-
- Art. 5a FC
- Art. 6 FC
- Art. 10 FC
- Art. 16 FC
- Art. 17 FC
- Art. 20 FC
- Art. 22 FC
- Art. 29a FC
- Art. 30 FC
- Art. 32 FC
- Art. 42 FC
- Art. 43 FC
- Art. 43a FC
- Art. 55 FC
- Art. 56 FC
- Art. 60 FC
- Art. 68 FC
- Art. 75b FC
- Art. 77 FC
- Art. 96 para. 2 lit. a FC
- Art. 110 FC
- Art. 117a FC
- Art. 118 FC
- Art. 123b FC
- Art. 136 FC
- Art. 166 FC
-
- Art. 11 CO
- Art. 12 CO
- Art. 50 CO
- Art. 51 CO
- Art. 84 CO
- Art. 143 CO
- Art. 144 CO
- Art. 145 CO
- Art. 146 CO
- Art. 147 CO
- Art. 148 CO
- Art. 149 CO
- Art. 150 CO
- Art. 701 CO
- Art. 715 CO
- Art. 715a CO
- Art. 734f CO
- Art. 785 CO
- Art. 786 CO
- Art. 787 CO
- Art. 788 CO
- Transitional provisions to the revision of the Stock Corporation Act of June 19, 2020
- Art. 808c CO
-
- Art. 2 PRA
- Art. 3 PRA
- Art. 4 PRA
- Art. 6 PRA
- Art. 10 PRA
- Art. 10a PRA
- Art. 11 PRA
- Art. 12 PRA
- Art. 13 PRA
- Art. 14 PRA
- Art. 15 PRA
- Art. 16 PRA
- Art. 17 PRA
- Art. 19 PRA
- Art. 20 PRA
- Art. 21 PRA
- Art. 22 PRA
- Art. 23 PRA
- Art. 24 PRA
- Art. 25 PRA
- Art. 26 PRA
- Art. 27 PRA
- Art. 29 PRA
- Art. 30 PRA
- Art. 31 PRA
- Art. 32 PRA
- Art. 32a PRA
- Art. 33 PRA
- Art. 34 PRA
- Art. 35 PRA
- Art. 36 PRA
- Art. 37 PRA
- Art. 38 PRA
- Art. 39 PRA
- Art. 40 PRA
- Art. 41 PRA
- Art. 42 PRA
- Art. 43 PRA
- Art. 44 PRA
- Art. 45 PRA
- Art. 46 PRA
- Art. 47 PRA
- Art. 48 PRA
- Art. 49 PRA
- Art. 50 PRA
- Art. 51 PRA
- Art. 52 PRA
- Art. 53 PRA
- Art. 54 PRA
- Art. 55 PRA
- Art. 56 PRA
- Art. 57 PRA
- Art. 58 PRA
- Art. 59a PRA
- Art. 59b PRA
- Art. 59c PRA
- Art. 62 PRA
- Art. 63 PRA
- Art. 67 PRA
- Art. 67a PRA
- Art. 67b PRA
- Art. 75 PRA
- Art. 75a PRA
- Art. 76 PRA
- Art. 76a PRA
- Art. 90 PRA
-
- Vorb. zu Art. 1 FADP
- Art. 1 FADP
- Art. 2 FADP
- Art. 3 FADP
- Art. 5 lit. f und g FADP
- Art. 6 Abs. 6 and 7 FADP
- Art. 7 FADP
- Art. 10 FADP
- Art. 11 FADP
- Art. 12 FADP
- Art. 14 FADP
- Art. 15 FADP
- Art. 19 FADP
- Art. 20 FADP
- Art. 22 FADP
- Art. 23 FADP
- Art. 25 FADP
- Art. 26 FADP
- Art. 27 FADP
- Art. 31 para. 2 lit. e FADP
- Art. 33 FADP
- Art. 34 FADP
- Art. 35 FADP
- Art. 38 FADP
- Art. 39 FADP
- Art. 40 FADP
- Art. 41 FADP
- Art. 42 FADP
- Art. 43 FADP
- Art. 44 FADP
- Art. 44a FADP
- Art. 45 FADP
- Art. 46 FADP
- Art. 47 FADP
- Art. 47a FADP
- Art. 48 FADP
- Art. 49 FADP
- Art. 50 FADP
- Art. 51 FADP
- Art. 54 FADP
- Art. 57 FADP
- Art. 58 FADP
- Art. 60 FADP
- Art. 61 FADP
- Art. 62 FADP
- Art. 63 FADP
- Art. 64 FADP
- Art. 65 FADP
- Art. 66 FADP
- Art. 67 FADP
- Art. 69 FADP
- Art. 72 FADP
- Art. 72a FADP
-
- Art. 2 CCC (Convention on Cybercrime)
- Art. 3 CCC (Convention on Cybercrime)
- Art. 4 CCC (Convention on Cybercrime)
- Art. 5 CCC (Convention on Cybercrime)
- Art. 6 CCC (Convention on Cybercrime)
- Art. 7 CCC (Convention on Cybercrime)
- Art. 8 CCC (Convention on Cybercrime)
- Art. 9 CCC (Convention on Cybercrime)
- Art. 11 CCC (Convention on Cybercrime)
- Art. 12 CCC (Convention on Cybercrime)
- Art. 25 CCC (Convention on Cybercrime)
- Art. 29 CCC (Convention on Cybercrime)
- Art. 32 CCC (Convention on Cybercrime)
- Art. 33 CCC (Convention on Cybercrime)
- Art. 34 CCC (Convention on Cybercrime)
FEDERAL CONSTITUTION
CODE OF OBLIGATIONS
FEDERAL LAW ON PRIVATE INTERNATIONAL LAW
LUGANO CONVENTION
CODE OF CRIMINAL PROCEDURE
CIVIL PROCEDURE CODE
FEDERAL ACT ON POLITICAL RIGHTS
CIVIL CODE
FEDERAL ACT ON CARTELS AND OTHER RESTRAINTS OF COMPETITION
FEDERAL ACT ON INTERNATIONAL MUTUAL ASSISTANCE IN CRIMINAL MATTERS
DEBT ENFORCEMENT AND BANKRUPTCY ACT
FEDERAL ACT ON DATA PROTECTION
SWISS CRIMINAL CODE
CYBERCRIME CONVENTION
- I. General
- II. Legally protected property
- III. Basic elements
- IV. Optional additional constituent elements
- V. Comparison with Swiss law
- Bibliography
- Materials
I. General
1 To guarantee complete legal protection, unlawful access had to be supplemented by unlawful interception. As we have seen above (cf. Art. 2 N. 9ss), unlawful access punishes the unlawful intrusion into a computer system and the consultation by unauthorized persons of the data stored therein. Illegal interception, on the other hand, sanctions the violation of the confidentiality of data circulating within the computer system, as well as data exchanged between the computer system and the outside world.
II. Legally protected property
2 This provision protects the right to confidentiality of transmitted data. The offence represents the same violation of the right to secrecy of communications as the conventional tapping and recording of telephone conversations between individuals. Art. 3 CCC takes up the guarantee of the right to respect for correspondence contained in art. 8 ECHR and applies it to all forms of electronic data transfer, whether by telephone, fax, e-mail or file.
III. Basic elements
A. Computer data
3 According to art. 1 let. b CCC, "the term 'computer data' means any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable for causing a computer system to perform a function". The notion of computer data is therefore very broad, encompassing in particular all letters, symbols or programming codes that can be entered, processed and stored by a computer system.
4 For further details on this notion, please refer to what has been written on art. 1 CCC.
B. Non-public transmission
1. The notion of transmission
5 Contrary to what the etymology of the term "transmission" might suggest, the notion of transmission in art. 3 in initio CCC does not refer solely to remote exchanges between two devices. As the prepositions "to", "from" or "within" a computer system suggest, it concerns all data in circulation. The only data not covered by this concept is that which is permanently stored on a medium, such as a hard disk, USB stick or DVD.
6 The transmission of data "inside" a computer system covers data circulating in and between the motherboard, processor, graphics card, computer screen or printer. It even extends to data stored in the computer system's random access memory, since such data is not permanently stored in this memory, but is only held there for a few moments before continuing to circulate within the computer system.
7 Data transmissions "to" or "from" a computer system presuppose that the receiver or sender of the data is a computer system, while the other may be a human or a computer system.
8 The transmission of data from a human being "to" a computer system involves the human being entering data into the computer system, for example using a keyboard, mouse or joystick. Conversely, the transmission of data to a human being "from" the computer system refers to the return of data from the computer system to the human being, by displaying the data on a screen or printing a document on a printer.
9 Finally, when data transmission takes place between two computer systems, it takes place both "to" and "from" a computer system. This is the case, for example, when data is exchanged between a computer and a server, between two computers, or between a computer and a smartphone. It doesn't matter whether the two computer systems belong to the same person or to different people. Nor does it matter how the data is transmitted. Data can be exchanged via a wired or wireless connection (Wifi, NFC, Bluetooth, radio wave, etc.).
10 The preceding elements show that the notion of transmission is very broad. In order to restrict the scope of this provision, art. 3 in fine CCC allows the Parties to limit criminal prosecution to the illegal interception of data transmitted between two remotely connected computer systems.
2. Non-public nature
11 Art. 3 CCC concerns only non-public transmissions. Non-public character relates to the transmission and not to the data transmitted. It is therefore irrelevant whether the data transmitted is public or private. Only the nature of the transmission is decisive.
12 In our opinion, a transmission is non-public when it is limited to a certain number of people or to specific individuals. This is the case, for example, of the transmission of a videoconference presentation that can only be followed by a limited number of participants, or of films made available only to subscribers by a streaming company.
13 However, the notion of non-public transmission does not mean that the transmission must take place over a network that is not public. Transmission can take place using a public network; it simply has to be restricted to a specific number of people.
14 To restrict transmission to a specific number of people, technical measures must necessarily be put in place. However, these security measures need not be particularly advanced. A system that checks whether the person wishing to access the transmission is one of the authorized persons is sufficient. This could involve following a link sent by e-mail, entering a code supplied in advance, or identifying oneself by means of a login and password.
C. The special case of electromagnetic emissions
15 When the Convention on Cybercrime was drawn up between April 1997 and December 2000, the experts wanted to anticipate technological developments. Illegal interception was therefore not limited to data transmission alone, but was extended to electromagnetic emissions.
16 To understand how the interception of electromagnetic emissions works, we need to remember that computer data correspond in binary language to a succession of "0s" and "1s". This is the form in which computer systems process data. From a microtechnical point of view, this means generating different electrical impulses for a "0" and a "1". This is what transistors are for. Schematically, computer systems are made up of a multitude of transistors. These transistors vary the voltage across the system's electronic components from low to high, depending on whether the bit being processed is a "0" or a "1". These innumerable voltage variations create an electromagnetic field that propagates around the computer system. This enables a person in the vicinity, equipped with a suitable device, to pick up this flux, convert it back into "0s" and "1s" and thus reconstitute the computer data processed by the computer system.
17 For the experts, the legal arsenal seemed incomplete if it were limited to punishing the interception of data transmitted to, from or within a computer system, without simultaneously punishing the capture of electromagnetic waves emitted by a computer system. In the real world, this would have been tantamount to punishing the bugging of a person's apartment, while leaving the eavesdropping of that person's conversations from behind the apartment's front door unpunished.
18 In particular, it should be remembered that when the text of the convention was being drafted, fax machines were in widespread use. This device sent uncoded data, at a frequency and with an electrical intensity that made it fairly easy to pick them up and then reconstitute them in a comprehensible language. Experts certainly identified this as a security flaw that could be exploited by cybercriminals, which led them to include the capture of electromagnetic waves in the list of punishable behaviors.
19 Over the years, faxing has almost completely disappeared. Today, the capture of electromagnetic waves has become very marginal, if not non-existent, due to the technical difficulties involved in capturing these signals. The electrical cables used in today's information technology are much more insulated than in the late 90s, and the electrical impulses are much weaker. At the same time, the amount of data exchanged every second has exploded. As a result, it is now virtually impossible to capture magnetic waves from a single source and reconstruct them into intelligible data.
20 When the text of the convention was drawn up, however, the experts could not anticipate the direction in which the technology would evolve. This is why this behavior - even if it is now anecdotal - is included in the list of offenses punishable under art. 3 CCC.
D. Interception by technical means
21 Art. 3 CCC applies only to data interception by technical means. The physical removal of data, such as the theft of a USB stick sent by post, or the theft of a laptop turned on and unlocked in a public place, are therefore not punishable under this provision.
22 The interception referred to in art. 3 CCC can be either direct or indirect. The perpetrator intercepts data directly when accessing the computer system itself. The simplest form is the installation of a Trojan horse in the computer system, enabling the perpetrator to gain access. The perpetrator can also use a backdoor or exploit a security flaw. All these techniques enable the perpetrator to gain knowledge of the data circulating in the computer system in real time.
23 Interception is said to be indirect when the perpetrator intercepts the flow of data exchanged between two devices. This is the case, for example, of capturing the data flow between a device and a Wifi terminal to which it is connected. Within a local area network (LAN), the perpetrator can also usurp the MAC address of a computer system at the time of broadcasting, in order to have data packets sent to the system whose address has been usurped. Another technique is port mirroring. Initially, the aim of this system is to control the data exchanged within a network. To achieve this, a copy of all data passing through a network switch is sent to a computer control system. By taking control of the network switch, however, the perpetrator can redirect the copied data to his own computer system, enabling him to gain knowledge of all data exchanged on the network.
24 The notion of "technical means" used by the parties is very broad and imprecise. Nor is it accompanied by an exemplary list. This choice is undoubtedly intended to enable the standard to adapt more easily to technological innovations. In any case, the devices concerned are those which enable the content of communications to be listened in on, controlled or monitored. These include technical devices connected to transmission lines, as well as devices for collecting and recording wireless communications. However, the technical means referred to in art. 3 CCC are not limited to hardwares. Software, passwords and other codes are also included.
E. Unlawfulness
25 To be punishable, the author must have acted without right. It is the rightful owner of the data who determines who is authorized to access it. All persons who have not been authorized to consult the data are therefore liable to prosecution. On the other hand, persons who have been authorized to access the data by the rightful owner, or who are authorized to do so by law or contract, are not liable to punishment.
26 National laws contain exceptions to the guarantee of data confidentiality. In particular, they allow intelligence services to access data not intended for them. They also enable prosecuting authorities to monitor data flows in real time as part of a criminal investigation. Such interceptions are not illegal as long as they are carried out in strict compliance with the legal provisions in force. However, surveillance may only be carried out in serious cases, and must be subject to subsequent judicial review.
27 The interception of data is also not considered unlawful where it is contractually authorized. This is particularly the case where the computer system administrator is responsible for maintenance. In this case, he is not punishable if he intercepts the data he needs to carry out his work, as he has been authorized to do so by the rightful owner. Similarly, the person in charge of monitoring a network is not punishable if he or she intercepts data obtained through proper use, such as port mirroring. On the other hand, when such persons take advantage of the technical possibilities available to them to intercept data which is not necessary for the performance of their work, they are acting unlawfully.
28 In the context of employment relationships, the lawful interception of data is conceivable, but under restrictive conditions. Generally speaking, the European Court of Human Rights has held that employees' private communications are protected by art. 8 ECHR. Employer surveillance is therefore only conceivable if the employee has been informed of the surveillance of his communications, the nature and extent of such surveillance, and the degree of intrusion into his private life and correspondence. If the employer complies with these conditions, the interception of employee data is lawful.
29 Originally, art. 3 CCC was not intended to penalize common commercial practices aimed at obtaining information about users. Since the entry into force of the Convention on Cybercrime, commercial practices have evolved considerably, and the information that commercial enterprises seek to obtain in order to target their advertising is increasingly important. As a result, national legislation has significantly strengthened data and consumer protection. As a result, websites are frequently required to obtain the consent of Internet users before collecting data about them, notably through the use of "cookies". Without the consent of the rightful owner, the collection of such data could constitute illegal interception.
F. Intention
30 Unlawful interception is intentional. Intention must relate to all the objective elements of the offence. The perpetrator must therefore be aware that he is obtaining data improperly and have the will to do so. Any fraudulent intent is sufficient. In its simple form, the aim pursued by the perpetrator is irrelevant.
IV. Optional additional constituent elements
31 Art. 3 CCC allows Parties to restrict punishability to particular acts by adding one or two of the constituent elements listed at the end of this provision.
32 Depending on how illegal interception is transcribed into national law, this offence may be closely linked to illegal access (art. 2 CCC). In view of the fact that some States have chosen to limit the repression of illegal access to cases committed with a specific purpose or by means of a computer system connected to another computer system, it was necessary to allow these States to restrict illegal interception to these same cases.
A. The purpose of obtaining computer data or another special purpose
33 The first possibility open to Parties is to require that the perpetrator acted with a special purpose. Several States have availed themselves of this possibility.
34 Canada, Japan and Peru have indicated that they would only prosecute illegal interception if committed with criminal intent. The latter notion is particularly imprecise, and consequently creates considerable legal uncertainty. Moreover, it seems to overlap with the notion of intent. In our view, it should therefore be interpreted restrictively.
35 Chile initially entered a reservation identical to that of Canada, Japan and Peru. However, it amended its legislation in 2022. In its new version, interceptación ilícita no longer requires a special purpose.
36 Switzerland, for its part, has declared that it will only prosecute illegal interception if the perpetrator has acted with the intention of illegitimate enrichment.
37 The Principality of Andorra, Belgium, the United States of America and the Slovak Republic, while declaring that they would only prosecute unlawful access if the perpetrator had acted with a special purpose, have waived this requirement for unlawful interception.
B. A computer system connected to another computer system.
38 The Convention on Cybercrime also allows Parties to restrict the punishability of unlawful interception solely to data transmitted between two connected computer systems. The only States to have made use of this possibility are Japan and Peru.
39 In this case too, it is surprising to note that the Slovak Republic has refrained from making use of this possibility, even though it had expressly stated that it would only prosecute illegal access if committed by means of a computer system connected to another computer system.
V. Comparison with Swiss law
40 In its Message on the approval and implementation of the Council of Europe's Convention on Cybercrime, the Federal Council acknowledged that "Swiss criminal law does not have regulations corresponding to Art. 3 of the Convention, but several criminal norms provide partial protection". In his view, this was a combination of arts. 143, 143bis and 321ter of the Swiss Criminal Code. In reality, this is absolutely not the case.
41 Art. 143bis of the Swiss Criminal Code only punishes intrusion into a computer system, not the interception of data.
42 As for art. 321ter of the Swiss Penal Code, it punishes a crime in its own right, since the offence can only be committed by an employee of a company providing a postal or telecommunications service.
43 As for art. 143 of the Swiss Criminal Code, this is the provision that most closely resembles art. 3 of the CCC. To meet the requirements of the Convention, however, this provision would have to be amended in four respects.
44 Firstly, the legal assets protected by the two standards are different. Art. 3 CCC protects the confidentiality of transmitted data, whereas art. 143 PC protects "the right of the legitimate recipient of the data to dispose of it freely and in accordance with his will". The legal asset protected by art. 143 of the Swiss Criminal Code should therefore be adapted.
45 Secondly, art. 3 CCC penalizes the interception of non-public transmissions, regardless of whether the data transmitted is public or not. However, art. 143 of the Swiss Criminal Code only punishes the theft of data specially protected against access. The theft of public data transmitted in a non-public manner therefore does not fall within the scope of Art. 143 of the Swiss Criminal Code. In practice, however, this is the most common case, as electronically transmitted data are generally not specially protected against access.
46 Secondly, art. 143 of the Swiss Criminal Code only protects a right of disposal over data. Computer data does not always have intrinsic value. To require a purpose of unlawful enrichment therefore amounts to excluding criminal protection in all cases where the perpetrator subtracts data of no value. In view of the legally protected asset, this constitutive element should be removed.
47 Finally, art. 3 CCC is not limited to non-public transmissions, but also includes electromagnetic emissions. However, these are not protected by art. 143 of the Criminal Code. They should therefore be added.
48 For all these reasons, it has to be said that Swiss law does not comply with art. 3 CCC and should therefore be adapted.
The technical IT concepts contained in this contribution were drafted with the help of Mr. Yannick Jacquey, ICT Manager with a federal diploma. Our warmest thanks to him.
Bibliography
Oberholzer Niklaus, in: Niggli Marcel Alexander / Wiprächtiger Hans (éditeurs), Basler Kommentar, Strafrecht II, 4. éd., Bâle 2018
Schmid Niklaus, Computer- sowie Check- und Kreditkartenkriminalität, Zurich 1994
Schwarzenegger Christian, Die internationale Harmonisierung des Computer- und Internetstrafrechts durch die Convention on Cybercrime, in : Strafrecht, Strafprozessrecht und Menschenrechte, Festschrift Trechsel, Zurich 2002
Treccani Jean, Interceptions électroniques, in : Plus de sécurité, moins de liberté, les techniques d'investigation et de preuve en question, Zurich et Coire 2003
Trechsel Stefan / Crameri Dean, in : Trechsel Stefan / Pieth Mark (éditeurs), Schweizerisches Strafgesetzbuch, Praxiskommentar, 4. éd., Zurich 2021
Trechsel Stefan / Lehmkuhl Marianne Johanna , in : Trechsel Stefan / Pieth Mark (éditeurs), Schweizerisches Strafgesetzbuch, Praxiskommentar, 4. éd., Zurich 2021
Weissenberg Philippe, in: Niggli Marcel Alexander / Wiprächtiger Hans (éditeurs), Basler Kommentar, Strafrecht II, 4. éd., Bâle 2018
Materials
Conseil de l’Europe, Explanatory Report to the Convention on Cybercrime, Budapest 23.11.2001, disponible sous https://rm.coe.int/16800cce5b, visité le 21.1.2024 (cité : Rapport explicatif de la Convention sur la cybercriminalité)
Message concernant la modification du code pénal suisse et du code pénal militaire (Infractions contre le patrimoine et faux dans les titres) ainsi que la modification de la loi fédérale sur l'approvisionnement économique du pays (Dispositions pénales) du 24 avril 1991, FF 1991 II 933, disponible sous https://www.fedlex.admin.ch/eli/fga/1991/2_969_933_797/fr, visité le 21.1.2024
Message relatif à l'approbation et à la mise en œuvre de la Convention du Conseil de l'Europe sur la cybercriminalité, FF 2010 4275, disponible sous https://www.fedlex.admin.ch/eli/fga/ 2010/813/fr, visité le 21.1.2024