Greater China refers to Mainland China (China), Hong Kong, Macau and Taiwan. Mainland China is the People’s Republic of China (PRC), Hong Kong and Macau is its “special administrative region” (SAR). Taiwan is officially known as the Republic of China (ROC). Although currently there are some political issues between Mainland China and Taiwan, but since cyber wrongs are borderless and the problem facing Mainland China is also faced by Taiwan and vice versa. Thus, in this article will be discussing about cyber wrong in Mainland China together with an important recent case occurred in Taiwan.
Cyber wrongs covers cyber crimes and cyber torts. Traditionally speaking, when we talk about tortious liability and criminal liability, although there are a lot of similarities between the two, but nevertheless, they are still two different sets of laws. One major difference between them is the standard of proof. In criminal law, in able to find one guilty, it must be proven beyond reasonable doubt, but under the law of torts, once satisfy the balance of probability, it would be sufficient to find one liable.
Another difference between the two is that in the Common Law society, usually when we talk about criminal liabilities, it would be something that the police would involved, but when we talk about torts, usually it would be seen as a civil matter and normally the police would not be involved. This is not necessary the case in China when we talk about cyber wrongs.
China has one of the largest Internet users in the world and currently till 2013, there are 590,560,000 people hooked up onto the Internet. [2] Attached to this enormous number of users is of course a huge amount of right infringement cases. Currently, based on many cases and practical experiences, many of these cases although had a tortious nature, but nevertheless, they had been channeled through criminal proceedings, which means usually involved with police.
This may be reflecting the reality of China’s current legal practice, as the police does not get themselves involves with pure civil cases, but evidence discovery in China is one major problem in any kind of civil cases (in which China does not have the system of interim injunctions for evidence discovery yet) not to say the difficulties of discovery when dealing with the Internet and computer. Thus, based on the current experience, in China when one tries to seek the remedy for infringements of their legal right in cyber spaces, if they do not go through the criminal channel (if possible) and let the police get involved, their chance of achieving the desired remedies would be very slim. One exception to this of course is defamation, in which if proven, one could seek pure tortious damage and many cases had been successfully litigated in which we would be looking into closely later.
Therefore as tortious remedies are more abstractive than criminal sanctions here in China, usually when we talk about cyber wrongs, people usually pointing at criminal sanctions, such as cyber fraud, theft, hackers and cyber pornography. In other words, cyber crimes. In this chapter, cyber crimes and cyber wrongs will be equally used in many regards if not specifically talking about cyber torts.
With a more tortious side of cyber wrongs, as mentioned earlier, defamation would be looked into, but defamation in China are also mostly leaning towards criminal sanctions. Another type of cyber wrongs perhaps more unique in China, known as “cyber hyper” and “cyber hitman”. Cyber hitman is theorically illegal in China but difficult to identify and prosecute them. On the other hand, the legal position of cyber hypers are not that clear at all. Currently there is no any law which clearly suggest this kind of practice as legal or illegal, but on August 2013, the Chinese government arrested two famous cyber hypers known as “Li Er Chai Si” (立二拆四)and “Qin Huo Huo” (秦火火)for spreading rumors and defame public figure. [3] This is interesting because this shows that the Chinese government is willing to battle with this kind of practice head on and more related law may be implemented accordingly. This would be look closely later in this article.
Besides this kind of more general or should we say more traditional kind of computer wrongs, although done through computer obviously, but the central concept has not be much more than physical crimes, so of it even quite low tech. So if we say those general kind of computer wrongs in many regards instead of saying it is a cyber crime, it is in fact more looking like a mind game. For example, in cyber fishing, it is really a battle between the fishermen (cyber criminal) and the fish (the victim). However, on 10th July, there was a bank in Taiwan which was heisted by some foreign criminals by some malwares implemented into that bank’s internal system and as a result, that bank’s ATM machines were spilling cash while no one was physically controlling it. This is perhaps a new kind of computer thief, with a large amount of commercial consequence. We will be looking at this case closely towards the end of this article.
Chapter Ⅱ: Cyber Fraud
According to the People’s Republic of China Criminal Code (Criminal Code) (中华人民共和国刑法)Article 287:
“Whoever uses a computer for financial fraud, theft, corruption, misappropriation of public funds, stealing state secrets, or other crimes is to be convicted and punished according to relevant regulations of this law.”
Therefore, when we talk about cyber fraud, basically, this could be seen as possibly divided into two categories: one is fraud which involves cyber technologies, such as Phishing (web fishing), and the other basically use web as a medium to perform traditional fraud, such as shopping fraud, misrepresentation of good, false advertisement, etc.
The Characteristic of Cyber Fraud
Fraud means one cheats another person for economic gains or other purpose into believing in something either does not exist or into believing something that does not consistent with what that person believed. The important elements here are the intention (Mens Rea), whether if the original cheater had the intention of creating such fraud. If however fraud was only the consequence but the original creator did not possess the relevant intention for making such a fraud, then the matter may be misrepresentation instead of fraud.
Cyber fraud indicates offense that are being carried out by the criminals with the computer network and Internet facilities. Originally the computer frauds were limited to the extent of stealing data, tampering records, account balances, stealing bank accounts, salary payments, etc. However, with the connection of Internet would wide, the possibilities of committing fraud have increased beyond national borders, and now it usually involves creating a scheme that aims to cheat people into believing a particular scenario thus spending money or transferring funds on it.
Certain inherent features of Internet, such as anonymity, cost effectiveness, breadth of reach, difficulties in authenticating identity, etc. have made it difficult too check fraudulent acts. A fraudulent investment scheme looking credible and genuine may be put on advertisement all around the world within seconds and on the cost of hooking onto the Internet through Internet and email service. So it is much easier for a computer fraud to find gullible customers at large number through the net service. The possibility of such fraud is obvious in the field of e- commerce also where goods and services are obtained online and payments are made through credit cards or such other based instruments.
Phishing (Web Fishing)
As mentioned previously, cyber fraud usually involves creating a scheme that aims to cheat people into believing a particular scenario and spends money on it, thus Phishing is one of the most obvious one of them. Phishing means web fishing, a combination of the word phone and fishing. Usually means a person sending out fraudulent emails or creates a website making people into believing the emails or website is from a credible source and willing to submit their credit card password, identification card numbers, computer account passwords or email accounts passwords etc. Then they would use such information for further crime, such as stealing credit card funds, using people’s identity to do other things illegal or creating another bigger fraud based on the information they fished. [4]
It used to be that stealing people’s Internet online time was one of the major characteristic for this kind of fraud during the days that a person’s Internet access time from their account could only allow them to get access to the Internet for a certain period of time, once they used up their time, they must pay further to the Internet service providers. Thus Phishing got an intended person to access another person’s Internet account and used up that person’s time allowance without paying. However, currently, due to the advancement of technology, most of the Internet providers, at least in China allowed their subscribers to access the Internet without time or data limitation for a set amount of fee. As a result, this kind of fraud basically has been disappeared in China. On the other hand, in countries like Australia, Internet account was not charge for time access but rather base on data usage due to bandwidth limitation, so this kind of fraud still applices to this type of account users.
Case study 1 - Web fishing.
One day, Professor X’s friends suddenly received an email from him, saying Professor X has been arrested in some Eastern European country and urgently need some money to settle the matter, and please transfer certain amount of money to a particular account. Some of his closer friends after receiving the email felt worry and indeed transferred the set amount of money into that account. A few days later, they met with Professor X, and out of their surprise, Professor X never left Beijing, and Professor X himself did not know anything about the matter at all. After their investigation, Professor X finally remembered that he has an email account in “yahoo.com.cn” and there was an email sent to him from the so called “yahoo administration” informing him for the purpose of maintenance of his email account, his account name and password was needed, and following the administration’s instruction, Professor X submitted it. As Professor X does not use his email account very frequently, he never noticed his email account passwords have been changed and emails were sent out to his contacts from his account on time. As a result, he could not access his email anymore as it has been hijacked from someone else by changing his passwords, and his friend who wires the money to that account has all become the victims of fraud. Of course they reported the matter to the police immediately, but as the account they wired money to was an overseas account, thus there were limited things that the Beijing police could do. [5]
Web Shopping Fraud
This occurred when a seller depicted as a merchant online and selling a person a particular product with the condition of payment first then delivery of goods, just that the goods would never arrive to the hands of the buyer and the so called seller would just disappeared from the mighty cyber space.
Although this is a classic case of cyber crime, but the scam itself is nothing new. During the age of newspaper, this kind of fraud happened occasionally as well, just that under the computer age, online shopping websites and with the general characteristics of Internet, it made it much easier for the criminals to perform this kind of fraud online.
With the situation in China, web shopping fraud could be divided into three categories, one is fraud done from an online shopping website, such as Taobao (淘宝). The others is the criminal creates a website by himself, and or creating a passing off websites in depicting an established well reputable shopping website.
With the first kind of shopping fraud, now days you rarely sees them as most reputable online shopping websites, such as Taobao, or Alibaba (阿里巴巴)as they all developed their internal check and balance and insurance policy, and most of the trading on those websites are done by payment to the third party, such as “Zhi Fu Bao” (Payment Treasure) (支付宝). However, during the early days when China was still in developing of those online shopping companies, fraud was indeed a major concern with online purchase during that time. In fact, this kind of fraud does not only occurs in China, the author had an experience back in 2003 when the author was in Australia and won an auction from Ebay in the United State. However, after I paid the auctioneer by my credit card, the goods had never been sent to Australia and the auctioneer himself became uncontactable. Due to the fact that the amount of money involved in this matter was not that much, thus I did not take any action further. It was only after a few weeks, the police from an United States county contacted me about the matter and informed me that not only I was cheated, many other victims were involved in this scam as well, and he asked me if I can provide any information about the auction to them in assisting their investigation. I did, and that was the last time I heard anything about the matter. Again, that was happened almost 10 years ago, and although this kind of fraud does not happen that much anymore, but it still occurs from time to time.
The other form of online shopping fraud is the criminal himself creates a website, and used that website to fraud people. This actually has not been changed much since people used newspaper to create fraudulent advertisements. The only problem is due to the wide coverage of the Internet, such as towards the whole world, the power of such a scam could be very widespread and affects many potential victims. Another serious problem for this kind of website in China is that it is easy to create, easy to put in many fraudulent certificates to persuade people into believing the credibility of the website and with relative low cost. In addition, in many situations it would be difficult for the law enforcement to enforce against this kind of websites, as this kind of websites suddenly appears and disappears. For example, on 2007, Mr. Hu purchased a Sony laptop from a website based in Shanghai, after payment, a few days later he received the parcel but instead a Sony laptop, the box was full of washing powders, and the website disappeared and the seller became uncountable.[6] Currently, although the law enforcement agencies in China are endeavor to battle against this kind of websites and practice, but the reality is that a lot of this kind of cases still occurs every year. It is indeed almost fair to say in China, if you want to buy something from the Internet, unless you are dealing with the larger and more reputable online shopping webs, otherwise it would be Caveat Emptor!
The third type is creating a website that looks like a known reputable shopping website but actually is not. In another words, passing off or fake website for the purpose of fraud. Website passing off used to be a very serious problem in China, for example, a website may be deliberately created making people believing it to be the Apple Company online shop, but in fact it’s not. Once if you deal with this kind of so called “authentic online shop” then your interest are at the mercy of the criminals. It used to be a very serious problem in China, in fact not only the passing off of web shops, but in reality shop, there has also been cases of shops fraudulently passing off or even pretend to be the official shops for famous product brands. [7] However, after the effort by the Chinese government, now it is rarer to see a website deliberately pretend to be another reputable or famous web shops. However, for the less famous or less well-known web shops, the problem of passing off is still a problem widespread in the Chinese cyber space.
Generally speaking, web shopping fraud is a kind of fraud that covers so wide that the exact types of web shopping fraud is only limited by imagination. In fact, not only for the shopper to be defrauded, in many cases, the seller could also be defrauded by the buyer as well. For example, a buyer make a purchase with the seller first to gain his trust, and then order a large quantity of good from the seller and ask the seller to send the good first and then the buyer pay later. Usually for this type of arrangement, the seller would refuse it, but due to the fact of large amount and profit, and the two parties had done deals before, the seller may be agreeing to the arrangement. Then of course, the story as usual, once the goods has been sent to the buyer, the buyer would never pay and disappeared.
Misrepresentation of Goods in Web Shopping
Misrepresentation of goods means in a contract, the offeror and offoree thought they were dealing with the same subject matter but in fact were not. For example, the offeror offered to sell a plastic human skull, but the offoree thought the human skull offered were authentic human skull, thus completed the purchase, but later found out that although the subject matter is indeed a human skull, but not the authentic one that he was willing to buy.
The difference between misrepresentation and fraud is that in misrepresentation, the person who misrepresented the goods or services does not involve an explicit intention to cheat (Mens Rea). Although, the definition may be so, in practice, this may not be easy to prove whether if a particular online seller had the intention of deliberately misrepresenting the thing. When dealing with misrepresentation, on a pure legal analysis, that is without any ill intention, this may just be a contract law matter, e.g. without the meeting of mind, thus the contract entered between the seller and buyer may be void, therefore it is possible to ask the seller to refund any money that had already been paid for the misrepresented goods. If however, if the misrepresentation has been done deliberately, than this would be a kind of fraud.
Case study 2 - Wrong Teddy Dog.
On 2011, Ms. Lu from Qingdao, Shandong Province (山东省青岛市)saw some one advertising on the web offer to sell “Teddy Dog” (Toy Poodle) for RMB 1800, in which the market price for such kind of dog would cost around 4000 – 5000 RMB. After few rounds of bargain with the seller, Ms. Lu managed to bring down the price for the dog to RMB 800 and agreed upon by both parties. Originally Ms. Lu thought she got a bargain, but after the dog being shipped to her, she shockingly discovered that the dog is not a “Teddy Dog”, but just a normal dog that would worth no more than a few hundreds RMB. [8] Ms. Lu contacted the seller but the seller admitted no wrongdoing and refuses to refund.
With the case above, the seller never disappeared, just refused to admit any wrongdoing and due to the low lost suffered from Ms. Lu, she never bothered to take this matter into the court. However, if we analysis this case by purely legal means, than we can see although there was obviously a misunderstanding between the seller and Ms. Lu, it is that during the process of their bargain, whether if the seller realized the occurrence of a misunderstanding were amounting into a misrepresentation, at all or at any point? If the answer is positive, than this would be the seller doing something deliberate, and thus would be amounting into fraud. If not, then depends on the evidence based on the corresponding emails between both parties, an innocent misrepresentation may or may not be occurred.
Investment Scam
Investment scam is under the arena of white collar crime. Cyber investment scam basically has no difference between traditional investment scam and just like other areas of cyber fraud, once the Internet becomes the medium for such a scam, the width of the coverage for such scam suddenly becomes worldwide. Cyber investment scam usually involves with sending out emails or spreading news about a particular scheme, that once invested, the return would be exceptionally high. In China, a lot of investment scam websites are websites of share investment, lotto number prediction, company or business investments, etc. Some of this websites are a passing off websites making it to imitate famous legitimate investment houses; this area has been covered in fraud passing off mentioned above. Others are websites or email sender promoting certain investments usually with unreasonable high investment returns. A unique type of scheme in China is the so called “Lotto Number Prediction” website and this worth us to look at it closer.
China is a country against gambling, thus, no horse racing, casinos (not on the mainland) or kenos, etc. But out of this entire ban, the only lotto allowed in China is the so-called “Sports Lotto” (体育彩票). The reason that it is called the sports lotto is because other form of lotto is not allowed to run in China, but for the purpose of raising capital to support sports development, Lotto run by the sporting agency of China is allowed. This is the only form of lotto that is allowed in China. Basically there is no difference between this and other type of lotto which, every month they all draw winning numbers from different pin pong balls . In other words, this is a game of pure chance. The only problem is, Chinese people do not believe in the credibility of the lotto agency, and they always believes that there are insider information passing around with regards to the ultimate winning numbers. Therefore, under this mind set, websites claiming to be able to “predict” the winning numbers (e.g., having connections with high officials) starting to spur in the cyber world. In order to get their prediction service from those websites, people must purchase their membership first, with different level of membership cost differently, as VIP membership would cost the most. They will not just sell the insider winning numbers to their members, that would be purely illegal. What they do is that they will predict different sets of most possible winning numbers, and will let all members to “invest money” and purchase a large quantity of different set of numbers. If prize won, than they will divide the “dividends” to each member depending on how much you invest. [9]
As you can see, the prediction of sports lotto numbers and gather members to invest on the purchase of lotto tickets itself may not be illegal, after all the larger the purchase of numbers the bigger the chance of winning. The problem however exist when those websites claimed to use the investment funds from their members in purchasing lotto tickets but in fact they did not. They may use the money for their own use or pleasure as they may be act of theft.
Chapter Ⅲ: Cyber Theft
First of all, let us look at the general definition of theft in China. According to the People’s Republic of China Criminal Code, Article 264 provided us with a general definition with the behavior or theft. Article 264 stipulated these:
“Those who steal relatively large amounts of public or private property and money or have committed several thefts are to be sentenced to three years or fewer in prison or put under criminal detention or surveillance, in addition to fines; or are to be fined. Those stealing large amounts of property and money or involving in other serious cases are to be sentenced to three to 10 years in prison, in addition to fines. Those stealing extraordinarily large amounts of property and money or involving in especially serious cases are to be sentenced to 10 years or more in prison or given life sentences, in addition to fines or confiscation of property. Those falling in one or more of the following cases are to be given life sentence or sentenced to death, in addition to confiscation of property:
(1) Those stealing extraordinarily large amounts of money and property from financial institutions;
(2) those committing serious thefts of precious cultural relics.”
Thus, according to the above section, the main emphasis is money and property, or should say any property public or private with certain value. This article when deals with the normal conventional property is relatively straight forward, although there was a Constitutional issues with the recognition of “Private Property” used over here, but that disputed has been settled recently. [10] Accordingly, the obvious issue now is that whether if cyber property could be seen as property with value in the conventional senses.
In order to determine this, the PRC Criminal Code also provided regulations in regards to this, according to Article 287:
“Whoever uses a computer for financial fraud, theft, corruption, misappropriation of public funds, stealing state secrets, or other crimes is to be convicted and punished according to relevant regulations of this law.”
Based on this Article, the PRC Criminal Code does recognize the use of computer as a means of achieving the crime of theft, but not a single category as a kind of crime itself. So in other words, Article 287 recognized the use of computer as a means of committing a crime but the main body of such criminal behavior is still determined by Article 264. Based on this, when we look into cyber theft, the main question that must be asked is, what kind of property has been stolen and whether that property could be determined as property with value in the normal legal sense.
Before determine whether if one commits the crime of fraud, two requirements must be satisfied. The age requirement base of Chinese Criminal Code, and Mens Rea, the guilty mind, or based on the Chinese definition, “the subjective intention” of the perpetrator. The age requirement is 16 full age of a natural person. [11] The subjective intention requirement is a little bit interesting, the requirement is very much similar to the Mens Rea requirement of Common Law jurisdiction, that you must have guilty mind in able to commit a crime. [12] If one objectively satisfied a possible criminal behavior but without the subjective intent, although that person may not totally avoid criminal liability, but that person certainly would have a very good defense from the prosecution. The situation in China may not be as complicated as the Common Law requirements, but nevertheless, the subjective intention of the person being prosecuted still needs to be proven. The subjective intention requirements may not possess a lot of complication in the real world theft, but under a cyber scenario, in many situation the problem of subjective intention may not be easy to determine. For example, under the example of Peer to Peer (P2P) downloading. We all know, that under the Chinese law, uploading questionable materials, such as pornography or copyrighted movies onto the internet is illegal. [13] Download such kind of materials if for personal use, usually would not be seen as an illegal behavior, although the law in the area of downloading materials is not totally clear yet. One of the function of the P2P downloading, such as Bit download, etc is that while you are downloading a particular material, you are at the same time also uploading to the web for others to share. Thus, this comes to the problem, if you are downloading something, you may not know you are uploading at the same time, thus without “subjective intention”. So far this situation does not have any precedents at hand, but this is the type of cases happened in Taiwan, which will be discussed later when we deals with Internet pornography.
Now, lets us get back to the discussion of “property” and in the computer crime context, mainly pointing to “Personal Property”, itself for a while. According to The General Principles of the Civil Law of the People’s Republic of China (中华人民共和国民法通则), Article 75:
“A citizen’s personal property shall include his lawfully earned income, housing, saving, articles for daily use, art objects, books, reference materials, trees, livestock, as well as means of production the law permits a citizen to possess and other lawful property.
A citizen’s lawful property shall be protected by law, and no organization or individual may appropriate, encroach upon, destroy or illegally seal up, distrain, freeze or confiscate it.”
In other words, personal property in China, although does not have any finer definitions besides the Civil Code, it nevertheless could be interpreted as any type of personal belonging that possess certain monetary value that is capable under the law to be protected. Accordingly, this definition is fine with the traditional sense of theft, but this may or may not be easily applicable under the scenario of cyber theft. First of all, whether if the material being stolen via means of computer could be able to be determined as a property that is stealable? This is due to the reasons in three areas:
1. The materials that cyber theft steals could be intangible information, such as credit card numbers, passwords or transfer of funds, etc.
2. With respect to so called tangible materials stolen via computer means, we are mostly talking about cyber money, cyber service (eg, password for software updating) and equipment used in cyber games that could be traded with real money in real world. In other words, these materials when compare with materials that has been stolen in the conventional world, is still relatively “intangible”.
3. Regardless referring to point one or point two, how do you value those cyber properties? As we know from the Civil Code of China, you must be able to have a value first in respect to the property in question, before the things are capable of being stolen.
With the logic derived out from the three points above, the next question would be, how does one values the value of a cyber property in which is mostly intangible. As a result, when we talk about the value of the cyber property, the value type could be again further divided into four kinds.
First type - The property itself has a value, for example stolen money, transfer funds from a bank account via computer means.
Second type - The things that has been stolen is the key that leads into gaining or retrieving assets that are valuable. For example, the password of cyber bank account or any kind of password that leads to good or services that are being capable of being physically stolen in the real world.
Third type - Password that leads to certain communication account, such as QQ, Weibo or Wechat, etc, (Facebook are not connectable in China currently), in which itself does not have any set value, but may leads to things or information that may contains monetary values.
Fourth type – This is the kind of property that has the most disputed issues. It consists of equipment within the computer games that are tradable in the real world with real money. The main dispute for this kind of property is that can this type of assets be seen as real “property” and being protected under the relevant Chinese law? How do you value them?
With the first two types of cyber property, it has usually been regulated by Article 287 of the Criminal code and possibly Article 286 as well, which is the article dealing with hacking and cracking that would be discussed later in this chapter. This is because the amount of theft valued that is usually easier to determine with these two types of cyber theft, however when looking at the third and fourth type of cyber theft, it may not be so easy to prosecute, as usually the value of the damage suffered by the victim is not easy to determine, not to mention that with type four of the theft, whether if the things stolen could be seen as property is yet to be determined.
Let us look closely at type three of the cyber theft, not only in China, it is not rare to heard that people’s password of facebook, twetter or QQ, etc got stolen from the web, in fact some of us may personally experience this type of computer crime as well. A crime no doubt in most of the jurisdictions around the world, but in many time, the person who experienced such instances may chose not to make a fuss as it may be involving with lengthy investigation and usually lead to no conclusion. However, what if the account stolen in which the name of the account itself may be involved with a large amount of monetary values? For example, the most widely used cyber communication tool in China is the service know as QQ. The QQ service is basically a same type of service similar with MSN (now ceased to exist) or ICQ of earlier days (which still existing but not many people use it any more). Although superstitions, but there is a Chinese tradition that people loves lucky numbers, especially the number of 8 and 6, in which 8 means rich, and 6 means lucky in Chinese. [14]There was a funny incident back in 6 June, 2006, in which the date contains 666. During that day, a lot of western pregnant ladies panically asked their doctors to help them avoid their children born on that day (666 represents the devil in Christianity). On the other hand, at the same day, a lot of Chinese pregnant ladies rushed to the hospital in hope that their babies could be born on the 666 day.
Due to this kind of mentality, in Hong Kong, people are willing to spend a lot of money on car licence plate if the number of the plate consists of good numbers, such as 8 or 6s. Thus, the Hong Kong government reserves those so called “lucky number plates” for auction. Same kind of mentality happened in the Chinese cyber world, especially for those business people using their cyber account for business communications. The only problem is, it is not easy for someone to steal others people’s licence plate (even if got stolen the usefulness of the plate is minute), but it is quite easy to steal other people cyber account such as QQ. This can either be done by hacking or fishing, but currently there is not much of a law in China to sanction this kind of behavior besides Article 252 of the Criminal Code. Article 252 of the Criminal code provides this:
“Those infringing upon the citizens right of communication freedom by hiding, destroying, or illegally opening others’ letters, if the case is serious, are to be sentenced to one year or less in prison or put under criminal detention.”
In other words, this article mainly deals with the freedom of communication instead of computer related matters.
Case study 3 - QQ Account and Q coins thieves.
On 2005, Mr King [15] established three workshops in Liaoning province (辽宁省)and employed 11 person for the purpose of stealing QQ accounts and Q coins (which is a kind of cyber coin that could be purchased by real money for the purpose of beautify the QQ space, as it is a blog space allocated to the user once the QQ account are being applied ) by the means of sending Torjan House software. Mr King pays his so-called employees by 5 cents RMB with every QQ account and Q coins they steal. The case report did not say how many accounts and coins were stolen, but one of his employee actually received 7000 RMB within a single month as payment, thus one can do the math on how many accounts and coins was stolen by those racketeers. After Mr King steals all those accounts and coins, he then sold all of them to another person Mr Yue. [16]
After those people’s behavior discovered by the legal authority and arrested by the police, the issues then arose on what kind of legal reasoning should the authority prosecute them with? First of all, is QQ account and QQ coins can be seen as a kind of property that can be protected under Civil code and Criminal Code? [17] It was submitted that QQ accounts and QQ coins although possess certain values, especially with the QQ coins, which could be purchased with real world money, the value of them is however uncertain and difficult to determine, therefore could not be seen as a kind of legal property that are protected under the law. [18] Although, it was determined by the court that those suspects steals things that is not possible to be stolen as the property involved in the case is not protected by the law, however the behavior from those suspects are definitely wrong and must be punished accordingly. After some thought by the court, the judge used the reason based on Article 252 of the Criminal Code for obstructing people’s freedom of communication. Thus, all the suspects involved in this case had been sentenced from 6 months to 1 year (which is the maximum sentence under this category of crime).
Although the case above has been settled and became one of the important precedents for this type of cyber theft in recent years, however this case has actually created more problems than solving them. First of all, there has not been any difference in the sentence between stealing 10 Internet accounts and stealing 10,000 internet accounts, the maximum sentencing is always 1 year. Of course, if the person who not only steals these accounts but also used the private information within those account for gaining profit, they would be then penalized under Internet hacking, which will be discussed in the next section. Generally speaking, the penalty for stealing Internet accounts is a bit weak. In addition to this, as the law so far does not recognize Internet account and Internet coins for the purpose of perfecting the account as a kind of legal property that is protected under the law, as such it would not only affect the criminal sanctions for such kind of behavior, it would also creates obstacles in respect to civil remedies (Torts) that the victims may be willing to taking in. Therefore, so far in China, if you spent an arm and a leg for a particular QQ account which is made up with magnificent lucky numbers and it got stolen, what would be your remedies? Tortuously speaking you will not have any remedies which means you will not get your money back, and criminally if you are lucky enough that your account has been stolen together with a large number of others, then the police may be willing to investigate into it and someone may ends up in the prison for a while. Even though it might make you feel better, but you may not have any substantial remedy.
Finally with the fourth type of cyber stealing mentioned above, which is the equipment within the computer games that are tradeble in the real world with real money. This problem is similar to QQ accounts and QQ coins, how do you value them? One can only has his property being stolen if that property is protactable under the law with a recognizable value. Besides that, with those cyber game instrument, most of them are not purchased by the players, they are earned by them with a huge amount of efforts, time and skills putting in by playing those games, and in fact purchasing those game equipment with money are really a kind of short cut way of playing the game. So how do you recognize the value with cyber equipments from a computer game? The valuation of cyber equipment or any cyber assets is a bit like the standard of care in Torts, that is you must find something to judge against first. There are five opinions when dealing with the valuation of cyber properties:
1. According to the amount of time, efforts, and money put into gaining those cyber game equipments. In other words, regardless one acquire the equipment is by pure money or earned with a lot of input of time, efforts and skills, all of these should be taking into consideration when valuing those assets.
2. Only consider the monetary values of those cyber equipments. In other words, those more abstractive elements, such as time, efforts, skills will not be considered.
3. An objective person test, same as the first one, but considered on how much values would an “objective person” put in to acquire such cyber equipment.
4. The selling price from that theInternet game company set for those cyber equipments if purchase directly from them.
5. The sold price from the thief when they resell those stolen cyber equipments to others.
Currently, based on several cases happened in recent years, the court seems to be leaning towards the first type of opinion, that is will take in time, efforts and money spent from the victims for them to acquire those cyber game equipments.
Case study 4 - Cyber game equipment thief.
On 2006 in Zhejian province (浙江省), the city of Ningbo (宁波市) handled by the Ningbo district court, a case happened as someone’s cyber game account was stolen. The defendant Zhang Bin(张斌)in this case was accused of selling a particular game account know as “Heaven 1st ” for the price of 4800 RMB. After he sold that account, he then hack back into the system and stole back the particular account to himself. The plaintiff reported to the police and accordingly and the defendant was arrested by the police. In the prosecutor’s opinion, cyber property should be seen as a kind of immovable property that can be purchase or sold either with monetary consideration or not, therefore should be treated as a kind of property with value and should be protected by the law. Thus, the behavior of Zhang Bin should be seen committed the crime of theft under the Criminal Code and the court agreed with the prosecutor and sentenced Zhang Bin imprisonment for one year with a fine of 5000 RMB. [19]
This is one of the case that recognize cyber theft as a crime and recognized cyber equipments (accounts, equipments, status, etc) as a kind of legal property as long as it is tradable in the real world, however as China is not a Common Law country, this kind of precedents usually serves only limited persuasive value towards other similar cases occurred later.
Chapter Ⅳ: Hacker
Hacker originally got the name from a group of computer engineers from the Massachusetts Institute of Technology during the 1960s as they analyze, study and perfecting the computer system, and others calls them hackers. [20] Thus, one can see, the original name of hackers are actually a name of praise instead of denounce. These are the technical people who worked for the aim of improving computer and Internet system as a whole. Just like a sword with a double edge, if one side works for good, the other side may works for the bad. Although originally the people known as hackers may be working under good will, but they do possess a lot of technical powers in which if misused may create havoc towards the cyber world. The human nature is similar to the double edge sword in which eventually, for the purpose of gaining money, power, self-satisfaction, etc some hackers may cross over to the other side of the line. Originally, hackers are mostly good, but some hackers went to the wrong side are known as “crackers”, and crackers are those people who creates a lot of mischief on the Internet. In recent years, the line between hackers and crackers are not that clear anymore, and more and more people refer crackers as hackers, as such hackers and crackers are originally two different groups but now they had been emerged into one. Thus, now a days when we say the word hackers, we refereed to those people who creates havoc on the Internet, such as virus making, stealing confidential information, system crasher, etc.
Currently, when we look at hackers, we can basically divide them into three different categories.
1. Hacker grouped themselves under patriotic reasons.
2. Hackers acted solo for no other reason but booting self-esteem.
3. Hacker acted either group or solo for illegal purpose.
First of all, let us look at those so called patriotic hackers. China’s Internet only became widespread and available to the public around 1996. Before 1996 although Internet was available, but it was very expansive and mostly available only to the institutions. Around 1996, the largest Internet provider China Telecom (a large State Owned Enterprise) (中国电信)dramatically decrease the price for the Internet service, it was then Internet became widely available and created the birth bed for hackers in China. [21] It was on May 1999 when the U.S. bomber mistakenly bombed the Chinese embassy in the former Yugoslavia for the Chinese patriotic hackers to group up and honed their skills. Those Chinese hackers formed an Internet alliance and called themselves “The Chinese Red Hackers” (中国红客)and started to attack the U.S websites and email providers. As a result, a large numbers of U.S email providers and Internet service providers was paralyzed by those attacks. From 1999 till now, those Red Hackers became more sophisticated and skillful. They will appear whenever there is political incidents whenever China clashes with other countries, such as United States or Japan. [22] Recently there is a claim that some of these Red Hackers has been absorbed by the Chinese government for strategic cyber warfare purpose. [23]
With the fist type of patriotic hackers, their behavior is obvious illegal under the Chinese law, but for most of the time, it is a political matter rather than legal. With respect to the rest of the two types of hackers, it is totally illegal. Therefore, let us look at what kind of law sanctions for this type of behavior in China. According to the People’s Republic of China Criminal Code Article 285 and 286:
Article 285 Whoever, in violation of State regulations, invades the computer information system in the fields of state affairs, national defense construction or sophisticated science and technology shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention.
Article 286 Whoever, in violation of State regulations, cancels, alters, increases or jams the functions of the computer information system, thereby making it impossible for the system to operate normally, if the consequences are serious, shall be sentenced to fixed-term imprisonment of not more than five years or criminal detention; if the consequences are especially serious, he shall be sentenced to fixed-term imprisonment of not less than five years.
Whoever, in violation of State regulations, cancels, alters or increases the data stored in or handled or transmitted by the computer information system or its application program, if the consequences are serious, shall be punished in accordance with the provisions of the preceding paragraph.
Whoever intentionally creates or spreads destructive programs such as the computer viruses, thus affecting the normal operation of the computer system, if the consequences are serious, shall be punished in accordance with the provisions of the first paragraph.
Based on these two articles, we get two observations, first is that besides spreading virus, it does not seem to require Mens Rea when one committed the crime of hacking in the sense of spreading virus into other people’s system and altered their data. This means, the prosecutor does not need to prove whether if a defendant was aiming at hacking into other people’s system, as long as those result are the consequence of your behavior, than you would be guilty under such crime. However, on the other hand with spreading virus, Mens Rea is required, which means intention must be proven by the prosecution. A situation may be that one may design a particular program for the benefit of some purpose, but it ends up turning into a virus and spread out and damaged many computer systems, if this is the case, then that person’s may have a defense.
With respect to the problem of hacking, there is another problem. The Criminal Code stipulated that only a person over the age of 16 years old is liable criminally under the code. This is a typical example of when old mentality meeting with a new problem, as computer crime is not like the traditional crime that may needs a lot of physical strength in able to commit such crime, cyber crime is a kind of intellectual crime that could be performed by people at very young age, such as elementary school students or under 16 years of age. But the dilemma is that it may not be fair and reasonable for the legislature to lower the age of penalties for this particular type of crime. Thus, currently how to solve and deter the problem of under age hackers is a topic that is still heatedly debate in China.
Case study 5 - Underage hacker.
On 2007, there was a hacker under the age of 16 (identity withheld) created a computer virus called “Rabbit Baby” and he put that virus on his blog space. This virus was extremely aggressive and destructive, although is scannable by anti - virus software, but once infected, the damaged data could not be restored. This type of virus was not made for profitable purpose, but for bragging his skill and know how on in the cyber world. As the virus spread widely and authority was involved with the investigation, finally the minor was arrested by the police. As based on Article 17 of the Criminal Code, he was under age and could not be liable criminally, and accordingly the minor was released and no penalty had be applied to this offender. [24]
Chapter Ⅴ:Defamation
Defamation is where people’s reputation gets defamed either intentionally or otherwise via either slander or libel. In which slander is usually by depleting people’s reputation by images while libel is by words. These could also be done by directly attack people’s reputation or by innuendo and the information used to defame others must be false information. [25] With the requirement of defamation, those injurious words or images must be spread to the public, and the meaning of the injurious substance must be relatively understandable by the public who receives it. The tradition medium for spreading such injurious substance is via newspapers, radio board cast, magazines, sculptures, etc. With the development of the Internet, it almost over take all of the functions of the traditional mediums and thus became one of the most important field of battlement for defamation.
Defamation has been well developed in the Common Law jurisdictions, for example under the Fourth Amendment of the United States Constitution Law [26], but it is interesting to note that in the United Kingdom, traditionally there was no protection of privacy under the English law and only have some protection in the area of “breach of confidence”. This has influenced through out the Commonwealth countries, such as Australia. In Australia, although no general protection in the Common Law, but since the enactment of the Privacy Act 1988 (Cth), privacy principles are now protected under the statute.[27] In the Great Britain, it was the enactment of the Human Right Act 1998 in which implemented the European Convention on Human Rights into the UK law, as the European Convention on Human Rights required privacy principles, thus now there are also Privacy principles in the UK in de facto. [28]
Privacy is regulated in the Chinese law both criminally and civilly. Earlier in this chapter, the author mentioned that in China, when we talk about cyber wrongs, most of the time we are talking about cyber crimes because usually civil compensations is insufficient for the victims in China and most importantly, it would be very difficult for a victim to prove his case if the police was not involved and the police usually does not involve in civil litigation. On the other hand, defamation is different. There are many cases that has been successfully litigated directly from civil litigation based on the Tort law in China, while others may be sued by the public prosecutor criminally in the first instance and later the victims would used the criminal evidence for them to prove damange in civil law suit.
Criminally speaking, the law governs this area is Article 246 of the Criminal Code. In which it stipulated as:
“ Whoever, by violence or other methods, publicly humiliates another person or invent stories to defame him, if the circumstances are serious, shall be sentenced to fixed-term imprisonment of no more than three years, criminal detention, public surveillance or deprivation of political rights.
The crime mentioned in the preceding paragraph shall be handled only upon complaint, except where serious harm is done to public order or to the interests of the State.”
And on 2013 with the application of “ Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Specific Application of Law in the Handling of Defamation though Information Networks and Other Criminal Cases” (最高人民法院、最高人民检察院关于办理利用信息网络实施诽谤等刑事案件适用法律若干问题的解释)with 10 Articles in which provided an detail guidelines for the court to determine defamation cases. The more interesting part with this interpretation is Article 2.1 in which it stipulates: Any of the following circumstances of defaming another person through an information network shall be deemed as a “serious circumstance” as mentioned in paragraph 1, Article 246 of the Criminal Code - the same defamatory information is actually clicked or browsed for more than 5,000 times or is forwarded form more than 500 times.”
There are a lot of discussions on how does one determine that a particular message has been browsed more than 5,000 times and forwarded for more than 500 times, and the real agenda for such an interpretation as a whole issued by the Supreme People’s Court. [29] It is submitted that most of the recent important defamation cases has been determined before the implementation of such interpretation. We will discuss this a bit later.
With tortious remedies, the main statute govern this area is the Tort Law of the People’s Republic of China 2010. Article 36, in which stipulates:
“A network user or network service provider who infringes upon the civil right or interest of another person through network shall assume the tort liability.
Where a network user commits a tort through the network services, the victim of the tort shall be entitled to notify the network service provider to take such necessary measures as deletion, block or disconnection. If, after being notified, the network service provider fails to take necessary measures in a timely manner, it shall be jointly and severally liable for any additional harm with the network user.
Where a network service provider knows that a network user is infringing upon a civil right or interest of another person through its network services, and fails to take necessary measures, it shall be jointly and severally liable for any additional harm with the network user.”
This Article actually put both the person using the network to defame others and the service provider equally liable if the service provider knew that its client is using their service to infringe on other people’s right and did nothing about it.
Regardless criminal or torts, the problem for cyber defamation compare with the tradition form of defamation is that first of all, it is anonymous. Recently the government are forcing people to register with real name when using Internet, [30] but compare with the traditional form of information medium, such as newspapers, the Internet is still very much more anonymous. As people knew that they can hide their identity behind the net, they are much more willing to speak irresponsibly. Secondly, it spread very quickly. When someone wrote something silly in China on the Internet, a person in the United Kingdom may be reading it only seconds later. Till 2013, there are 590,560,000 Internet users in China, thus one can see the defamed information on the Internet not only could travel very fast, but also very widely as well. [31]
With the general principle of defamation, a person may defame another person either intentionally or negligently if objectively speaking the person who was defamed has their reputation damaged. One thing interesting about China’s defamation law is that it is leaning more towards an intentional defamation, because according to Article 246 of the Criminal Code, “...with person who invent story who defame him”, it would be difficult to invent (and most likely be false) a story without intentionally doing so. Besides this, a government body or a company could not be defamed because a government body or a company does not have the right of personality based on German Civil Law type legal principle (which China is a type of it). In other words, in China only a natural person could be defamed. Unlike under the Common Law jurisdictions, the government could not be defamed based on public interest, but a company certainly could sue for defamation, if not injurious falsehood. The problem about company reputations in China would be looked at in the next section when we talk about cyber hyper and cyber hitman.
Case study 6 - The Sone Zue De defamation case.
A movie director named Sone Zue De (宋祖德)and his brother Liu Xin Da (刘信达)operating a blog in Sina net in which they like to disclose other show business people’s private affairs on his blog for the purpose of getting attention, and a lot of these so called information about other show biz people’s gossip are false information. For example, movie star A is having an affair while movie star B is a gay, etc. For a while, other people affected by him just ignored him, and thus made him bolder and bolder. On October 2008, a famous movie director Mr. Xie Jin (谢晋)suddenly passed away, and Sone started to make up nasty stories about Mr. Xie’s private life. According to his blog, he accused Mr. Xie had an inter-marital affairs with another movie star Ms. Liu Xiao Qin,(刘晓庆), and they had an illegitimate child who was born to be brain paralyzed. He said they put their son overseas and the son is now 21 years of age and are taking care by a maid. He then used some very nasty and explicit words to describe their so-called son’s daily life involving eating human feces(??) etc. Later Sone’s brother Liu Xin Da published another article on his blog, suggesting Mr. Xie died because of seeing prostitutes, and he is willing to testify on such claim. In fact, all of these accusations were false and were made up by the two brothers for the purpose of gaining attention. As such, the widow of Mr. Xie sued both brothers for defamation under civil jurisdictions, and the Shanghai Jinan district court held the two brothers defamed Mr. Xie, and should publicly apologize on the Internet and public media, pay damage for 89951.62 RMB and 200,000 for psychological harm to Mr. Xie’s widow. At the same time, Sina net also shut down the brother’s blog and refuse to let them open any other new blogs in their service. [32]
This case is one of the most famous defamation cases in recent years, and it did deter people trying to get attention by defaming other people. There is a bad tendency in recent China, that is if people want to become famous in the entertainment business, they must firstly gain attention from the public, regardless if the attention is good or bad. We will elaborate more on this when we discuss Internet phonograph later. The good thing comes out for this case is that the Song brothers disappeared form the public eyes, perhaps this is not what they were hoping to achieve originally when they decided to defame other in gaining their own fame.
Case study 7 - Defaming the government.
The case study here is not only referring to one case, in fact it consist a number of cases with a similar material facts, but the main issues are the same, that is defamation towards the government. The material facts are usually of someone complains about some disfunctioning of some governmental departments or government officials (usually the level of provincial or local government) to the relevant authorities, such as the court, and when their complaint did not get the proper attention with those authorities, they put their complaint on the Internet. Once when the public got aware with the complaint, the government or the official got angry and arrest those complainants and put them into the prison with the reason of “defaming the government”. Another problem with these types of cases is that usually what the complaint complains has been proven later to be true. Quite a few of these cases occurred in recent China, for example, the “Ling Bo case” (灵宝案)2008 [33], “Peng Shui Poem case” (彭水诗案)2007 [34] and “Cao County case” (曹县案)2009 [35], etc. Generally speaking, someone complains the government on the Internet on something that is true, and the government got angered and arrest then imprisonment them for defaming the government.
With this kind of situation, it is in fact more political than legal, it is very clear that based on Chinese law, as said before, the government could not be defamed because it does not possess a right of personality like natural persons. Also, it is a general defense for defamation universally if the so-called “defamed statements” is in fact true. Therefore, besides the governmental abuse of authority, the government really does not have any standing to arrest those people. In addition to that with Article 41 of the People’s Republic of China Constitution:
“Citizens of the People's Republic of China have the right to criticize and make suggestions regarding any State organ or functionary. Citizens have the right to make to relevant State organs complaints or charges against, or exposures of, any State organ or functionary for violation of law or dereliction of duty; but fabrication or distortion of facts for purposes of libel or false incrimination is prohibited.
The State organ concerned must, in a responsible manner and by ascertaining the facts, deal with the complaints, charges or exposures made by citizens. No one may suppress such complaints, charges and exposures or retaliate against the citizens making them.
Citizens who have suffered losses as a result of infringement of their civic rights by any State organ or functionary have the right to compensation in accordance with the provisions of law.”
Thus accordingly the government’s behavior was not only contravene with the normal legal principles, but also unconstitutional. It is true that with most of these cases, most of the arrested person was released and some of them got compensated for wrongful detention. The only problem was that the compensation was quite unproportional compared with the ordeal they went through. In the “Ling Bo case”, the defendant Mr. Wang, was arrested and imprisoned, but the compensation for his wrongful arrest was only 783 dollars RMB (Around $25 USD).
Chapter Ⅵ: Cyber Hyper
The practice for cyber hyper and are currently not illegal in China but may be morally questionable. Cyber hyper means people create a publicity stunt on the web for achieving a particular purpose usually aim at making someone or some company famous. The motto for those cyber hypers is that in able to get one person famous, the person must gain public attention first, regardless whether that attention is a good or bad. In fact, bad attention unless illegal, will always makes the public remember the person more. Thus, those cyber hypers are always playing the matter onto the legal borderline and stretch the public’s moral nerve onto its limits.
The most famous cyber hyper case is the case known as the “Furong Sister’s” case (芙蓉姐姐). From August 2002 till early 2004, there was an ID named “huobingker” registered in the Peking University (北京大学)Weiyan BBS (未名BBS). This girl, keep sending her own sexy pictures onto the forum and claiming she is the most beautiful lady in China. Later she post her pictures onto the Tsinghua University (清华大学)BBS (水木清华) and a few other general forums as well. Then, she successfully stirred up a heated debate on her behavior, and finally got the attention she wanted. She then began to engage with show business agencies and entered the show business world and became an actor and advertiser. At one stage, she was the most famous person on the Chinese Internet (even Taiwan and Hong Kong noticed her), and at the peak of her fame around 2005, her phenomenon was actually reported by the “Time Magazine” and various other international news medias. [36] Although her behavior was not illegal, but according to the Chinese government’s eyes, it does not create a positive imagine for China, thus as the Propaganda Ministry (中国共产党中央宣传部) kicks in, the whole phenomenon died out quickly, but Furong Sister had already successfully entered the entertainment industry and today is still working as an actor (not very successful though). [37] In another words, she got what she wants!
The problem with the Furong Sister phenomenon has only been clear recently about how it could possibly happened. It was not like what people originally thought that some girl throws her pictures around onto the Internet for showing off purpose and the whole matter got out of hand. It was in fact a precise project designed by a cyber hyper know as Mr. Chen Mo(陈墨). He is an Internet advertiser, planner and runs an Internet advertising agency. Furong Sister was his most proud product in which during the Furong Sister phenomenon, every step was carefully calculated and planned by him. [38] Since the Furong Sister phenomenon, Mr. Chen became very famous and it brought a lot of business into his firm.
Furong Sister’s phenomenon was the first and most famous cyber hyper case, after the Furong case, many similar cases appeared, such as “Hooligan Swallow” 2005, “February Girl” 2006, “The Most Pretty Cleaner” 2008, etc. There are many more of them and they all are pushed by cyber hypers for the purpose to make their products famous. Thus, is the behavior of cyber hypers illegal? On August 2013, the Chinese government arrested two famous cyber hypers known as “Li Er Chai Si” and “Qin Huo Huo” for spreading rumors and defaming public figure.[39] This is interesting because the concept between “cyber hyper” and “spreading rumors and defame public figure” is actually two different things and this case itself still does not provide with us a clear picture of the legality on the behavior of cyber hyper.
Traditional Order and Value
Therefore, where is the fine line between cyber hypers and cyber advertisers? It looks like they are trying to achieve the same result? Perhaps the division between them is not a legal one but a moral one and should be dealt with a “Traditional Order and Value” (公序良俗), which was originally a concept derive from the Roman Law, and now incorporated into the principles of the general rules of civil law in Japan, France, Taiwan and Mainland China, etc.[40] When talking about this traditional order and value requirement, the most area that this may arise in practice is actually under the Chinese inheritance law, with dealing with will. There are many instance, for example, the husband dies and in the will left all property to his mistress instead of his widow and children. The most famous case happened in 2001 Luzhou City (泸州市)a man live with his girlfriend for many years and they even had a daughter but the man never divorced his estrange wife, when he died, he left all his property to his girlfriend. His legal wife and children contested the legality of his testamentary, this was later up held by the court under the reason of against tradition order and value, and the testator’s girlfriend got nothing. [41] This case had a lot of debate even till today, as man scholar suggest the verdict of that case was not a fair one, as the testator’s girlfriend should at least get a portion of the property. Other kind of testamentary, such as the testator leaving all the property to his or her care taker instead of their spouse or ken. This kind of testamentary has a lot of debate towards it, and the most famous one was occurred in 2001, in Hang Zhou (杭州市), where a old man left all his property to his employed care taker (a young girl), instead of his daughters, and it was upheld by the court as a legitimate testamentary.[42]
We are not dealing with inheritance law here, but the author thinks the concept of this “Traditional Order and Value” can also applies here with cyber hypers, because in most of the time, the behavior of cyber hype does not against the law, but it really depends what kind of drastic action they do to draw people’s attention. Some of their behaviors, eg, half naked in a populated place, may not be against the law per se, but certainly are not following the normal people’s standard values.
Chapter Ⅶ: Cyber Hitman
Cyber hitman which means people or group of people who defame or falsely accuse a person or company for the purpose of destroying their reputation for political or commercial reasons. This is very similar to the situation of Malicious Falsehood under the Common Law defamation, but just that as mentioned earlier, China so far does not have remedies for defamation against the company regardless with business reputation or not. It is important to note, although China does not have the civil remedies for Malicious Falsehood, but there is Article 221 of the Criminal Code in which stipulates a crime of disrupting market order. According to Article 221 of the Criminal Code:
“Article 221 Whoever fabricates stories and spreads them to damage another person's business credit or commodity reputation, if heavy losses are caused to the person, or if there are other serious circumstances, shall be sentenced to fixed-term imprisonment of not more than two years or criminal detention and shall also, or shall only, be fined.”
Case study 8 - The Yili QQ star milk.
On July 14th, 2010, there was an article published on various newspapers about “deep sea fish oil usually possessed health problems”. On July 27th, 2010, there was an ID named “Young Mother” appears on a lot of Internet forums, asking the same question, “My baby just weaned, is Yili Dairy QQ star milk (A branded milk in China) (伊利QQ星)safe for baby to drink as alternative to breast feeding?” not for a while someone replied, “You did not know? Yili’s QQ Star milk actually had the ingredient of deep-sea fish oil, it will make your baby sexually premature, do not let your baby drink that milk”. Then later, someone further on the net stipulates that his son because of drinking Yili QQ star milk is now growing facial hair. This kind of statements was not only appeared once or twice, it actually appeared hundreds of time in various forums. As the result of these negative publicity, all of the parents were shocked and the sale of Yili QQ star milk dropped like a falling stone. [43]
Yili Dairy (伊利乳业)reported the incident to the police, and after the police investigation, it was discovered that the whole matter was planned by An Yong (安勇), an employee of Mengniu Dairy (蒙牛乳业) (product manager), a major competitor of Yili Dairy, together with Bo Si Zhi Public Relation Company (北京博思智奇公关顾问公司)which is the PR company usually works with Mengniu Dairy. As a result, An Yong, and Hao Li Ping (郝历平), Zhao Ning (赵宁)and Ma Yeh (马野)of the Bo Si Zhi Public Relation Company were all arrested accordingly.
In the Yili case, those people involved were arrested based on Article 221 of the Criminal Code as mentioned earlier, however there was no evidence to suggest that Mengniu Dairy Company actually knew the its product manager An Yong were involved with such behavior, thus it has been seen as the behavior of An Yong independently, thus the Mengniu Dairy company escaped the liabilities. Therefore, currently in China, there is a lot of suggestion that there should be a Malicious Falsehood Article being implemented into the Chinese Tort Law, in which currently there is not any. In other words, this kind of behavior should be de-criminalized with more emphasize on its civil liabilities in which large amount of damage may be the key to discourage these kind of practice.
Chapter Ⅷ: Cyber Pornography
According to Article 367 of the Criminal Code:
“For the purpose of this Law, pornographic materials refer to obscene books, periodicals, movies, video-and audio-tapes, pictures, etc. that explicitly portray sexual behavior or undisguisedly publicize pornographic materials.
Scientific works on human physiology or medical knowledge are not pornographic materials.
Literary and art works of artistic value which contain erotic contents shall not be regarded as pornographic materials.”
The Criminal Code in this regards is the mother law regulating this area, there is a further interpretation provided by the Supreme People’s Court: “Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues concerning the Concrete Application of Law in the Handling of Criminal Cases of Making, Reproducing, Publishing, Selling and Spreading Pornographic Electronic Information by Means of the Internet, Terminal of Mobile Communications and Sound Message Stations” 2004. In which this interpretation mainly deals with providing pornographic materials via Internet for commercial purpose.
The above two laws are the legal reasoning that several Internet pornographic crack down based in recent years. The most recent Internet porno crack down has been taken place in 2014 organized by the “Anti Piracy and Pornography Working Committee” (扫黄打非工作小组办公室)which is a governmental working group, the “Office of National Internet Information” (国家互联网信息办公室), the “Ministry of Industry and Information Technology” (工业和信息化部)and the “Ministry of Public Security” (公安部) in cooperation with each other for the purpose of cracking down on piracy works and pornography. [44]
Basically, pornography materials consist of article of words, pictures, films, etc. There are a huge number of materials providing the description on what can be seen as pornography, thus the author will not put in too much emphasize on this. Generally speaking once you see one, you will know its porno or not. The interesting question here is China does not allow this kind of materials to be freely circulated. At this point it is important to note that when we talk about Internet pornography, it is different to cyber erotic services. Cyber erotic service, which may be involving with prostitution is actually using the Internet as a means of communication or advertisement for the purpose of providing services. This situation in fact is just like swapping the traditional yellow pages into Internet catalogs and whether if this action is legal or not, depends on the jurisdiction of the country on whether if prostitution is legal or not. Currently, prostitution is illegal in China, thus cyber erotic service is also illegal as well. [45]
The problem for Interment pornography is that it is very easy to get access to. Unlike the traditional means of supply, one can put certain restrictions on who can access on those materials, for example, in Australia, under aged people are not allowed to enter certain kind of book shop or purchase certain rated films, etc. On the Internet, although it is possible to establish a classification system, or using parenting software individually, but with the nature of the Internet, it is still difficult to totally restrict under aged people accessing them. This is the main reason provided by the Chinese government for a blanket ban on pornography materials in able to protect under age children.
It is a fact that the Chinese society is much more open than the days where the open policy during the 1980s just implemented, thus people is much more tolerate with this kind of materials now days. As such, there was always a debate on whether if pornography materials should be ban at all or at least partly lifted if the age classification system could be established and implemented. Also, the Internet is a world wide web, that means it does not have a true border. Therefore, even if China has the toughest ban on such kind of materials, a lot of them still managed to hop over the Chinese great fire wall into China from Japan and United States.[46] One indication could be that, one of the Japanese adult video actor Aoi Sora (AV女优 - 苍井空)became a celebrity in which has some 400,000 fans chasing her in China. The simple logic is if one did not see her adult film before, how does one felt the attraction of becoming her fans?
Thus, generally speaking, when we talk about the cyber pornography problem in China, we should really divide up the problem into two parts, the providers and the users. In terms of the providers, they can be divided into domestic providers and overseas providers. In the early days, the original domestic pornographic providers were using porno materials in their web site to attract people’s viewing in order to sell advertisements, but they later discover that selling pornographic materials or organizing club membership is much more profitable. As a result, many of them then turned into cyber clubs and selling memberships for profit. [47] This kind of domestic providers has been cracked down in recent years and not many of them exist any more. It is however that some of the surviving website masters then moved their web server into overseas to avoid the crack down, mostly the United States, which is a country where this kind of websites could be legally exist (unless pornographic materials concerning with under aged person). They are now be considered as overseas providers, because due to the problem of the Chinese great fire wall, it is rarely that the Chinese people will get directly over to the porno websites that is run overseas domestically and not aimed at the Chinese users. In addition to that, these overseas Chinese porno websites will actively find ways to overcome the Chinese great fire wall, thus made domestic Chinese still able to access them. Currently, few of these overseas Chinese porno websites still operating strong, in fact due to their effort, almost every new Japanese adult video produced, within a month, the Chinese users are able to watch it in China, and some of it are totally free!
Now let us turn to the users of those cyber pornography. Is it legal to watch those cyber pornography privately? If not for commercial gaining purpose, currently there seems to be no law suggesting that one cannot watch those materials in private circumstances. Of course, one cannot watch those stuff in public place or in public office, etc, but those are behaviors prohibited by other means of law, such as public order or sexual harassment law, and is the normal practice even for countries like the United States where cyber pornography are legal. Thus, it is fair to say that in China, watching those cyber pornography may be morally questionable but not legally forbidden. However, is that always the case?
Case study 9 - Watching porno in private dwelling.
On 31 December, 2002, in Shanxi Province Yanan city (陕西延安), there were a couple watching porno movies at home just before the new year bell of 2003. For some reason, the police noticed that they were watching “illegitimate stuff “ (there was suggestions that someone reported to the police). Then the police busted into their door and arrested the couple, and later the husband was put into detention. The only problem was that the police could not find a reason to charge the husband, as every law in China in this area suggests one cannot sell, duplicate, transfer such movies, but none of those law expressly indicate one cannot watch them. There was a huge debate about this in the society and finally after a few days of detention, the husband was released and the local police department apologized to the couple. [48]
This case was a very famous case and an important precedent as well, so now a days in China, watching porno movies at home is a bit like the legal arrangements back at the Prohibition days in the United States under the Volstead Act, where one can not produce, sell, transfer, supply, but for some reason if you got a bottle of Whiskey and drink it at your home, then it would be alright.
Now we know that watching porno at home may be alright, but what about downloading cyber pornography? We understood that based on the 2004 interpretation from the Supreme People’s Court, one not suppose to “reproduce” porno materials, so as such is downloading porno films or pictures an act of reproducing? This is very ambiguous indeed, and much has been debated about this in recent China and most of the intellectuals are leaning towards even if seen download as a kind of reproduction, then reproduction for private use does not contravene the law. It is however important to note that in recent year, a few person has been fined by the police for downloading porno materials on the net, but they are usually heatedly disputed and ends up in nothing definite. [49] There is actually a joke in China saying that, if downloading porno material is illegal, then most of the web users would be arrested.
So downloading pornography materials may be all right with the law, what about uploading? Uploading is totally different from downloading. It is clearly illegal, as it is specifically forbidden by the 2004 interpretation from the Supreme People’s Court as a form of “spreading pornography materials”. Indeed, quite a few cases already exist as people uploading porno materials for all sorts of reasons and ends up being arrested. [50] Thus, uploading porno materials is definitely illegal. But what about if one did not intentionally uploading those materials but it was uploaded automatically due to software problems or design?
Case study 10 - Li Zhong Rei drug and rape case.
This case was not happened in Mainland China, but in Taiwan. On 2012, there was this guy named Li Zhong Rei (李宗瑞), who was a rich second generation and his whole aim of life was drinking at the pub and taking girls back home afterwards. What happened to this guy was that after taken those girls back home, he drugged them, had sex with them and filming it while those girls were unconscious. He then collected those films, stored it in his computer and later will use it to brag with his friends. About 30 girls were fallen prey to him. It was July 2012 that two sisters discovered they were being drugged and raped by Li and brought this case to police investigation, and thus, the whole matter were discovered and consequently Li was charged by the prosecutor. Li was charged under the Taiwanese Criminal Code with rape and interference with right of private secrecy among others things. Due to the fact that his crime was particular serious as more than 30 victims were involved, he was then sentenced for 30 years imprisonment. [51]
The area that we are concerning is actually not Li’s case itself. It was the film he made when he drugged and had sex with those 30 girls and what happened afterwards. After he made those films, he then sent to his friends for bragging and some of the film ends up releasing beyond their control. When he was charged and arrested, someone actually released all those film to the public in which contained some 29 gigabits of space with 60 something girls in the film (some of the girls were filmed with consent, thus not illegal). Although the authority declared that the downloading of such materials would be illegal under the criminal penalties such as interference with the right of private secrecy under the criminal code, but as human nature of curiosity, people started to download those films crazily and most of them downloaded with P2P softwares.
Downloading such kind of materials are usually not illegal (debatable, but in practice seldomly anyone got prosecuted before) but uploading them is definitely illegal in Taiwan. The design for a P2P download is that once when you are downloading, you are automatically uploading them as well. As a result, 12 downloaders were arrested for the reason of uploading those films to the web. [52] Now the question is, for uploading them and being prosecuted, is subjective intention required? It seems to be very much debatable in this area and those 12 arrestees should have a defense based on the lack of subjective intention. They were arrested under criminal sanctions, that means Mens Rea or “subjective intention” under the Civil Law system must be proven. With the way of operation of the P2P softwares, if you are only downloading, although up loading at the same time, it is automatically done and can not show your own intention of up loading it. However, in this case no one seems to be raising this question as a defense and later all of the 12 arrestees were fined and no one complained about the legitimacy of their arrest, which was quite unfortunate indeed.
Finally, not cyber pornography per se but something similar, as we had discussed about cyber hypers earlier, and we know that when people tries to get themselves famous, they will try their best with all sort of publicities on the web regardless if those publicities are negative or positive. Recently there is a tendency in China that those fame seekers will take one step further than cyber hypers and put their sexual films or photos onto the web in order to make themselves famous overnight. This phenomenon began with the case know as “Shou Shou sex films (兽兽门事件)- Di Ling (翟凌)” [53] in 2010 and the most recently the “Uniqlo sex film incident” (优衣库性爱视频事件)in 14th July, 2015. Although with most of these cases, people involved (usually female) always claimed that they are the victims of people attacking their privacy, such as hacking into their cell phones or computers, but most of the people believes that they are actually hyping themselves in order to become famous. The problem is, with this kind of behavior, it is usually very difficult to prove whether if they or they deliberately put their sexual photos or films onto the net or they are the victims of ill intention as their cyber equipments were really stolen thus the films and photos leaked out. This kind of behavior may not be a cyber crime but certainly a kind of cyber wrong, and this is the area that the relevant authorities must find ways to deter this kind of practice from getting copycat by the many.
Naked Chatting and Cyber Sex
In addition to this, the latest phenomenon in China is know as “naked chatting” (裸聊) which some people organize some website and employ some young girls in different chat rooms. The user buy cyber present to them available in that chatting website. The more the user pays (buy presents) the girls will chat to them with more explicity and taking off their cloth, if the user really pays them top dollars, they will chat naked with the and even perform some kind of sex show to satisfy the sexual fantasy of the user. [54] This is of course the typical example of this kind of the so called “cyber sex”, and the form and different versions could only be limited by your imagination. Currently, all form of naked chatting and cyber sex (unless done privately between two consenting adults without any financial considerations) are strictly sanctioned by the Chinese authorities, including Taiwan’s authority as well. But then again, there is an old Chinese saying, “the priest climbs a foot, the devil climbs ten.” (道高一尺魔高一丈), illegal or not, as this is a relative simple and lucrative business and also attaches to human nature, thus the author believes this phenomenon would never be totally cracked out, in fact would only grow larger in scale.
On the other hand, can one really say naked chatting or cyber sex, etc is a form of cyber wrongs? If you look at it closely, it is really not much difference compare with the traditional form of prostitution, in fact basically identical to “phone sex” or “call girls”, and that existed even in the 1970s. The fundamental difference is only with the improvement of cyber technologies, this kind of tradition form of prostitution through the medium of the internet, became more diverse. Thus, the author believes, the central question about issues of cyber sex or cyber pornography is not with “cyber” itself. The main issues is about what do you see about pornography and prostitution and whether if they should be legalize? Once the argument entered this area, it became a value arguments, and its seems to be just like abortion, euthanasia, mariguana in which you can never find a clear cut answer. Currently in China, beside cyber pornography, cyber gambling is another area which has the same issues, then again, the problem does not lie within cyber, the argument is whether if gambling should be legalized at all.
Chapter Ⅸ: The Taiwanese First Commercial Bank Heist
After looking at many types of traditional forms of cyber wrongs, now let us look at a recently happened case in Taiwan. In this case, it has all the elements of traditional cyber crimes, such as cyber theft, Phishing, torjan horse implementation, etc. But they are many step further, and the criminals did it so well almost like magicians in which they actually made ATM machine spilling money without even touching them from thousand of miles away in Russia.
Background
On 10th July 2016, 5:30 at dawn after a typhoon storm, a man with a face mask and black stripe hat stand in front of an ATM machine which belonged to the Taiwanese First Commercial Bank’s Jilin branch at Siping street. Amazingly without any bankcard or passwords, in fact without even touching the ATM itself, the cash continuously flow out of the machine like some magician putting a spell on the machine. Not only this machine, but around the same time, there were 41 ATM machines belonging to 22 First Commercial Bank branches in Taipei and Taichung all together spit out $83,277,600 New Taiwan Dollars (NT), equivalent to around $2,629,376 USD. What amazes people was that the person receiving the cash only spent a few minutes at each of the machines before bagging more than $2 million cash into their backpack. Based on the image from the security cameras, the thieves seems to be a group of 16 to 17 people attacking the ATMs around the same time without operating the machine in any way, but possibly gain control of the machine beforehand with some sort of “connecting device”, possibly from their smartphones.[55]
The unnatural spitting of cash was witnessed by some passerbys, as they immediately reported to the police, and First Commercial Bank immediately checked the cash inventory in their ATM machine across all braches and realize there were 41 ATM machines across Taiwan had abnormal cash out situation. Once the seriousness of the situation was discovered by the First Commercial Bank, they reported to the relevant authority as well, as such both the Taiwanese police and Investigation Bureau from the Taiwanese Ministry of Justice (MJIB) immediately got started with the investigation of such matter. With the initial investigation, all the thieves collecting the money were foreigner and Caucasian by looks, around 16 or 17 people collecting from the ATM machines at roughly the same time and judging from similar precedents around the world as this had happened to Japan and Thailand before, probably this was another work done by the Russian Mafia syndicate. But then, many questions must be answered, as how can they control the ATMs and instructed it to spit money without even operating or even touching the machine? If the smartphones were the remote control devices for the job, how and by what means would it be possible to achieve this result? [56]
Taiwan now a days is an island full of close circuit televisions (CCTV), and with a detailed analysis of the footage from those relevant CCTVs of First Commercial Bank, a suspect car was identified by the investigators (police and MJIB), and by tracing the number plate, it was identified as a rental car, and from the rental car company, the identity of the thieves was identified a few days after the incident. These people were indeed from Russia or Eastern European countries, but some of them already left Taiwan the next day on 11th July after the incident occurred. However, one strange situation intrigued investigators, NT$83 millions was not a small amount of money in terms of size and weight, but according to the CCTV footage from the airport, none of them brought any large suitcase, and many of them only had cabin luggage when they left the country, so how did they take their trophy money with them, as ultimately that is why they steal the money?[57] In another words, they did not or only take a small amount of trophy money with them when they leave Taiwan.
Where Did the Money Go?
As such, based on this information the investigators believed most likely the stolen money must still be in Taiwan, or at least in the hand of other group members and waiting for the right moment to transfer the illegal funds to overseas. In another words, this Russian crime syndicate may be divided up into different teams or gruops, and each team is responsible only for a part of the whole business. The person caught on the CCTV cameras for collecting the money was only responsible for cash collection. Once they finished their job, they left the country immediately. There must be another team members from the same syndicate to coming into or remains in Taiwan who will handle the transfer or remittance of the illegal cash and finish up the job. With this theory in mind, the investigators immediately began to watch out for any suspect from Russia and Eastern Europe entering Taiwan or remaining in Taiwan at around the same period of time. Through various channels, they started to contact both the legal financial institutions and “underground money wiring companies” to let them know the seriousness of the situation and warn them to refrain them from taking on this “business” for this group of people. Especially with the underground money wiring companies, although they may not be legal, but they existed in Taiwan for a very long period of time, they are especially popular with business man transferring money into and out of Mainland China (as transfer money from Taiwan to Mainland China via official channel may be time consuming and involve massive red tapes). Since those underground companies do not want to have any direct conflict with the Taiwanese authorities, thus they decided to cooperate with the Taiwanese authority and refrain from taking on this money laundering business for this group of people ..[58]
The Suspects Arrested
After thorough investigations from various channels, the investigator identified three possible suspects in which was Andrejs Peregudovs from Latvia. He was among the group of people first entering into Taiwan and remaining in Taiwan till the indicent completed, while Niklae Penkov from Moldova and Mihail Colibaba from Romania arrived Taiwan on the 16th July after the incident occurred. From tip offs, these three person were trying to contact underground money wire companies in order to transfer the stolen money overseas, just due to the warning from the authorities, no companies dare to take on their business. Therefore these three persons entered into a situation where they got a large amount of cash but no way to transfer it out of the country, as such they tried to find a place to hide those cash before they figure out a means to transfer out those funds. As the police had blocked almost all possible channels for them to transfer out their cash, they became desparate and they decided to hid the money at a rubbish dump in Taipei’s Neihu District (内湖))[59]
Andrejs Peregudovs was the first person being arrested by the Taiwanese authority in Taiwan’s Yilan County (宜兰县))) in 18th July 2016,which according to the report, he went to a local restaurant and order sweet and sour fish, which is a dish only foreigner would order in this restaurant, and this was witnessed by an off-duty police officer. First of all, this restaurant was not a place frequent by foregners and the dish he ordered usually no locals will ordered, so this immediately raised his alarm. After he left the restaurant by a bicycle heading south towards Hualian County (花莲县)), the off-duty officer contacted the local police and got Andrejs Peregudovs arrested. Andrejs later confessed he was trying to find a fishing boat (this two counties are port counties) and take the money out of the country by a smuggling boat Of course that was not an easy for a foreigner to find the contact for a smuggling boat in Taiwan as there are a very good coast guard system in Taiwan. Later at the same day, the other two suspects Niklae Penkov and Mihail Colibaba was arrested in a luxery hotel in Dazhi District (大直。[60]
Due to their arrest, most of the money stolen from the First Commercial Bank was recovered, as NT$60,240,000 (1,910,501 USD) were found in the hotel room of the three suspects above, 2 days later a further NT$12,630,000 (400,558 USD) was recovered in the rubbish dump mentioned earlier. Also, there was an old man Mr. Ke (柯姓老翁 reported to found a further NT$4,541.200 NTD (144.023 USD) near the original location of the rubbish dump. Thus, till then, out of the NT$83,277,600 lost cash, NT$77,450,000 were recovered, with around five millions NT were lost and presumably taken away by the first group of thieves when they left the country (five millions NT is quite possible to be taken out by 16 or 17 people with light luggage, as they may divided it up among that number of people, the size and weight is not very large). This means most of the money stolen from the First Commercial Bank ATMs were recovered by the Taiwanese authority (mainly the police), thus this case was declared by the Taiwanese police as officially being solved. This group of criminals with members from six countries (mostly form Russia and Eastern Europe) commit similar acts around the world and stolen roughly around more than USD$95 millions, [61] but only cracked by the Taiwanese police. This is not only a rare occurrence for among similar cases world wide, but it also indicate that the Taiwanese police also has its own expertise in cultivating relationship with different parties which may help them to handle this type of special and technological case.[62]
It was fortunate that this case was solved and criminals being arrested, at least some of it. However, a lot of questions remained unanswered here, especially on how it was possible that those criminals made the ATMs spill cash without even physically touched them. There are two possibilities. One possibility is that this is an “insider job” where there may be someone inside the First Commerical Bank to cooperate with this Russian syndicate. The other possibility is that it was done by very clever cyber criminals and used some way or ways to remotely control those ATM machines. Although ATM machines are not 100% criminal proof, but it has been widely known that it would be very difficult to hack into the ATM system in able to gaining their control and force them spitting out money.
MJIB, Cyber Forensics Laboratory
Once this incident had happened, the Taiwanese police was active in investigating and catching those suspects who may be involved in this case and who still remaining in the country. The MJIB was on the other hand busy in figuring out how it may be possible that ATM could be made to spill out cash without physically controlling it. Both the possibility of insider job and cyber crime was investigated at the same time. Although initially the prosecutor refuse to rule out the insider scenario, but later this was ruled out. Thus, this paper will not focus on MJIB’s initial effort on investigating the possible insiders as this will be another area to focus on criminal activity. The other possibility of course was the cyber crime scenario, and this was later proven to be the case when this case was cracked by the Taiwanese authority. The cyber crime investigation was handled by the MJIB Cyber Forensics Laboratory (CFL)(法务部调查局资安鉴识实验室), and immediately after the incident happened the CFL experts started to work on this case toward cyber crime direction focusing the ATM machine.. First of all, the ATMs that spilled cash was removed from the scene and sent to CFL for analysis, altogether 41 of them. According to their hypothesis, the only way that this kind of scenario could occur would be some kind of malwares invaded into the ATM’s controlling system and taken over the ATM machine. But with their initial investigation, they could not find any malware in the ATM system. But with their hard sleepless effort on the 19th July, which was only the next day the incident occurred, the CFL discovered three possible malwares might be hiding in the ATM controlling system.[63]
The MJIB said the machines were infected with three different malware files that instructed them to "spit out cash" and then another sub-malware would be activated to delete those malwares once they completed the task to avoid to exist as evidence of the crime. The sub-malware are known as “cleanup.bat”, and it would work though the encrypted internal delete tool “sdelete.exe” to delete any evidence of the malwares in the ATM system, thus those hackers could come, attack and go without any trace of their track. The only reason the CLF could figured out the existence of those three malwares was because one of the ATM being attacked in which they investigated upon had the cleanup sub-malware malfunctioned. But then again, there is another question, these three malwares does not possess the ability of far end online engagement, this means these malwares cannot remote control the ATMs via Command and Control Server (C&C) like many hackers usually do. In order to achieve the result of the case at hand, it must be done manually at far end. Therefore, the CFL experts believe the hackers must broken into some computers within the First Commercial Bank by sending “Spear Phishing emails” which is a kind of Phishing but more aggressive than the normal Phishing emails. Once computers inside the First Commercial Bank got infected with these malwares, then it would be possible to commend those ATMs to spill cash even without physically contacting them.[64]
After checking all the online records from the internal net of the First Commercial Bank, it was discovered that on 9th July, there was a large amount of online engagement from First Commercial Bank’s London branch towards its ATMs in Taiwan. The system with the large amount of online engagements was done through the “Telephone Recording Server” of the First Commercial Bank’s London branch. It was strange as First Commercial Bank’s London branch does not offer any ATM services, therefore does not need to get online with the Taiwan ATMs and should not have any record accordingly. Therefore, it was infered by the CLF investigators that the London branch was the hacking point by the hackers, and after hacking into the London branch’s server, they then used the server as the jumping board and attacked back into the head office of the First Commercial Bank in Taiwan. This inference was later proven by the CLF investigators as they further invetigate the case and admitted by the suspects when they was being arrested.[65]
The ATM Machines itself
Another problem may be pointing towards the problem of hardwares, that is the brand of the ATMs in question itself. The ATMs spitting money in this case was the “Pro Cash 1500 model” manufactured by a German company Wincor Nixdorf. After the incident, Wincor Nixdorf although cooperate with the First Commercial Bank and the Taiwanese authority, but they said it has no evidence to suggest that the malware was introduced into the network by the ATMs themselves, but this was later proven to be the case by the CLF investigators. However, some expert suggest this model of ATMs is a bit out of date, and could easily be purchased on the net and practiced by the criminals on how to crack them. [66] Although in this case the ATMs itself may not be directly linked to the result of spitting money for the thieves, but nevertheless, on a news briefing on 18th July, the chairman of the First Commercial Bank Mr. Chai Qing Nian (蔡庆年)decleared that they would replace all the Wincor Pro Cash 1500 ATMs with newer ones.
It has been suggested that many of the Taiwanese ATMs used a closed system framework known as the Systems Network Architecture (SNA). The ATMs connect directly thorough SNA to the bank’s main system in order to determine and process customer’s banking details and instructions on deposit or dispense money. When the ATM connecting with the SNA, during the transmission, every process would be encrypted. Thus, in theory, the structure should be a totally closed system and should be failsafe. However, is it really so? If the ATM system is a total closed system, then whenever the system needs update, it can not be updated remotely, it must be done by engineers manually by inserting a CD or USB disk on every machine itself. In another words, this could be time consuming and inconvenient for the Information Technology (IT) department for any banking corporation. As a result, it is not done by this way for any bank. In pracice, whenever the ATMs need a system update, it is done by server remotely and updated all the machines at once. So in other words, this so called “closed system” is not really closed at all, although heavily encrypted, but nevertheless still have some holes for the hackers to get thought. [67] In this case, this is exactly what happened when this Russian syndicate find a hole in First Commercial Bank’s email system and use this whole as a jumping board to get a hold onto to their ATM system and make all their ATM machines into mechanical zombies.
After all the investigations by the police and MJIB, all the suspects were being hold custody and going through subsequent legal proceedings. It is lucky that Taiwan authority crack this case on time and serve as a strong warning for other crimical syndicate on taking Taiwan financial institutions for their future illegal activities. As for the First Commercial Bank, they decided to scrutinized their fire wall and Internet security system in order to prevent their email systems being further attacked by Phishing emails. Even though First Commercial Bank had recovered most of the lost cash, but this incident had exposed the bank’s two important weak point of outdated hardware and weak Internet security system. These two points served to be the perfect opportunity for the Russian syndicate to take advantate to perform this magical case. As a result, after the investigation mostly completed, the chairman of First Commercial Bank, Mr Tsai had regisned accordingly.
Chapter Ⅹ: An Interview with an Insider
On 1st October, 2016, the author had an interview with an officer from the First Commercial Bank IT department, as he demanded his name to be remain anonymous, so he will be refer as “Mr. Wang” in this paper. According to Mr. Wang, technically regardless of any kind of ATM, it consist of two level to complete operation. The upper level is known as the “Application Level” (AP) and the lower level is known as the “Firmware”, which is the one controlling with operating system such as Windows. Most of the encryption, anti-virus softwares and guarding system are usually limited at the AP level. On the firmware level, as it is usually been regard as the internal level, its security risk level is relatively low, thus the guarding arrangements usually not as strong as the AP level. If we use other ways to describe this situation, it can be seen as like our house, we usually put of a lot of security efforts on our front gate and surrounding walls, because they are the area directly facing with outsiders , but we usually do not put a lot of security arrangments in the interior of the house. People usually will not put CCTV’s inside the house or create obstacles and locked up every rooms in the house all the time. The reason for this is that we usually thinks once the external part is safe, then the interior of the house should be safe as well. Now if there is thief that can create some way that can instruct someone or somehow to open the front gate for them to enter your house effortlessly, then even if you had the Chinese Great Wall surrounding your house it would still be useless against those thief. The situation in the First Commercial Bank was exactly the same.
After First Commercial Bank had done a comprehensive investigation internally, they had conclude few main reasons for this case to happen. First of all, the ATM machine was out of date, that was why they later changed all the Wincor Pro Cash 1500 models to a newer ones. Secondly, accordingly to Mr. Wang, their leader of their IT department were not exactly professional, the person was transfer up from other departments based on normal promotion procedure. Thus, they had a scenario where unprofessional leading the professionals. As an result, the IT department in the First Commercial Bank could not look the whole cyber security in a border prospective but concentrated on the day to day operation of the system that mainly focus on the AP level. Third, and most importantly, as this point had never been disclose to the public, after their thorough internal investigation, besides the malwares fould on the ATMs by the MJIB as discussed earlier, they also found Trojan EXEs among their high level executive staffs. In other words, due to the lack of cyber safety awareness, their high level executive staffs may be the one responsible for the thieves attack. Accordingly to Mr. Wang, at the same day where the three suspects officially charged by the Taiwanese prosecutor, there was another major attack from Russia at the First Commercial Bank’s firmware level, but this has never been disclosed to the public. This means, our earlier discussion on the malware getting into the system via First Commercial Bank’s London branch, or malwares that self destruct etc, may only be part of the problem. In theory if that was the only problem, once it was determined by the MIJB, the foreign end should not possess the ability to attack First Commercial Bank again. But that had been done on the 13th September, 2016, the day where Andrejs and other two were charged with fraud (诈欺) and disruption of computer usage (妨害电脑使用) and demanded for 12 years sentences by the Taiwanese prosecutors.[68]
According to Mr. Wang, the problem of the attack on the First Commercial Bank on 13th September 2016 had never been fully determined by both MJIB and their own internal IT department, and that attack had been seen as a kind of demonstration by the Russian syndicate by the authority and their bank. In short, based on Mr. Wang’s statement, the real problem of the First Commercial Bank Heist had never been fully identified by both the authority and their bank. The story prescribed earlier in this paper was only the story that the authority and the First Commercial Bank released to the public to avoid public panic and maintain their commercial reputation. In another words, there is still a possibility that this or similar case may still happen to First Commercial Bank or other Taiwan financial institutions in the future.
Recommendation from the First Commercial Bank Heist
After the First Commercial Bank’s Heist, more similar cases occurred around the globe and the later one was in Thailand. As we can accurately and truly identify the cause of this kind of activities, it is foreseeable that this kind of cases will be continuing to be happen around the world. Some expert suggested that the cyber world cop and thieves is like an old Chinese saying “ while the priest climbs a foot, the devil climbs ten”, (道高一尺魔高一丈). So cyber thieves would always find some new ways to get around the system. Nevertheless, as a tentative conclusion for the First Commercial Bank’s heist, a few recommendations may be put into practice in able to create a more “difficulties” Information Technology (IT) environment for those cyber thieves and minimize the risk of similar incidents from happening again.
1. The ATMs machine hardware must be updated to the latest model. If that is not economically possible, then the software operating system of the machine must be kept updated.
2. The cyber security system must be designed towards both the AP level and firmware level. In addition, there must also be a cyber security system also guarding the internal system of the
Bank.
3. There should be a “white list” (白名单) with all the safe softwares operating in the system and only the softwares from the white list could be used and operated. Once any foreign software not within that white list being identified, the alarm bell must be immediately activated to determine whether if there is any security breach.
4. The leader of the IT department must be promoted via an IT background, it must not let lay personnels leading IT engineers. Also, more resources must be put into the IT department and personnel education. In fact, the leader of the IT department should be from board of directors level of executives with an IT background.
5. Different banks must work together for the same objective of achieving a safer cyber banking system.
Chapter Ⅺ: Conclusion
The different kind of cyber wrongs discussed in this article is only a few of the more obvious kinds of cyber wrongs occurred in recent years, it is no where near an exclusive list for all kinds of cyber wrongs. The cyber world is similar to the real human world, in which all the possible wrong kind of practice would only be limited by your imagination. This is the reason we closely looked into the Taiwanese case of the First Commercial Bank’s heist. The author always like to use that old Chinese saying, the priest climbs a foot the the devils climbs ten. In the cyber world, it is exactly like this, “the authority climbs a foot, the criminals climbs ten.”. So based on the analysis of the First Commercial Bank’s heist, both the bank and the Taiwanese authority could not 100% identify and prevent the problem. Thus, it can be a inference to that a lot of Taiwanese banks, or banks around the world almost like sitting ducks waiting for those cyber criminals to be shot at.
Now looking back at Mainland China, it is a fact that China has the toughest legal arrangement on Internet wrongs already, many even suggest with the toughest implementation of various Internet usage regulations, it actually kill people’s creativity and affects people’s freedom of speech, which is a Constitution right under the Chinese Constitution. [69] In addition to this, although the Chinese government never admits that there exist this so called “The Chinese Great Firewall”, but its existence is generally a public knowledge. With this great firewall, one can not freely peruse many international websites, such as Facebook, overseas news agencies and sites deemed improper by the Chinese government. Accordingly, in theory the Chinese government should have a upper hand in war against cyber wrongs. However, just like with the famous slogen said in the movie Jurassic Park - Life will find its own course. While if we admit human brain are limitless, then we must also admit that new forms of cyber wrong, both crime and tort will without any doubt appear in the near future endlessly.
Finally, although a lot of these forms of cyber wrongs are clearly illegal, for example, cyber theft, hacking, destroying cyber properties or overtaking other people’s net accounts, etc. But a lot of these cyber wrongs, may not be totally illegal, but depends on the value judgment of a particular society. For example, cyber hyper could be a form of advertising tactics and cyber pornography, cyber sex, or cyber gambling is purely a matter of the value judgment of the society. If the Chinese society and government legalized pornography (like in the United States with limitation) and prostitution (like Australia in certain states) and gambling (like Australia with limitation), then the problem of cyber pornos, sex and gamblining would immediately becomes no problems at all. Thus the resources which originally used to take against this kind of so called cyber wrongs then could be put into the area to battle with the real and more serious type of cyber criminal activities, such as the First Commercial Bank heist.
[1] Greg Tzu Jan Yang, SJD, Bond University, Australia. Ph.d Peking University, China. Assistant Professor, China University of Political Science and Law, College of Comparative Law.
[6] Ji Jing and Zhang Zhi Chao “A Study on the New Type of Cyber Criminal Behavior” Chinese Public Prosecution Bureau Publishing Co., 2012 page 47.
[7] Soho Technology News “Chinese fake Apple Shop has been busted by foreign media, their fake products can almost compete with the real one.” http://it.sohu.com/20141225/n407272684.shtml 2014-12-25
[8] Ji Jing and Zhang Zhi Chao “A Study on the New Type of Cyber Criminal Behavior” Chinese Public Prosecution Bureau Publishing Co., 2012 page 47.
[10] Sina News “ Peking University Professor claims the new property law unconstitutional in an open letter, the debate between capitalism or socialism raised again.” http://news.sina.com.cn/c/2006-02-23/15019183436.shtml 2006-02-23
[11] The People’s Republic of China Criminal Code Article 17.
[13] The Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues concerning the Concrete Application of Law in the Handling of Criminal Cases of Making, Reproducing, Publishing, Selling and Spreading Pornographic Electronic Information by Means of the Internet, Terminal of Mobile Communications and Sound Message Stations. 2004.
[14] Yu Zhi Gang “The Legal Principle of Cyber Crime” Yuan Zhao Publishing Company, Taipei. 2007-3. Page 260.
[15] The full name of Mr. King and other 11 defendants has not been release by the court.
[16] QQ Technology News “11 person found guilty by the first instance court for breaching of the freedom of communication with stealing QQ accounts.” http://tech.qq.com/a/20080214/000086.htm 2008-02-14
[18] QQ Technology News “11 person found guilty by the first instance court for breaching of the freedom of communication with stealing QQ accounts.” http://tech.qq.com/a/20080214/000086.htm 2008-02-14
[19] Jin Yang Wan News “Ningbo court convicts a cyber account thief.” http://www.ycwb.com/gb/content/2006-01/26/content_1062508.htm 2006-01-26
[20] Ji Jing and Zhang Zhi Chao “A Study on the New Type of Cyber Criminal Behavior” Chinese Public Prosecution Bureau Publishing Co., 2012 page 121.
[21] Baike Encyclopedia “The Chinese Internet Histroy.” http://www.baike.com/wiki/中国互联网史 2015-01-27
[22] Wikipedia Chinese “The Chinese Red Hackers.” https://zh.wikipedia.org/wiki/红客 2015-12-12
[24] Ji Jing and Zhang Zhi Chao “A Study on the New Type of Cyber Criminal Behavior” Chinese Public Prosecution Bureau Publishing Co., 2012 page 137.
[25]Berkoff v. Burchill and another [1996] 4 All ER 1008.
[26] The Fourth Amendment did not used the word “Priacy” itself, but the concept of it appears in it against “unreasonable search and seizures. William Mc Geveran “Privacy and Data Protection Law.” Foundation Press, USA. 2016.
[27] Martin Davies “Torts.” 4th edition, Butterworths, Australia.
[28] Barbara Harvey & John Marston. “Case and Commentary on Tort.” 3rd edition, Financial Times Pitman Publishing, United Kingdom.
[29] The New York Times, Chinese “The statutory interpretation from the Supreme People’s Court and the Supreme People’s Procuratorate may further depress the freedom of speech” http://cn.nytimes.com/china/20130911/cc11libel/ 2013-09-11
[30] Baidu Encyclopedia “The Real Name System of the Internet.” http://baike.baidu.com/view/529067.htm
[42] Rai Guo “Our Current lack of Testamentary Succession System with Perfect - to up to two typical inherit case thinking.” http://www.docin.com/p-1459875945.html 2011-6
[44] Xinhua News Agency “The 2014 action on the elimination of pornography and illegal publications on the net.” http://www.xinhuanet.com/legal/shdf/ 2014-01-19
[45] Decision of the Standing Committee of the National People’s Congress on the Strict Prohibition Against Prostitution and Whoring, 1991.
[46] Yu Zhi Gang “The Legal Principle of Cyber Crime” Yuan Zhao Publishing Company, Taipei. 2007-3. Page .
[50] QQ News “A man upload 62 pornography movies on the net within 3 month, but did not know it was illegal while he was being arrested.” http://news.qq.com/a/20130320/000008.htm 2013-03-20
[57] United Daily News,Taiwan. Editorial Department “It happened so dramatically - Understood the First Commercial Bank case in one go” https://udn.com/news/story/10027/1823435. 2016-07-21
[58] SETN News (三立新闻) “The Heist has became too publicized, the underground money wire companies refuse to take the business even with a 70% commission!”. http://www.setn.com/News.aspx?NewsID=165462 2016-07-18
[61] United Daily News,Taiwan. Editorial Department “It happened so dramatically - Understood the First Commercial Bank case in one go” https://udn.com/news/story/10027/1823435. 2016-07-21
[68] On 25th January, 2017. Andrejs and others were sentenced to 5 years and a penalty of TWD 600,000 (19,014 USD), will also be evicted once the sentenced served. Jiao Jia Hui “The three suspects of the First Commercial Bank case sentenced to 5 years each, and will be evicted once sentence served”. http://www.storm.mg/article/216936. 2017-01-25
[69] The Constitution of the People’s Republic of China, Article 35
2017-12-16
