Development of IT&T Legislation in Latvia in the Area of Criminal Justice and Criminal Procedure
Uldis Ķinis, chairman, Kuldīga District Court, Latvia, Baltic IT Review No. 1 (12), 1999
April 1, 1999, will be a significant moment in Latvia, because the country’s new criminal law will take effect. Prior to this, Latvia has used a criminal code that was implemented in 1961, making necessary amendments along the way. Among other things, the new criminal law sets out criminal liability for violations in the field of computers (i.e., what has come to be known as cybercrime). The mission for the state here is to protect the lawful interests of its residents, should they become victimized by the development of information technologies and telecommunications. The criminal law itself, however, is just one normative act in this area, and in order to apply the law, the state will have to do a great deal of work. ISD regulations, for example, must be elaborated. The criminal process law must be adopted. And there must be laws and regulations to oversee the use of IT&T. In this article, I should like to point the attention of readers to those processes that are currently ongoing in Latvia so that we might harmonize our laws in the field of IT&T. The work has only just begun, and there are a great many problems to resolve.
After the restoration of its independence, Latvia had a great deal to do in order to bring its laws into order. The Latvian civil law was the first to be reinstated, and this provided a foundation for further legislative work in such areas as protection of intellectual property, regulation of real estate issues, and other issues that are of key importance in the development of society. Over the course of eight years of independence, necessary amendments were made to the Latvian criminal code and the criminal process code, but it was very clear that neither document conformed to modern-day requirements.
For that reason, of course, it is extremely good that the new criminal law in Latvia has finally been adopted. The law will go into force on April 1, 1999. Once the law takes effect, we will have an instrument that we can use to turn against those criminals who carry out their malicious deeds with the help of information technologies or who aim their activities against IT&T development products.
This is not going to be a uniformly smooth process, and it is probably true that even after April 1 we will not be able to bring to justice each and every person who uses IT&T for criminal purposes. My intention here is not to list the various articles in the criminal law, but rather to focus on those problems which law enforcement people will have to consider when applying this law.
First of all, I would like to state categorically that criminal liability should be the final resource that is applied when a crime is committed.
Article 6 of the criminal law states: "A criminal offense is an intentional (purposeful) or unintentional act (action or failure to act) which is addressed in this law and for which criminal punishment can be applied." The law states, in other words, that a person can be charged with a crime only if criminal liability is set out in the law for the respective deed. This means that the criminal law must precisely define the object of a crime, the objective side, the subject and the subjective side. This is a matter of elementary legal knowledge, because any law, including a criminal law, serves as a handbook for every lawyer and every judge.
Legislation in the area of cybercrimes seeks to react to two problems that are created by such crimes:
· Ordinary crimes that are carried out through the use of new technologies (e.g., computers, software, etc.);
· New kinds of crimes that can be committed only thanks to the development of IT&T.
There are three terms in use today that conditionally divide computer crimes into groups:
1) Computer crimes;
2) Computer-related crimes;
3) Cybercrimes.
The latter term is the most appropriate for today’s needs. Here we are dealing with crimes that are committed in an on-line regime. Cybercrime experts, in turn, divide these crimes up into the following categories:
· Offenses against the confidentiality, integrity and availability of computer data and systems;
· Computer-related offenses;
· Content-related offenses;
· Intellectual property offenses.
In the United States, which pioneered the elaboration of the theory of computer crimes, it is believed that in terms of the object of offense (which should not be confused with the object of the crime that has been committed), there are three different kinds of computer crimes:
1) The computer is the object of the crime, in which case the computer is the goal or object of the crime itself;
2) The computer is the subject of the crime, which means that the computer is used to commit the crime; in such instances the computer is a resource or cause of losses that are caused, and an example of this is the use of harmful software in pursuit of a criminal aim;
3) The computer is an instrument which is used for traditional crimes such as theft, forgery, fraud, etc. [1]
In this latter category, it can be said that the computer is a tool that is used in the crime. The difference is that in the third version, we are speaking of ordinary crimes that are usually not classified as cybercrime.
Chapter XX of the Latvian criminal law covers crimes that are aimed against "general safety and public order". In addition to such offenses as the befouling of graves, hooliganism and causing mass disorder, the chapter also provides criminal liability for computer crimes (cybercrimes).
It remains to be seen how successful this particular arrangement of the criminal law really is, but the very fact that the authors of the law feel that the object of cybercrimes is "general safety and public order" suggests that Latvia’s legislators are cognizant of the significant public danger that such crimes create.
Articles 240-245 of the criminal law specify criminal liability for "unauthorized access to a computer system", "unlawful obtaining of computer software", "damaging of computer equipment software", "spreading a computer virus" and "violating the security regulations of an information system".
In addition to these offenses, we can also say that computer crimes are addressed in Article 146 ("Violation of the confidentiality of information that is transmitted via telecommunications networks or other information"), Article 193 ("Unlawful actions with monetary documents"), Article 195 ("Legalization of unlawfully obtained resources"), and others. This is not a complete list, because there are approximately 25 criminal offenses that can be committed by using IT&T (i.e., using these technologies as a tool for the crime). We can include in this list such offenses as spying, sabotage, murder, bodily damage, and others. In the implementation of the criminal law, investigations and the practice of the courts will be very significant.
The problem of property rights to information
Article 245 of the Latvian criminal law sets out criminal liability for violating the security regulations of an information system: "For violation of the regulations that are elaborated for the purpose of storing and processing information in connection with an information regime or its protection, or for violation of other security regulations associated with an information computer system when done by an individual who is responsible for observing these regulations if the purpose of said activity has been to steal, destroy or damage information or if any other significant harm has been caused by the activity." Here, in other words, the legislative body has provided an opportunity to bring people to criminal justice for "the theft of information". Criminal theory and commentaries stress that theft is the removal of items from the possession of another. We have neither a practical nor a theoretical basis in our time for declaring that "information" is property in the sense that is described in the Latvian civil law. This is not a simple problem, in my view. In order to define information property, we must first define information as an "item" in the understanding of the civil law. Latvia’s civil law divides things up into movable, immovable, divisible and indivisible items, but there is no classification of tangible and intangible items. It is possible, for example, to steal electricity by using electrical currents in an unauthorized way (Article 182 of the criminal law). In this case I cannot understand the argumentation of the authors of the criminal law, because this direct definition of an object of theft can create considerable problems.
Security regulations for information systems
This problem appears when regulations governing the security of information systems are elaborated – when the range of subjects and objects of the regulations is defined. How can these concepts be defined if we do not use the concept "owner of information"?
Specialists have recommended that in the regulations we use the concept "information holder". But in Article 867 of the civil law, it says that the holder of an item is using it not in his own name, but in the name of its owner. "Holder" is a relatively neutral term, and its main point is that the relationships of a legal person with its employees are regulated on the basis of agreements in which the level of authorization of each employee is set out, along with the employee’s rights and obligations vis-ą-vis information systems and the information that is stored therein.
If there is information that can be classified as "intellectual property" (commercial secrets, undisclosed information, patents, etc.), however, then we must conclude that such information can have an owner. Latvia has joined the World Trade Organization, and this means that all of the WTO’s treaties are mandatory for Latvia now. One of these treaties, "On the protection of intellectual property", provides for the protection of undisclosed information. The deputy director of the Latvian Patents Board, Mr. Poļakovs, participated in the preparation of this treaty, and he told me that "it is common in the world to consider objects of intellectual property as ‘movable objects’." This concept is included in Latvia’s patents law, as well as in other normative acts.
Cybercrimes that are listed in the Latvian criminal law are aimed against the security of information systems and their content elements – confidentiality, integrity and accessibility. This means that it is important to elaborate a base of normative acts that, after April 1, 1999, will allow law enforcement specialists to apply these criminal norms when needed. This work has been entrusted to a task force which I chair. Once those regulations are in place, however, life will not come to a halt, because the truth is that we are only on the way toward the Information Society. It is precisely for this reason that IT&T laws must find their place in the country’s legal system.
The admissibility in court of evidence obtained through electronic means
One of the most important aspects of a court proceeding is to evaluate the evidence that is submitted by the various parties to the case. Any fact can serve as evidence in a court proceeding, and in the process of developing IT&T technologies, the courts have not been forgotten.
Institutions, companies and organizations often use various data bases to make their work easier. This helps them to automate various calculations on a day-to-day basis. In criminal cases concerning illegal logging, for example, evidence that is submitted to the court includes printouts from the computer programs of the State Forestry Service, which evaluates the extent to which trees have been cut down. In these kinds of criminal cases, the printout describes the evaluation of the specific area of forestland. The program is used to calculate the losses that have been caused to nature, as well as other criteria. In reviewing these calculations, however, we have found that serious errors are often permitted in the evaluations. The authors themselves have unwillingly admitted that the errors that occur in their programs can range by as much as 10%. Imagine an instance where losses have been calculated at 10,000 lats, but the possible error is as much as 1,000 lats. In looking into this issue I found that there are no certified programs in this area in Latvia. The program processes only those data that are entered by an individual. So who is responsible for the error? Nobody, at least not today. We do not have the necessary conditions in place to recognize printouts from these programs as documents. In practice, however, this is being done. There are increasing numbers of software programs that create specific legal consequences. Every local government, for example, uses uncertified computer software of this kind to calculate rent and utility payments.
What should courts do in handling such evidence? Should courts have the right to make rulings on the basis of such evidence? These are issues which must be addressed in the very near future when legislators adopt the new Latvian criminal process law.
Conclusions
1. The Latvian criminal law currently sets out liability for cybercrimes, which are also seen as crimes in international legal norms.
2. Work must continue in preparing theoretical supplements to the criminal law on such criminal offenses as spamming, spoofing, sabotage, etc.
3. In the criminal process law, there must be regulations concerning the obtaining, storage and utilization of electronically obtained evidence.
4. Particular attention must be devoted to harmonizing these laws with the European Convention for the Protection of Human Rights and Fundamental Freedoms. The Latvian parliament has ratified the convention, and in the hierarchy of legal norms it ranks second behind the country’s constitution.
5. The state must elaborate obligations and responsibilities of ISPs.
6. A law "On digital signatures" must be elaborated.
7. The necessary amendments must be made to the Latvian administrative violations code to set out administrative liability for violations in the IT&T field.
[1] American Criminal Law Review, Computer related crimes 1995, pp. 185-186.