"Phishing" and the Improvement of the Criminal Law

Wang Longguo, Shanghai Hengjie Law Firm

[Abstract] "Phishing" is a form of network fraud that has been on the rise since the mid-1990s. It first appeared in the United States around 1996 and quickly spread to other developed capitalist countries in Europe. In recent years "phishing" attacks have also occurred frequently in China, and the situation is growing worse. The international community has responded actively to such acts: the US federal and state governments have regulated "phishing" through criminal legislation, whereas our country's criminal law appears somewhat weak in combating such behaviour and needs to be improved.

[Key words] Phishing; criminal regulation; improvement

 


[Subject] Improving the system of criminal law regulating phishing

 

I. "Phishing" and its essence

"Phishing" is a form of network fraud that has been on the rise since the mid-1990s. It first appeared in the United States around 1996 and quickly spread to other developed capitalist countries in Europe. In recent years "phishing" attacks have also occurred frequently in China, and the situation is growing worse.

"Phishing" is a word that has only recently emerged; it has no precise meaning and is not a legal term in the strict sense. Generally speaking, "phishing" refers to the use of fraudulent e-mails and forged websites to commit fraud: visitors are deceived into providing personal information such as credit card numbers, account numbers and social security numbers, which is then used to obtain illegitimate benefits. The Anti-Phishing Working Group (APWG) defines "phishing" as an online theft activity that uses social engineering and technology to steal consumers' personal identity information and financial account credentials.[1] The US Department of Justice holds that "phishing" refers to creating or using e-mails and websites that resemble those of well-known legitimate businesses, financial institutions and government agencies in order to deceive network users into revealing their bank and financial account information or other personal information such as user names and passwords.[2] The Japanese National Police Agency defines "phishing" and "phishing fraud" as follows: "Phishing is the act of sending mail disguised as coming from a bank or other enterprise, guiding the recipient to a false web page, having them enter personal financial information (credit card number, ID, password) on that page, and thereby illegally obtaining their personal financial information. Obtaining money on the basis of this information is called phishing fraud."[3]

From the above definitions of "phishing" we can see that its specific connotation has no unified definition: the Japanese National Police Agency treats only acts of "obtaining personal financial information" as "phishing", while in the United States both the Department of Justice and the APWG treat the theft of other personally identifiable information, as well as of personal financial information, as "phishing". Judging from the actual "phishing" cases in various countries of the world, the APWG definition is the more representative. "From a legal point of view, the essence of phishing is identity theft."[4] The author holds that any act of using a computer network to lure others into disclosing their personal identity information without their knowledge is "phishing".

II. Forms of "phishing"

In order to obtain others' true identity information by fraud effectively, "phishing" takes a variety of forms. Unlike viruses, hacker attacks and other attacks that damage the computer user's machine, "phishing" mainly exploits human psychological weaknesses to trick users into giving up sensitive data. The main forms of deception are:

1. Sending e-mails with false information to lure users into a trap. Fraudsters mass-send fraudulent messages as spam. The contents of these messages, about prizes, consulting services or account checks, lead users to enter their financial account numbers and passwords in the mail, or, on some pressing pretext, require the recipient to log on to a web page and submit their user name, password, ID card number, credit card number and other information, after which the user's funds are stolen.

2. Faking an online banking or online securities website, or sending false links, to defraud users of their account passwords. Criminals set up websites whose domain names and page contents closely resemble the real online banking system or online securities trading platform; once users enter their account numbers, passwords and other information, the criminals steal funds through the real online bank or online securities system, or by forging bank savings cards or securities trading cards. Others use cross-site scripting, that is, they exploit flaws in the server programs of legitimate websites to insert malicious HTML code into some of the site's pages, masking the important information that could be used to tell the real site from a fake one, and use cookies to steal user information.

3. Using false e-commerce for fraud. This kind of crime is usually committed by setting up an e-commerce website, or by publishing false information about goods for sale on well-known large e-commerce sites; after the victim has shopped and the remittance has been received, the criminal disappears. For example, in 2003 a criminal set up a website called "Special Equipment Net", published false information about selling spy equipment and hacking tools, lured customers into paying their purchase money into multiple bank accounts opened under false identities, and then transferred the money away.

4. Using Trojan horses and hacker techniques to steal user information and then commit theft. Trojan makers spread Trojan programs wantonly by sending them by mail or hiding them in websites; when an infected user carries out online transactions, the Trojan program obtains the user's account number and password by recording keystrokes and sends them to a specified mailbox, seriously threatening the user's funds.

5. Exploiting users' weak passwords to guess account numbers and passwords. Criminals exploit the loophole that some users set weak passwords for convenience in order to crack bank card passwords. For example, in October 2004 three criminals searched online for bank card numbers, logged on to the online banking site and tried to crack weak passwords, often successfully.

6. Pharming attacks. Pharming first appeared in 2004; it compromises the DNS (Domain Name Server) so that users are guided to a fake website, and is therefore also known as DNS poisoning. The function of a Domain Name Server is to convert a website name (for example www.google.com) into its IP address (for example 125.13.213.1). Once the DNS has been compromised, users passing through the DNS name-to-IP conversion are imperceptibly "guided" to a fake website, giving the hacker an opportunity to steal their confidential information.
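As an added defensive illustration, not part of the original article, the following Python script checks an HTML e-mail for the indicators described under forms 1 and 2 above: links to look-alike domains, link text that shows one address while pointing to another, links to bare IP addresses, pressure phrases and requests for credentials. The trusted-domain list, the phrase lists and the three sample messages are constructed for this example (the IP address is the one quoted above).

```python
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Hypothetical allowlist of the organisation's own domains (constructed for this example).
TRUSTED_DOMAINS = ("examplebank.com",)
# Bait the text describes: prizes, urgent "account checks", requests for credentials.
URGENCY_PHRASES = ("verify immediately", "account will be suspended", "you have won")
CREDENTIAL_TERMS = ("password", "card number", "id number")
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable-domain cut (last two labels); sufficient for the samples here."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(link: str) -> str:
    """Hostname of a URL or bare address, lower-cased ('' if none)."""
    if "://" not in link:
        link = "http://" + link
    return (urlparse(link).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs and all body text from an HTML mail."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def phishing_indicators(html: str) -> List[str]:
    """Return the phishing indicators found in one mail body (empty list = none)."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    body = " ".join(parser.text).lower()
    found = []
    for href, text in parser.links:
        host = host_of(href)
        if IP_LITERAL.match(host):
            found.append(f"link to bare IP address: {host}")
            continue
        reg = registrable(host)
        if reg not in TRUSTED_DOMAINS:
            for trusted in TRUSTED_DOMAINS:
                if edit_distance(reg, trusted) <= 2:
                    found.append(f"look-alike of {trusted}: {host}")
        # Visible text that itself looks like an address but differs from the real target.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and registrable(shown) != reg:
            found.append(f"link text shows {shown} but points to {host}")
    for phrase in URGENCY_PHRASES:
        if phrase in body:
            found.append(f"pressure phrase: '{phrase}'")
    for term in CREDENTIAL_TERMS:
        if term in body:
            found.append(f"asks for credential: '{term}'")
    return found


# Constructed samples: a fraudulent notice, a bare-IP lure and a benign notice.
PHISH_MAIL = (
    "<p>Dear customer, your account will be suspended. Verify immediately at "
    '<a href="http://examp1ebank.com/login">www.examplebank.com</a> '
    "and enter your password and card number.</p>"
)
IP_MAIL = '<p>Please confirm your details <a href="http://125.13.213.1/verify">here</a>.</p>'
LEGIT_MAIL = (
    '<p>Your statement is ready. Sign in at <a href="https://www.examplebank.com/">'
    "our site</a> to view it.</p>"
)

if __name__ == "__main__":
    for name, mail in (("phish", PHISH_MAIL), ("ip", IP_MAIL), ("legit", LEGIT_MAIL)):
        print(name, phishing_indicators(mail))
```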

III. Defects of the current criminal law in regulating "phishing"

China is seriously harmed by "phishing", yet it has no legal norms directly targeting phishing. The role of the current criminal law in combating "phishing" is quite limited.

The provisions of the 1997 Criminal Law directly concerned with computer or network crime are Articles 285, 286 and 287. Article 285 provides that whoever, in violation of state regulations, intrudes into a computer information system in the fields of state affairs, national defence construction or sophisticated science and technology commits the crime of illegal intrusion into a computer information system. Under this provision, the objective aspect of the crime is the act of intruding, in violation of state regulations, into computer information systems in the fields of state affairs, national defence construction or advanced science and technology. Obviously, every kind of phishing ultimately aims to obtain others' personal information and reaches that goal through the individuals themselves, not by intruding into systems in the fields of state affairs, national defence construction or advanced science and technology; this crime therefore cannot be used for conviction. Many scholars researching computer crime have proposed that the object of the crime of illegal intrusion into a computer information system, limited to "computer information systems in the fields of state affairs, national defence construction and sophisticated science and technology", is too narrow, and that the object of the crime should be expanded so that computer information systems in important fields such as finance, medicine, transport and shipping are also brought within the scope of protection.[5] If the object of the crime under Article 285 were expanded in this way, phishing acts in which the fraudulently obtained personal information and passwords are used to enter the banking system and transfer money could probably be convicted under it. At the same time, we would only need to treat the use of another person's login password to enter the banking system as "illegal intrusion".
Indeed, one form of "intrusion" is impersonation; "intrusion" usually covers "impersonation", "attack", "back door", "trap door" and so on.[6] However, some scholars hold that, while the starting point of these recommendations is good, they easily lead to arbitrariness in criminal legislation: which fields' computer information systems should be protected by the criminal law, and which need not be, requires a definite criterion and cannot be judged by our subjective will. The basis of their argument is that, from the perspective of foreign legislation, the single act of illegally intruding into a computer system is not by itself made a crime; other elements must also be present, whether a certain result of the act, a certain purpose, or the use of certain means, failing which the act is not punished. China's criminal law limits the scope of the crime through the object of the crime, whereas foreign laws generally limit it through the result or the purpose of the crime. The problem is that limiting the scope of the crime through its object raises the question of a standard, namely by what criterion the importance of a computer system is to be judged.[7] From the above analysis it can be seen that the crime of illegal intrusion into a computer information system cannot regulate current "phishing" behaviour, and even if the object of the crime were expanded it still could not meet the need to combat "phishing".

Article 286 of the Criminal Law provides that whoever, in violation of state regulations, deletes, modifies, adds to or interferes with the functions of a computer information system, causing it to be unable to operate normally, with serious consequences; or, in violation of state regulations, deletes, modifies or adds to the data stored, processed or transmitted in a computer information system, with serious consequences; or intentionally creates or spreads computer viruses or other destructive programs that affect the normal operation of a computer system, with serious consequences, commits the crime of sabotaging a computer information system. One form of "phishing", namely the use of Trojan horses and hacker techniques to steal user information, often works precisely by using Trojans or other destructive programs that affect the normal operation of the computer system in order to obtain personal information. This form of "phishing" matches the objective aspect of the crime to a certain extent and seems punishable under it. However, all three forms of the crime require "serious consequences" before a crime is constituted. If a phisher steals the personal information of many people, or steals the data of not so many people but causes the victims' privacy to be leaked, or causes a victim to commit suicide or take revenge on society because of the theft of their personal information, we can still say the consequences are "serious" and convict. Otherwise, when a phisher steals the personal data or identity information of a few people, it is very difficult for us to establish "serious consequences", because there is no standard. Therefore this crime also cannot bear the function of combating "phishing" under the criminal law.

Article 287 of the Criminal Law provides that whoever uses a computer to commit financial fraud, theft, corruption, embezzlement of public funds, theft of state secrets or other crimes shall be convicted and punished under the relevant provisions of this Law. This article concerns the use of a computer to commit property or other crimes, that is, traditional types of crime in which the computer is merely a tool; it therefore should not be used to combat the phishing act of defrauding others of their personal data.

Although the provisions of our current criminal law that directly regulate computer and network crime cannot directly cover the act of defrauding others of their identity information and passwords, there is one special kind of identity information that is protected because of a special provision of our criminal law, namely credit card information. If a phisher steals network users' credit card account numbers, passwords and other information, this constitutes the crime of impairing the administration of credit cards under Article 177 of the Criminal Law.

Another kind of phishing act may also be subject to regulation under China's current criminal law: where the faked website also forges, or makes without authorisation, the marks of another person's registered trademark, and the circumstances are serious, it constitutes the crime of illegally manufacturing registered trademark marks under Article 215 of the Criminal Law.

From the above analysis it can be seen that our current criminal law is basically unable to regulate the increasingly fierce phishing of today.

IV. Preliminary thoughts on adding a new crime to regulate "phishing"

1. The scholars' propositions and their analysis

How should a new crime be established to combat "phishing"?

One class of scholars, referring to Canada's legislative model, proposes a crime of identity or an identity-related crime, holding that "identity crime or identity-related crime is the illegal acquisition, possession, collection, dissemination, sale, use and forgery of identity information, documents and marks."[8] A second class, drawing on the American legislative model, proposes a crime of identity theft, holding that "identity theft refers to the illegal act of stealing identity-proving information in order to obtain money, goods, services or other benefits or to evade obligations and responsibilities."[9] "Identity theft" refers to the crime of stealing and using personal data that identifies others and obtaining illegal economic benefits from others' data.[10] A third class holds that, "with reference to Criminal Law Amendment (V) and the Criminal Law's provisions on the crime of illegally obtaining state secrets, the crime of illegally obtaining military secrets and the crime of infringing trade secrets, China's criminal law should add a crime of illegally obtaining or disseminating identity information."[11] A fourth class advocates providing for a crime of phishing, suggesting: "Whoever, for the purpose of using identity information illegally or criminally, intentionally uses fake e-mail messages, web pages, websites or other network technology means to fraudulently obtain Internet users' identity information shall be sentenced to fixed-term imprisonment of not more than three years, criminal detention or public surveillance, or a fine."[12]

The propositions of the first, second and third classes of scholars are not made solely for the "phishing" phenomenon: they are aware not only of the harm of phishing but also of the harm of other acts of stealing identity information that are similar in nature to "phishing". These scholars try to use a more inclusive crime to cover all the identity-information crimes existing in society, and their idea is justified. However, each of these three propositions also has its defects.

The first class of scholars advocates a comprehensive crime of identity information or identity crime. The characteristic of this proposition is its wide scope: as long as an illegal act relates to identity information it can be brought within the crime, even the mere "possession" of others' identity information. In fact, however, China's criminal law is restrained in creating "possession" type crimes: in general only the possession of objects strictly prohibited by the state is made a crime, for example the crimes of illegal possession of firearms and ammunition, illegal possession of drugs, illegal possession of documents, materials or other items classified as state secrets, and possession of counterfeit currency, where the object itself is prohibited by the state from private possession. Others' identity information obviously has no such quality, so defining the "possession" of others' identity information as a crime is too harsh. Moreover, "phishing" usually steals identity information in order to use it to commit further illegal acts; if we evaluate the behaviour as a whole we cannot avoid evaluating the subsequent behaviour as well, so in a crime of phishing we should consider not only the act of stealing identity information but usually also the motive behind the theft.

The second class of scholars proposes a crime of identity theft, which evaluates the illegal acquisition of others' identity information together with its subsequent behaviour. But our criminal law already evaluates the illegal use of another person's identity information, and if an identity-information crime is created without considering the existing criminal law, some legal overlap (concurrence) will arise. For example, our criminal law already criminalises some of the subsequent acts following the illegal acquisition of another's identity information, such as the crime of forging or altering identity cards, the crime of fraud, the crime of money laundering and the crime of credit card fraud. Therefore, although providing for a crime of identity theft can hit "phishing", there will be some overlap with the existing criminal law.

The third class advocates establishing a crime of illegally obtaining or disseminating identity information, which narrows the scope considerably compared with the first proposition. Even so, it cannot accurately hit "phishing" behaviour. In "phishing", the theft of others' identity information and the subsequent fraud are carried out by the same person, or by a person who handles and controls the whole process, in two stages: the acts before and after follow one another, the purpose is clear and the motive is the same. Under a crime of illegally obtaining or disseminating identity information there will be cases where the actor steals identity information and then sells it to intermediaries or buyers, possibly passing through many hands; defining all of these behaviours as crimes is obviously undesirable, because among these actors some may engage purely in the sale of information, their motives differ, and evaluating all of them as the same crime is unfair.

The fourth proposition provides for a separate crime of phishing, which is certainly desirable from the point of view of combating "phishing". Whenever a new kind of illegal act appears we have reason to prescribe a crime for it in the criminal law, but in the long run this practice also has a drawback. Increasing the number of new crimes makes the criminal law unstable and liable to change at any time, which reduces people's understanding of the criminal law and their ability to predict it; and responding in this way to every new situation shocks the system and structure of the current criminal law. Therefore, when adding new crimes we must consider this issue, both maintaining the stability of the current criminal law system and bringing new crimes within its regulation. For the "phishing" phenomenon we can add a crime of phishing, but in establishing it we must clearly define its connotation, be forward-looking, fully consider possible future situations, and analyse and demonstrate the case for it. Only in this way can a newly established charge maintain its stability and feasibility, have declaratory significance, and be able to strike similar behaviour in the future, so that the crime does not become a merely temporary, transitional response to the situation of the moment.

2. The author's suggestions

Based on the above analysis, the author advocates adding a crime of identity theft after the crime of sabotaging a computer information system in Article 286 of the Criminal Law, as Article 286-1. The specific recommendation is as follows:

"Whoever uses Internet techniques such as fraudulent or counterfeit websites, e-mails or web pages, Trojan horses or other destructive programs, or the cracking of weak passwords to steal identity information shall, if the consequences are serious, be sentenced to fixed-term imprisonment of not more than 3 years, criminal detention or public surveillance, or a fine; if the consequences are especially serious, to fixed-term imprisonment of 3 to 7 years, or a fine.

Whoever steals identity information by means other than Internet techniques shall, if the consequences are especially serious, be sentenced to fixed-term imprisonment of not more than 3 years, criminal detention or public surveillance, or a fine.

'Identity information' in this Article refers to: ① bank account numbers and passwords; ② credit card passwords; ③ identification numbers of all kinds; ④ network passwords and passcodes of all kinds; ⑤ other personal information that can be used to identify another person."

The first paragraph of this article is the crime of identity theft using Internet technology; the second paragraph is the crime of identity theft without using the Internet. As long as identity information is illegally stolen with serious consequences, the offender is convicted and punished. Considering that identity theft is mainly carried out through the tool of phishing, such behaviour is specially provided for and punished more heavily.

The constituent elements of the crime of identity theft are as follows:

The subject of the crime of identity theft is a general subject: any person who has reached the age of criminal responsibility and has the capacity for criminal responsibility, that is, a person at least 16 years old with normal mental capacity, can be the subject of the crime. The author holds that, from the angle of nipping problems in the bud and taking future developments into account when considering the subject of crime in the criminal law, a unit (organisation) can also constitute this crime. Although no case of a unit illegally stealing identity information has occurred so far, this does not mean that none will appear. In May 1990 Japan discovered the first case of a computer virus being used as a means of struggle between companies: a Japanese company, seeking an unfair competitive advantage, used a computer virus in an attempt to destroy data files in Sharp Co.'s X6800 microcomputer system.[13] In China there has also been a case of a unit making and spreading a program that destroys computer systems in order to protect its own interests at the expense of others: in late June 1997, Jiangmin Company, in order to combat software piracy, planted a "logic bomb" program in version L++ of its KV300 antivirus software.[14] From these two cases we can see that units may well commit crimes using computer networks. We therefore cannot rule out that in the future some company or organisation will, in pursuit of illegal gains, steal customer identity information or other identity information through phishing; this is entirely possible. Moreover, some companies, enterprises and other units, banks among them, themselves hold a great deal of customer information, which makes it all the more convenient for them to steal and disseminate identity information. Compared with individuals, units often have more abundant capital and technology, and once they commit this kind of crime the consequences will be more serious than for crimes by natural persons.
In view of this, theft of identity information by units can also violate the provisions of the criminal law.

The subjective aspect of the crime of identity theft is intent. Negligence does not constitute the crime of identity theft; only intentionally stealing identity information illegally, or knowingly obtaining illegally acquired identity information and deliberately disseminating it, constitutes these two crimes. The actor's motives may vary, but regardless of whether he intends to carry out follow-up acts after the identity theft, the crimes are complete once the act of "stealing" has been carried out.

The objective aspect of the crime of stealing identity information using Internet technology is: using network technology, sending fraudulent e-mails, faking websites or web pages, writing Trojan horses or destructive programs, or deciphering weak passwords or passcodes, to steal the identity and identification information of others. As long as the actor carries out the above acts with the purpose of stealing others' identity information, his conduct matches the objective aspect of the crime and is punishable, regardless of whether the identity information is later used to commit an illegal act. The crime is completed when the actor obtains control of others' identity information. If the actor both carries out this act and uses the stolen identity information to commit other subsequent crimes, this constitutes this crime together with the other crime, and should be punished under combined punishment for several crimes. The specific ways of stealing others' identity information through network technology have been discussed above. The objective aspect of the crime of identity theft without using Internet technology is: stealing identity information by any means other than Internet technology. People steal others' identity information either for their own use, to sell for profit, or driven by some other unlawful purpose, and disseminate it without the owner's agreement, causing major damage to the owner's interests; in such cases the actor's behaviour matches the objective aspect of the crime.

The crime of identity theft infringes the security of computer information systems and undermines the state's order of administration of computer information systems. At the same time, it infringes the exclusive right of others to their identity information and their right to use it.

Based on the above analysis, the author holds that phishing, as identity theft, is a serious criminal act, and that with the rapid development of computer and network technology phishing will become a trend. At present our criminal law is basically blank on this, which brings difficulties to judicial practice in preventing and combating phishing. Therefore, it is necessary to strengthen theoretical and practical research into phishing and raise awareness of the related issues, so that the criminal law can adapt to the changes in social life brought about by the progress of the information technology revolution.

 

 


[1] See Chen Ling, "Phishing and its criminal regulation", in Politics and Law, 2008, no. 8, p. 40.

[2] Ibid.

[3] Yin Lin, "The current situation of phishing in Japan and countermeasures", in Gu Xiaorong (ed.), Economic Law (7), Shanghai Academy of Social Sciences Press, 1st ed., 2008, p. 178.

[4] Ren Chuanlun, Yang Yixian, Feng Zhaohui, "Development trends of phishing attacks and legal countermeasures", in Network Security Technology and Application, 2007, no. 6, p. 87.

[5] See Sun Jingxian, An Yongyong, A Study of Network Intellectual Property Crime, 1st ed., 2006, p. 178.

[6] See Hu Guoping, "Identification of four types of computer crime", in Zhao Bingzhi (ed.), Special Topics on Computer and Network Crime, Chinese People's Public Security University Press, 1st ed., 2007, p. 145.

[7] Sun Jingxian, An Yongyong, A Study of Network Intellectual Property Crime, 1st ed., 2006, pp. 178-179.

[8] Yang Cheng, "International trends in identity crime legislation and their implications", in Politics and Law, 2008, no. 8, p. 35.

[9] Min Qingfei, Ji Shaobo, Zhong Qiuyan, "Identity theft, its governance and research trends", in Public Management, 2007, no. 1, p. 51.

[10] Jiang Wen, "Identity theft in America", Procuratorial Daily, 9 December 2002.

[11] Chen Weigang, Zhang Shaolin, "On the crime of illegally obtaining or disseminating identity information", in Gu Xiaorong (ed.), Economic Law (7), Shanghai Academy of Social Sciences Press, 1st ed., 2008, p. 158.

[12] Chen Ling, "Phishing and its criminal regulation", in Politics and Law, 2008, no. 8, p. 44.

[13] Yang Bo, "Reflections on several legal issues of computer crime", in Law and Business Studies, 1995, no. 1, p. 68.

[14] Shou, "The logic bomb in Jiangmin's KV300 software", http://www.blogchina.com/new/display/806.html, accessed 30 April 2009.