I. General
1 Illegal access to a computer system is the basic offence in the field of cybercrime. It is often the prerequisite criminal conduct for the commission of another computer-related offence, such as data interference (art. 4 CCC), system interference (art. 5 CCC), computer forgery (art. 7 CCC) or computer fraud (art. 8 CCC). However, some cybercriminals simply gain unauthorized access to a computer system, out of bravado or for the sheer technical challenge it represents, without committing any subsequent offence. It is therefore justified to criminalize this behavior in its own right, rather than having it absorbed into the offences punishable under the following articles. Thus, the perpetrator is guilty of illegal access by the mere fact of gaining access to a computer system. It is not necessary for him to steal or modify data in the computer system.
2 Some might see hacking as a relatively harmless, playful activity enjoyed by a few geeks in search of new challenges. The reality, however, is quite different. Hacking is far more widespread than one might think at first glance, and its perpetrators pursue far less honorable aims than mere entertainment.
3 Naturally, strong security measures are the most effective way of protecting a computer system against unauthorized access. Given the threat to the security of computer systems and data that hacking represents, technical measures must be accompanied by legislative measures designed to dissuade cybercriminals from taking action, or to punish them if they commit malicious acts. In this way, the interests of organizations and individuals in being able to run, operate and control their IT systems without disruption or hindrance of any kind are best protected.
II. Legally protected property
4 Art. 2 CCC protects the inviolability of computer systems. This protection under criminal law is necessary for at least two reasons.
5 On the one hand, illegal access to a computer system can result in substantial repair costs for the rightful owner. The perpetrators often modify data in order to gain access to the system. What's more, victims are often unaware of the intrusion until some time after it has taken place. It is therefore particularly difficult to trace what has been modified by the perpetrators, and what new data has been generated by the computer system as a result. Once identified, these data must be restored to their original state. These operations can be very time-consuming and costly.
6 On the other hand, illegal access enables perpetrators to consult information to which they should not have access (e.g. confidential reports, trade secrets, customer lists, accounting documents, credit card numbers, personal data, etc.). This information can then be resold on the black market, which can cause far greater damage to the rightful owner than simply restoring the system's protection.
III. Fundamental elements
A. A computer system
7 According to art. 1 lit. a CCC, "the term 'computer system' means any isolated device or set of interconnected or related devices, which performs or of which one or more elements perform, in execution of a program, automated data processing". The notion of computer system thus includes all hardware (motherboard, processor, hard disk, screen, keyboard, printer, etc.) and software (BIOS, operating system, applications, updates, etc.), as well as the devices that connect these different elements to each other (cables, router, Wi-Fi access point, etc.).
8 For further details on this concept, please refer to art. 1 CCC above.
B. Access to the computer system
9 One might be tempted to compare illegal access to a computer system with the offence of trespass. Access to the computer system would thus be the digital equivalent of breaking into the dwelling. The reassuring thing about this analogy is that it's easy to visualize the situation intellectually. However, the virtual world is more complex than that, and the contours of legal notions are necessarily more blurred.
10 An analogy with the real world is complicated. If one were to be made, however, access to a computer system could be compared to entering a medieval castle. Access to the castle is limited by a surrounding wall and moat. The main gate is usually guarded by guards. They check that those entering the fortress are authorized to do so. Once inside, individuals can access certain parts of the castle and not others, depending on their rank. Rank is defined by the lord to whom the castle belongs. Each part of the castle contains objects that can be viewed, touched, modified or even destroyed. For these items too, the castle lord determines who can do what with which object. The lord is the only one with access to every room in the castle, and the only one who can act as he or she sees fit with every object in the castle.
11 A computer system operates in a similar way to a castle. To gain access to the computer system, the user generally has to enter a login and password. Once logged in, the user can access all or part of the computer system according to his or her accreditation level, which is determined by the computer system administrator. This accreditation level also determines what the user can and cannot do in the parts of the computer system to which he or she has access, i.e. only view the title of documents contained in a folder, open them to read, edit or delete them. The administrator is the only person with access to the entire computer system, and with the rights to perform any action he or she wishes with the data contained therein.
12 The analogy with the real world ends there, however. Indeed, the notion of "access" in the virtual world cannot be compared to that of "penetration" in the real world. In computing, the notion of "access" means that the perpetrator succeeds in establishing a connection with all or part of a computer system. Strictly speaking, therefore, there is no physical movement of the perpetrator from one place to another.
13 In the simple form of the offence, the means used by the perpetrator to connect to the computer system is irrelevant. The perpetrator may therefore establish a connection by means of local or remote access. If the perpetrator establishes a local connection with a computer system to which he or she has physical access, this will be done using a keyboard - hardware or virtual - and a mouse, or even simply with the fingers for tablets and smartphones. He or she may also use a terminal to connect to a central computer system. If, on the other hand, the perpetrator decides to establish a remote connection, he or she can use any telecommunications network. The type of network (local, public, private, etc.) and the type of connection (wired or wireless) are of no importance.
14 Nor is the extent of access decisive in determining whether an offence has been committed. Access may be total, in which case it extends to the entire computer system. It may also be only partial. In this case, it concerns only part of the computer system. This is the case, for example, when the perpetrator only accesses a user's session or part of the data stored on a server.
15 The offence is committed as soon as the connection to the computer system is established. There is then nothing to prevent the perpetrator from acquiring knowledge of the data contained in the computer system. However, it is not necessary for the perpetrator to become aware of the data for the offence to have been committed. In practice, however, these two events usually coincide, since at the moment when access is established, the data is displayed on the screen.
16 The notion of access as defined in art. 2 CCC must be clearly distinguished from data interference as defined in art. 4 CCC. To commit the offence, it is sufficient for the perpetrator to gain access to a computer system. Even if, in practice, the establishment of illegal access regularly results in the modification of data, such deterioration is not necessary for the commission of the offence.
17 Finally, only the establishment of illegal access is punishable. Maintaining lawful access after the owner of the computer system has informed the user that he or she is no longer authorized to access it is not punishable. A case in point is the employee who, in the course of his professional activity, uses his private computer to connect to the company network and who, once dismissed, continues to consult company files. However, the absence of punishability lasts only as long as the connection. If he interrupts the connection and establishes a new one, he is guilty of the offence. In our opinion, this absence of punishability is clearly a loophole that has been misleadingly described, as the Parties probably simply did not envisage this possibility when drafting the text.
C. Unlawfulness
18 To be punishable, the perpetrator must have acted without right. This involves first determining whether the computer system is public - i.e. open to all - or whether access to it is restricted, or a combination of both. If the computer system is public, access to it cannot be unlawful, and any infringement is excluded. On the other hand, if access to all or part of the computer system is restricted, unauthorized access is punishable.
19 It is the owner of the computer system who determines who is authorized to access which part of the system. This means that not only those who have not been authorized to access the computer system are liable to punishment, but also those who have been authorized to access one part of the computer system, but who access another part of the computer system to which they have not been granted access. On the other hand, persons who have been granted access to the computer system by its rightful owner, and who comply with the limits of this access, are not liable to punishment.
20 The rightful owner of a computer system is not always its administrator. This is particularly true of medium-sized and large computer systems. In such cases, the management of the IT system is delegated by its owner to a third-party administrator. This administrator may be either an individual or a legal entity. In both cases, the owner of the IT system authorizes the administrator to access it in order to carry out his or her mission. In other words, the administrator does not have unauthorized access to the computer system, as long as this is for the purpose of fulfilling his or her mission. On the other hand, access is unauthorized when it is for another purpose, such as consulting private or confidential information not intended for the administrator.
21 When the management of an IT system is delegated to a company, all the natural persons in charge of this task within the company are authorized to access it. However, this is not the case for individuals within the legal entity to whom this task has not been assigned. If these people do access the computer system, they do so without right, as they are not doing so to carry out the task entrusted to the legal entity.
22 A person specifically mandated to test the security of a computer system, who manages to gain access to the system by circumventing the protection measures in place, is not acting unlawfully, as he has been authorized to do so by the party who mandated him.
D. Intention
23 Illegal access is intentional. Intention must cover all the objective elements of the infringement. The perpetrator must therefore be aware that he or she is accessing a computer system without right, and have the will to do so. Any fraudulent intent is sufficient. If the perpetrator suspects that he is accessing all or part of a computer system to which he should not have access, but establishes a connection anyway, he is guilty of illegal access. On the other hand, if the perpetrator makes a handling error and establishes an unauthorized connection in spite of himself, intent is lacking and the offence is not committed.
24 The law punishes only the establishment of illegal access, and not the fact of maintaining access against the will of the rightful owner. Consequently, anyone who inadvertently accesses a computer system but, once connected, explores its contents, is not punishable.
25 If the perpetrator mistakenly believes that the computer system he is accessing is public, or if he mistakenly believes that he is entitled to access it for some other reason, he has committed an error of fact.
IV. Optional additional elements
26 When the Convention on Cybercrime was being drafted, a majority of Parties wanted to criminalize hacking outright. Others, on the other hand, were opposed to a general criminalization of hacking, on the grounds that simple intrusion does not necessarily cause damage and that, in some cases, acts of hacking even make it possible to discover and close security loopholes. To take account of these considerations, and given that the national legislation of many countries already contained provisions that punished hacking in various forms, Parties were given the option of limiting the punishability of illegal access by requiring the fulfilment of one or more additional constituent elements.
A. Access in violation of security measures
27 The Convention on Cybercrime first gives Parties the option of punishing illegal access only when it is committed in violation of security measures. The Czech Republic, Finland, Germany, Japan, Lithuania, Peru, the Slovak Republic and Switzerland have made use of this option.
28 This additional requirement means that the computer system must be protected against unauthorized access. In other words, if the perpetrator gains unauthorized access to an unprotected computer system, he is not punishable.
29 The notion of security measures must be understood broadly. It encompasses both physical and virtual security measures. With regard to physical security measures, the computer system may, for example, be located in a locked room that can only be accessed with a key, magnetic badge, fingerprint, retinal scan or voice print. Virtual security measures may include firewall protection, PIN codes, passwords, and two-factor or even three-factor authentication.
30 If the perpetrator is unable to bypass the security measures, or if he spontaneously decides to end his activity before having bypassed them, only an attempt can be considered. This poses a problem, however, since art. 11 § 2 CCC does not require Parties to punish attempted illegal access. Each State is therefore free to deal with this aspect as it sees fit, with the result that such conduct may not be punishable at all, depending on the national legislation of the States Parties.
B. The purpose of obtaining computer data or another special purpose
31 Another possibility open to Parties is to require that the perpetrator acted with a special purpose. Several States have made use of this possibility.
32 The United States of America has decided to require that the perpetrator has acted in order to obtain data. Although this possibility has been given to the Parties, its use is regrettable, as it empties the norm of much of its substance. In fact, this provision was specifically designed to punish the acts of hackers who gain access to computer systems out of bravado, but are not interested in the data they contain. Requiring this specific special purpose therefore seems contrary to the spirit of the norm.
33 Belgium, for its part, has stated that illegal access is criminalized only when committed with fraudulent intent or malicious intent. Fraudulent intent seems to refer to the desire to obtain an undue advantage for oneself or for others. As for malicious intent, it probably refers to the intention to cause harm to others in any form whatsoever.
34 The Principality of Andorra and the Slovak Republic have decided to prosecute illegal access only if it is committed with the aim of obtaining data without right, of damaging it (in the case of the Principality of Andorra only) or for some other criminal purpose. This wording is intended to prevent perpetrators from escaping conviction on the grounds that they were pursuing a purpose other than obtaining or damaging data. In our opinion, however, this other purpose must be interpreted in the light of the special purposes listed in art. 2 CCC, and be similar to them both in terms of the purpose pursued by the perpetrator and its criminal intensity. On January 1, 2021, the Slovak Penal Code was amended and the reservation of the Slovak Republic was adapted. Section 247 has been revised. In its simple form, this provision no longer requires any special purpose (§ 247 par. 1). On the other hand, § 247 par. 2 provides for a qualified form when the perpetrator causes considerable harm.
35 Finally, Canada has indicated that it will only prosecute illegal access if it is committed with criminal intent. This last notion is particularly imprecise, and consequently creates considerable legal uncertainty. What's more, it seems to overlap with the notion of intent. In our view, it should therefore be interpreted restrictively.
36 Chile initially entered a reservation identical to that of Canada. However, it amended its legislation in 2022. In its new version, acceso ilícito is punishable when committed intentionally. Special intent is no longer required. However, when illegal access is committed with the aim of obtaining or using data contained in the computer system, the penalty is increased.
C. A computer system connected to another computer system
37 Finally, the Convention on Cybercrime allows Parties to limit the punishability of illegal access to connections established without right with a computer system via another computer system. By making use of this possibility, Parties can exclude cases in which the perpetrator physically accesses the computer system he is targeting, without passing through a network.
38 The only States to have made use of this possibility are the Slovak Republic and Japan. The Slovak Penal Code has since been amended. The new wording of § 247, which entered into force on January 1, 2021, no longer provides for this requirement in its current version, so the Slovak Republic's reservation has been adapted.
V. Comparison with Swiss law
39 Under Swiss law, hacking is punishable under art. 143bis of the Swiss Criminal Code. This provision punishes unauthorized access to another person's computer system, specially protected against access, by means of a data transmission device. However, this provision does not meet the requirements of art. 2 CCC in three respects.
40 Firstly, the Convention makes no distinction between computer systems. It protects the integrity of all computer systems, irrespective of whom they belong to. Art. 143bis para. 1 of the Criminal Code, on the other hand, only criminalizes unauthorized access to a computer system "belonging to another person". Given that this provision is to be found in Title 2 of the Criminal Code, i.e. offences against property, this wording must be interpreted with regard to real rights. The computer system must therefore belong to a person other than the perpetrator. If the perpetrator is the owner or co-owner of the computer system, this constitutive element is not fulfilled, since the system does not belong to another person. Thus, if several sessions have been opened in the same computer system, the perpetrator, (co-)owner of the computer system, who accesses a session other than his own, is not punishable. The majority of legal writers, on the other hand, take the view that "belonging to another person" means that a person other than the perpetrator is authorized to access and dispose of the computer system or a computer subsystem. Such an interpretation would, however, make the notion of "belonging to another person" redundant with the constitutive element of unlawful access. The reason why the legislator has mentioned these two elements separately is that they are two notions which must be analyzed independently of each other. To be consistent with the Convention, the term "autrui" ("another person") in art. 143bis para. 1 of the Criminal Code should therefore be deleted.
41 Secondly, art. 143bis para. 1 of the Criminal Code requires the perpetrator to have accessed the computer system by means of a data transmission device. This means, for example, that a perpetrator who takes advantage of his victim's absence to enter his office and log on directly to his computer is not guilty of unauthorized access to a computer system, since he is not using a data transmission device. Art. 2 § 2 CCC allows Parties to limit criminal prosecution to unlawful access committed by means of a computer system connected to another computer system. However, Switzerland has not declared that it will avail itself of this possibility. Consequently, the constituent element of access by means of a data transmission device should be deleted.
42 Finally, art. 143bis of the Swiss Criminal Code establishes an offence prosecuted only on complaint. However, when an offence is only prosecuted on the basis of a complaint, a criminal authority cannot take up the matter of its own motion. Since legal scholars disagree as to whether a complaint lodged in the requesting state is sufficient to implement international cooperation, it would be prudent to prosecute unauthorized access to a computer system ex officio.
43 In view of the foregoing, it is clear that Swiss law does not comply with art. 2 CCC. Art. 143bis of the Swiss Criminal Code should therefore be amended.
The technical IT concepts contained in this contribution were drafted with the help of Mr. Yannick Jacquey, ICT Manager with a federal diploma. Our warmest thanks to him.