-
- Art. 5a FC
- Art. 6 FC
- Art. 10 FC
- Art. 16 FC
- Art. 17 FC
- Art. 20 FC
- Art. 22 FC
- Art. 29a FC
- Art. 30 FC
- Art. 32 FC
- Art. 42 FC
- Art. 43 FC
- Art. 43a FC
- Art. 55 FC
- Art. 56 FC
- Art. 60 FC
- Art. 68 FC
- Art. 75b FC
- Art. 77 FC
- Art. 96 para. 2 lit. a FC
- Art. 110 FC
- Art. 117a FC
- Art. 118 FC
- Art. 123b FC
- Art. 136 FC
- Art. 166 FC
-
- Art. 11 CO
- Art. 12 CO
- Art. 50 CO
- Art. 51 CO
- Art. 84 CO
- Art. 143 CO
- Art. 144 CO
- Art. 145 CO
- Art. 146 CO
- Art. 147 CO
- Art. 148 CO
- Art. 149 CO
- Art. 150 CO
- Art. 701 CO
- Art. 715 CO
- Art. 715a CO
- Art. 734f CO
- Art. 785 CO
- Art. 786 CO
- Art. 787 CO
- Art. 788 CO
- Transitional provisions to the revision of the Stock Corporation Act of June 19, 2020
- Art. 808c CO
-
- Art. 2 PRA
- Art. 3 PRA
- Art. 4 PRA
- Art. 6 PRA
- Art. 10 PRA
- Art. 10a PRA
- Art. 11 PRA
- Art. 12 PRA
- Art. 13 PRA
- Art. 14 PRA
- Art. 15 PRA
- Art. 16 PRA
- Art. 17 PRA
- Art. 19 PRA
- Art. 20 PRA
- Art. 21 PRA
- Art. 22 PRA
- Art. 23 PRA
- Art. 24 PRA
- Art. 25 PRA
- Art. 26 PRA
- Art. 27 PRA
- Art. 29 PRA
- Art. 30 PRA
- Art. 31 PRA
- Art. 32 PRA
- Art. 32a PRA
- Art. 33 PRA
- Art. 34 PRA
- Art. 35 PRA
- Art. 36 PRA
- Art. 37 PRA
- Art. 38 PRA
- Art. 39 PRA
- Art. 40 PRA
- Art. 41 PRA
- Art. 42 PRA
- Art. 43 PRA
- Art. 44 PRA
- Art. 45 PRA
- Art. 46 PRA
- Art. 47 PRA
- Art. 48 PRA
- Art. 49 PRA
- Art. 50 PRA
- Art. 51 PRA
- Art. 52 PRA
- Art. 53 PRA
- Art. 54 PRA
- Art. 55 PRA
- Art. 56 PRA
- Art. 57 PRA
- Art. 58 PRA
- Art. 59a PRA
- Art. 59b PRA
- Art. 59c PRA
- Art. 62 PRA
- Art. 63 PRA
- Art. 67 PRA
- Art. 67a PRA
- Art. 67b PRA
- Art. 75 PRA
- Art. 75a PRA
- Art. 76 PRA
- Art. 76a PRA
- Art. 90 PRA
-
- Vorb. zu Art. 1 FADP
- Art. 1 FADP
- Art. 2 FADP
- Art. 3 FADP
- Art. 5 lit. f und g FADP
- Art. 6 Abs. 6 and 7 FADP
- Art. 7 FADP
- Art. 10 FADP
- Art. 11 FADP
- Art. 12 FADP
- Art. 14 FADP
- Art. 15 FADP
- Art. 19 FADP
- Art. 20 FADP
- Art. 22 FADP
- Art. 23 FADP
- Art. 25 FADP
- Art. 26 FADP
- Art. 27 FADP
- Art. 31 para. 2 lit. e FADP
- Art. 33 FADP
- Art. 34 FADP
- Art. 35 FADP
- Art. 38 FADP
- Art. 39 FADP
- Art. 40 FADP
- Art. 41 FADP
- Art. 42 FADP
- Art. 43 FADP
- Art. 44 FADP
- Art. 44a FADP
- Art. 45 FADP
- Art. 46 FADP
- Art. 47 FADP
- Art. 47a FADP
- Art. 48 FADP
- Art. 49 FADP
- Art. 50 FADP
- Art. 51 FADP
- Art. 54 FADP
- Art. 57 FADP
- Art. 58 FADP
- Art. 60 FADP
- Art. 61 FADP
- Art. 62 FADP
- Art. 63 FADP
- Art. 64 FADP
- Art. 65 FADP
- Art. 66 FADP
- Art. 67 FADP
- Art. 69 FADP
- Art. 72 FADP
- Art. 72a FADP
-
- Art. 2 CCC (Convention on Cybercrime)
- Art. 3 CCC (Convention on Cybercrime)
- Art. 4 CCC (Convention on Cybercrime)
- Art. 5 CCC (Convention on Cybercrime)
- Art. 6 CCC (Convention on Cybercrime)
- Art. 7 CCC (Convention on Cybercrime)
- Art. 8 CCC (Convention on Cybercrime)
- Art. 9 CCC (Convention on Cybercrime)
- Art. 11 CCC (Convention on Cybercrime)
- Art. 12 CCC (Convention on Cybercrime)
- Art. 25 CCC (Convention on Cybercrime)
- Art. 29 CCC (Convention on Cybercrime)
- Art. 32 CCC (Convention on Cybercrime)
- Art. 33 CCC (Convention on Cybercrime)
- Art. 34 CCC (Convention on Cybercrime)
FEDERAL CONSTITUTION
CODE OF OBLIGATIONS
FEDERAL LAW ON PRIVATE INTERNATIONAL LAW
LUGANO CONVENTION
CODE OF CRIMINAL PROCEDURE
CIVIL PROCEDURE CODE
FEDERAL ACT ON POLITICAL RIGHTS
CIVIL CODE
FEDERAL ACT ON CARTELS AND OTHER RESTRAINTS OF COMPETITION
FEDERAL ACT ON INTERNATIONAL MUTUAL ASSISTANCE IN CRIMINAL MATTERS
DEBT ENFORCEMENT AND BANKRUPTCY ACT
FEDERAL ACT ON DATA PROTECTION
SWISS CRIMINAL CODE
CYBERCRIME CONVENTION
- I. General information
- II. Legally protected property
- III. Basic constituent elements
- IV. Comparison with Swiss law
- Bibliography
- Materials
I. General information
1 Over the last few decades, society has undergone profound changes. Many services have become digitalized. Smartphones, which didn't even exist twenty years ago, are now ubiquitous in everyone's lives. Aware of this change, companies have adapted their services to these new devices, with the vast majority offering online services. This underlying trend has been further accelerated by the coronavirus pandemic that hit the world's population between 2020 and 2022. The health measures put in place by the authorities significantly restricted contact between individuals. As a result, the trade had to find new ways of doing business in order to survive.
2 Today, more than ever before in human history, all players in society are interconnected. Thanks to their smartphones, individuals can access their e-banking accounts, trade online, store data in the cloud or stream video from anywhere in the world, at any time.
3 This extreme interconnectedness, however, creates an equally extreme interdependence. This reality is perfectly illustrated by the large-scale cyberattack that hit Estonia for several days in 2007. One of the world's most connected countries was completely paralyzed. State administration, the banking system, commerce: nothing functioned, causing considerable damage to society as a whole. Today, even more than in the early 2000s, it is vital that IT systems can function without hindrance.
4 In view of the considerable damage that hindering the proper functioning of IT systems can cause, it was essential to protect the proper functioning of these systems by means of a penal standard.
II. Legally protected property
5 The legal asset protected by art. 5 CCC is the right of the operator and users of a computer or telecommunications system to ensure that it functions correctly.
III. Basic constituent elements
A. A computer system
6 According to art. 1 let. a CCC, "the term 'computer system' means any isolated device or set of interconnected or related devices, which performs or of which one or more elements perform, in execution of a program, automated data processing". The notion of computer system thus includes all hardwares (motherboard, processor, hard disk, screen, keyboard, printer, etc.) and softwares (BIOS, operating system, software, updates, etc.), as well as the devices that connect these different elements to each other (cables, router, wifi terminal, etc.).
7 For further details on this concept, please refer to art. 1 CCC above.
B. Punishable conduct
8 Art. 5 CCC lists seven punishable acts: the introduction, transmission, damage, deletion, deterioration, alteration or suppression of computer data. This list is exhaustive. Behavior which hinders the proper functioning of the computer system, but which is not included in this list, is therefore not punishable. This is the case, for example, of moving data within the computer system, although this is just as harmful as damaging or deteriorating data.
1. Introducing data
9 The notion of "introduction" must be interpreted in the sense that the author introduces data from outside the target computer system. Some authors even go so far as to camouflage this data by giving it the appearance of completely innocuous files, to prevent it from being spotted too easily. From the outside, this data therefore appears to be original system data.
10 However, art. 5 CCC does not extend to all data introduced into the computer system, but only to data intended to hinder its proper functioning. This means malicious data or programs which slow down or even completely block the operation of the computer system. This can be achieved either by activating a feature that slows down or blocks the data processing process, or by deactivating a feature that is necessary for the computer system to function properly. Examples include the installation of a Trojan horse which enables the perpetrator to take control of all or part of the computer system, or the installation of a virus which paralyzes the processor or destroys a boot sector, preventing the computer from restarting.
2. Data transmission
11 The term "data transmission" refers to the sending of data from one computer system to another. The conduct referred to here is the sending of data which interferes with the proper functioning of the computer system. In particular, the parties wanted to criminalize denial-of-service and distributed denial-of-service attacks. A denial-of-service attack consists in sending such a large quantity of data to a target computer system that the latter is unable to process it all, and eventually crashes.
12 Over the years, the performance of computer systems, particularly servers, has increased considerably. Load balancing and high-availability techniques have made denial-of-service attacks virtually impossible. Cybercriminals have therefore evolved the denial-of-service attack into a distributed denial-of-service attack. This attack is similar to the previous one, with the difference that the perpetrator has control over a multitude of computer systems, to which he gives orders to simultaneously send very large quantities of data to the target computer system. Given the sheer volume of data coming in from all directions, the target computer system is unable to process them all, and eventually crashes. This type of attack is currently relatively widespread. It is almost always linked to ransom demands in exchange for stopping the attack, or to some other fraud such as data theft. Even today, there is no solution for effectively defending against distributed denial-of-service attacks. Moreover, the damage caused to victims is particularly significant, since they are either deprived of the use of their computer system, or impoverished by the payment of the ransom.
3. Damage, deterioration and alteration of data
13 Data integrity is essential to the proper functioning of information systems. Its importance is such that it is even the subject of an ISO standard.
14 Data integrity refers to the reliability, accuracy and completeness of data. Data of guaranteed integrity is data that has not been modified since it was first recorded. By way of illustration, the concept of guaranteed data integrity could be compared to sending a parcel by post, where it is certified that it was actually sent by the sender named on the parcel, that it was sent on the date and at the location indicated on the postmark, that the parcel was not opened during transit, and that the contents of the parcel were not altered after it was sent.
15 It goes without saying that data content, i.e. the information contained in the data (e.g. text, code, image, etc.), is just as important as formal data integrity. In addition to guaranteeing the formal integrity of the data, it is therefore essential to also guarantee that the content of the data has not been corrupted. In the example of the package given above, formal data integrity is represented by the packaging, while data content integrity corresponds to the object inside the package.
16 The damage and deterioration of data referred to in art. 5 CCC are behaviours that overlap in the field of information technology. In both cases, the integrity or content of data or programs is adversely affected. Damaged or deteriorated data is no longer reliable, accurate or complete. The perpetrator modifies the data on the target computer system so that it can no longer be used correctly for data processing. For example, simply renaming a folder containing files essential to the proper functioning of the operating system is enough to bring the entire computer system to a standstill. Modifying the programming code of a software program can also block its proper functioning. More recently, cybercriminals have been encrypting data and then selling the encryption key.
17 Alteration refers to the modification of existing data in the computer system, as a consequence of another act performed by the perpetrator. It is a very broad generic term, encompassing all modifications made to data, i.e. the addition, replacement or deletion of data. These modifications may concern both the formal integrity and the content of the data. A case in point is the modification of data following the introduction of a Trojan horse or the installation of a virus.
4. Deleting and erasing data
18 Computer data is stored on storage media (e.g. hard disk, DVD, USB stick, etc.) in the order in which it was created. In order to be able to retrieve specific data when the user needs it again, the computer system establishes a kind of index, so that it knows which data is where on the medium.
19 Deleting data involves destroying all or part of this index, which enables the data to be located. The data still exists, but the computer system can no longer know where it is on the medium, and therefore can no longer access it.
20 Unlike deletion, data erasure is the definitive destruction of data. The data no longer exists on the storage medium.
21 When the author deletes or erases data essential to the proper functioning of the computer system, such as the operating system, the system becomes unusable and ceases to function.
5. Mode of commission
22 The various types of behavior we have just examined can obviously be committed directly by an individual. However, this would take a great deal of time. In practice, therefore, cybercriminals tend to use malware or bots to carry out these acts automatically. The rapid development of artificial intelligence will certainly make this type of action even easier to carry out. WormGPT already gives us a glimpse of the possibilities offered by artificial intelligence, since it enables content generated by artificial intelligence to be implemented in other IT systems, which until now has been confined to an IT sandbox.
23 There is also the question of commission by omission. Most of the time, punishable behavior is committed by cybercriminals who seek to hinder the smooth running of the computer system in order to obtain something in return. However, it is also conceivable that the computer system may eventually cease to function properly because its administrator is not taking care of the necessary updates. In our view, the administrator of the computer system is punishable in such a case, since, by virtue of his function, he has a legal duty to act, and is therefore in a position of guarantor towards the rightful owner and users of the computer system.
24 In our view, the solution is identical in the case of the computer system administrator who fails to install a firewall and/or antivirus to protect the system, thereby leaving countless opportunities for third parties to attack it.
C. Serious interference with the operation of the computer system
25 To be guilty of system interference, it is not enough for the perpetrator to attack the integrity of the data contained in the computer system, as this would constitute data interference within the meaning of art. 4 CCC. The act must seriously hinder the operation of the computer system.
26 Impairment occurs when the computer system no longer functions optimally. The wording of art. 5 CCC is sufficiently neutral to protect multiple functions. It is therefore irrelevant which functions are impaired. It is also irrelevant whether the entire computer system is impaired or whether only certain functions are impaired.
27 The computer system is impaired when it is put out of action. It is also impaired when an application can no longer be used. This may occur because the program's computer code has been damaged or destroyed, or because data saved by the user has been erased, deleted or encrypted. The computer system may also be impaired as a result of reduced performance. This is the case, for example, when a cybercriminal takes remote control of a computer system and uses it as a zombie machine without the knowledge of its owner. In doing so, he or she uses part of the computer system's performance without the consent of the rightful owner, usually for malicious purposes. Finally, the smooth running of a computer system can be hampered by excessive demands. This is the case with denial-of-service or distributed denial-of-service attacks. The computer system itself functions normally, but is besieged by so many simultaneous requests that it cannot process them quickly enough, and eventually crashes.
28 Given the wording of the standard, obstruction must be the result of punishable conduct. Since the list in art. 5 CCC is exhaustive, hindrance must necessarily result from one of the enumerated behaviours in order to be punishable. Obstruction resulting from other conduct, such as moving data within the computer system, is not punishable.
29 As for the qualifier "serious", this has deliberately not been defined, to allow each State to define it freely. For some, serious hindrance may refer to the minimum damage caused by the hindrance. For others, it will be a question of the extent of the hindrance, such as the blocking of all external connections to a computer system. The authors of the draft "have deemed 'serious' the sending to a computer system of data whose form, volume or frequency significantly prejudices the owner's or operator's ability to use the system in question or to communicate with other systems (this is the case of programs that undermine systems in the form of a 'denial of service', malicious code, such as viruses, which prohibit or significantly slow down the operation of the system, or programs which send a huge volume of e-mail to a recipient in order to paralyze the system's communication functions)".
D. Unlawfulness
30 To be punishable, the author must have acted without right. It is the rightful owner of the computer system who determines who has the right to administer and use the system. This means that anyone who has not been authorized to modify the operation of the computer system is liable to prosecution. On the other hand, persons who have been authorized, expressly or by contract, by the rightful owner to modify the operation of the computer system, or who are authorized to do so by law or by contract, are not liable to punishment.
31 Until the early 2000s, it was rare for an operating system or application to require updating. Over the past two decades, however, updates have become increasingly common. Today, they are even the rule. During an update, a new version of the program is installed in place of the old one. Existing data is erased, and new data is written to the storage medium. For the most part, updates contain application patches, bug fixes or new features. A priori, therefore, there is no impediment to the smooth running of the computer system. However, some updates may require more storage space on the hard disk, or take up more RAM or processor capacity. As a result, the computer system slows down. As a result, system performance is hampered. In most cases, this is not a problem, as the slowdown of the computer system is very slight or even insignificant. In exceptional cases, however, updates may cause the computer system to slow down, notably because the previous version of the application was already stretching available resources to the limit, and the update requires more resources than are available. In all cases, the user must be able to choose whether or not to install the update. In our view, the publisher of the application is punishable if he forces the user to install a new version of the application, failing which the computer system is impeded in its proper functioning, or the application is rendered unusable.
32 The behaviors listed in art. 5 CCC are also not unlawful when they have been contractually authorized. One example is the computer system administrator, whose task is to maintain the system. He is not punishable if he updates the programs installed in the computer system. On the other hand, he is liable to punishment if he takes advantage of his status to undermine the proper functioning of the computer system, for example by uninstalling programs or deleting data.
E. Intention
33 Undermining the integrity of a system must be intentional. Intention must cover all the objective elements of the offence. The perpetrator must therefore be aware of and intend to disrupt the proper functioning of a computer system without being authorized to do so.
IV. Comparison with Swiss law
34 There is no equivalent to art. 5 CCC in Swiss law. Admittedly, the different forms of conduct could give the impression of a similarity with the deterioration of data (art. 144bis ch. 1 CP). However, this is not the case, for three reasons.
35 Firstly, the assets legally protected by art. 5 CCC and art. 144bis ch. 1 CP are completely different. As explained above, art. 5 CCC protects the interest of the operator and users of a computer or telecommunications system in its proper functioning, whereas art. 144bis ch. 1 PC ensures a right of disposal over data. In other words, the former guarantees the proper functioning of a means of data processing, while the latter protects a specific right in rem.
36 Given that the legally protected goods are not the same, the persons harmed by these two offences are not identical either. The person harmed by the deterioration of data (art. 144bis ch. 1 CP) is the owner of the deteriorated data. On the other hand, undermining the integrity of the system (art. 5 CCC) affects the rightful owner of the computer system.
37 Secondly, although these two offences share many points in common, they cannot be equated. Indeed, system interference (art. 5 CCC) must in some way be seen as a special form of data deterioration (art. 144bis ch. 1 PC), as it requires that the data interference causes a serious hindrance to the functioning of the computer system. This is an additional constituent element not required under Swiss law.
38 Finally, certain forms of conduct fall within the scope of art. 5 CCC, even though they are not punishable under art. 144bis ch. 1 CP. This is the case, for example, of sending "data to a computer system, the form, volume or frequency of which is significantly prejudicial to the owner's or operator's ability to use the system in question or to communicate with other systems". Nor are these acts adequately punished by art. 179septies of the Swiss Penal Code (misuse of telecommunications equipment), for three reasons. Firstly, because art. 179septies CP requires a special purpose - namely malice or mischief - in addition to intent, which is not the case with art. 5 CCC. Secondly, because misuse of a telecommunications facility is merely a contravention, punishable only by a fine. However, art. 13 § 1 CCC expressly stipulates that the offences punishable under arts. 2 to 11 CCC must be punishable by penalties including deprivation of liberty. Thirdly, because aiding and abetting and attempting to undermine the integrity of the system are punishable under art. 11 CCC, whereas aiding and abetting and attempting to misuse a telecommunications facility is not punishable, as it is a contravention (cf. art. 105 para. 2 PC).
39 In view of the foregoing, it must be concluded that Swiss law does not comply with art. 5 CCC. It should therefore be adapted.
The technical IT concepts contained in this contribution were drafted with the help of Mr. Yannick Jacquey, ICT Manager with a federal diploma. Our warmest thanks to him.
Bibliography
Ottis Rain, Analysis of the 2007 Cyber Attacks against Estonia from the information warfare perspective, in : Proceedings of the 7th European Conference on information warfare and security, Plymouth, 2008, pp 163-168, disponible à https://ccdcoe.org/library/publications/analysis-of-the-2007-cyber-attacks-against-estonia-from-the-information-warfare-perspective/ visité le 02.11.2023
Schmid Niklaus, Computer- sowie Check- und Kreditkartenkriminalität, Zurich 1994
Trechsel Stefan/Crameri Dean, in : Trechsel Stefan/Pieth Mark (éditeurs), Schweizerisches Strafgesetzbuch, Praxiskommentar, 4. éd., Zurich 2021
Weissenberg Philippe, in : Niggli Marcel Alexander/Wiprächtiger Hans (éditeurs), Basler Kommentar, Strafrecht II, 4. éd.-, Bâle 2018
Materials
Conseil de l’Europe, Explanatory Report to the Convention on Cybercrime, Budapest 23.11.2001, disponible à https://rm.coe.int/16800cce5b, visité le 21.01.2024 (cité : Rapport explicatif de la Convention sur la cybercriminalité)