computers”) into the Criminal Code. Doreen displayed translations of Chapter 36’s six articles. I couldn’t type fast enough to transcribe them, but here are two I found elsewhere on the Net:
Article 358: “Unauthorized access to another’s computer or related equipment by means of the use of another’s confidential account number code, or by circumventing protective measures, or the act of discovering and exploiting loopholes in a computer system shall be punished by up to three years in prison, jail or fines of up to NT$100,000, or both.”
Article 359: “Unauthorized acquisition, deletion, or alteration of the electromagnetic records of other’s computer or related equipment resulting in damage to the public interest or the interest of an individual person is punishable by up to five years in prison, jail or fines of up to NT$200,000, or both.”
The introduction of Chapter 36 reflects lawmakers’ judgment that the Internet is exceptional. It was not enough just to punish the theft of a virtual cloak of invisibility under the existing provisions of law: the manner in which the theft was accomplished, i.e., through the use of computers, cried out for legal treatment.
Doreen considers another, more recent example. In April 2008 “Bahamut,” another important online game, with some 2.5 million users, was overcome by a DDOS attack. Bahamut’s principals received the following anonymous message by email the next day, written in simplified Chinese characters (suggesting that the message came from Mainland China):
“Sorry for launching the attack yesterday. It revealed the vulnerabilities of your website. We are the unofficial agent of World of Warcraft, and we’d like to know if we can place an advertisement on your website.”
Understanding that the Taiwanese government is not in a position to investigate crimes committed in Mainland China, Bahamut never filed a complaint with the police. Doreen points out that, again, an obvious “offline” crime — blackmail — could be charged on these facts.
Likewise the Zeus Botnet, which resulted in banks loses billions of dollars earlier this year: this was a simple case of fraud, but accomplished online, with computer code, on a massive scale.
Doreen describes the challenges Taiwan faces with respect to Internet crimes. First, the perpetrators of online crimes are easily hidden — and they may conduct criminal enterprises from remote locations, perhaps abroad. Second, online crime is more difficult to investigate. Warrants are difficult to obtain, and there is too little cross-border cooperation. Third, systems are insecure: small and medium-sized companies do not have competent IT managers.
Doreen explains that Taiwan proposes to tackle this last problem legislatively: a new data protection law recently issued, imposing a legal obligation on companies to protect personal data on their servers. Laws like these turn out attention to the most important question we face on this subject: who should share the responsibility to protect cyberspace? At the government level, criminal and administrative agencies can take the lead. But can government solve the problem on its own? Consider the “ecosystem” of botnet: malware writers and controllers of botnets are criminally liable. Should software companies that generate and release insecure software have some liability? ISPs that use pirated, insecure software? “Mules” who provide identity fronts to criminal actors? “Victim” companies that use insecure systems and don’t adequately protect other people’s data?
Doreen stopped to take questions. [My coverage of the ensuing discussion is incomplete, because at a certain point I put aside my computer so that I could participate. But here’s what I have.]
Q: What did you mean by “mules?” Doreen: the term we use in Chinese translates to “human head.” Suppose a perpetrator needs someone to manage a bank account to receive the proceeds of online fraud. The perpetrator pays a person to open an account and allow the perpetrator access. The mule himself/herself often has very little knowledge of who had control of the account.
Q: Do I understand correctly that in Taiwan the state cannot bring charges absent a complaint? Doreen: Yes. It’s common in civil law countries to require a victim to initiate the criminal complaint. The government needs to clear a certain evidentiary threshold to proceed, and a complaint requirement establishes harm as well. Where, as in the Bahamut case, the victim is reluctant to come forward, the complaint requirement can impair investigations.
Q: What’s a good way to handle cross-border criminal activity? How do we balance one nation’s sovereignty concerns with another’s need to enforce the rule of law? Should there be some international institution that conducts/ manages transnational criminal investigations? There have been efforts to improve international cooperation on evidence collection.
There followed discussion of a recent matter one of the practicing attorney Fellows had handled. The case involved fraudulent purchase orders sent to vendors by email; the emails came from an account with a domain name suggesting a false affiliation with a large institutional buyer. The domain name had been bought with a stolen credit card: “whois” information revealed that the credit card’s owner, a resident of South Carolina, owned the domain. Investigators reviewed the email headers and traced the messages’ origin to Nigeria. How do we tackle crimes of this nature?
