Abstract
The aim of the paper is to analyze the provisions criminalizing the phenomenon of “computer crimes” (“cybercrimes”) in the strict sense, i.e. acts in which a computer or network is the target of a crime (“a victim”). The paper consists of two parts. The main part analyzes Articles 267-269c of the Penal Code of 1997 (Chapter XXXIII, entitled “Offenses against the protection of information”), in which the Polish legislator defined these offenses. The second part addresses the “cyberterrorist offense”, which is an “ordinary” computer crime carried out with a “terrorist purpose”.
Keywords
- Polish Penal Code
- Cybercrimes
- Cyberterrorism
- Hacking
- Hindering the operation of an information system
- Computer eavesdropping
- Terrorist offence
- Offence of a terrorist nature
1 Computer Crimes in the Penal Code of 1997
The Polish regulation of prohibited acts set out in Directive 2013/40 is included in Chapter XXXIII of the Penal Code titled “Crimes Against the Protection of Information”, in the provisions of Articles 267-269c. It owes its present form to three amendments: the first one, introduced by way of the Act of the 18th of March 2004 Amending the following Acts: the Penal Code, the Criminal Procedure Code, and the Code of Minor Offences,Footnote 1 intended to adapt Polish regulations to the provisions of the aforesaid Convention on Cybercrime;Footnote 2 the second one, introduced by way of the Act of the 24th of October 2008 Amending the Penal Code and Certain Other Acts,Footnote 3 intended to implement Framework Decision 2005/222/JHA on attacks against information systems;Footnote 4 and the third one, introduced by way of the Act of the 23rd of March 2017 Amending the Penal Code and Certain Other Acts,Footnote 5 the main purpose of which was to implement Directive 2014/42/EU of the 3rd of April 2014 on the freezing and confiscation of instruments and proceeds of crime in the European UnionFootnote 6 and, “partially” (as formulated in the Act), Directive 2013/40 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA.Footnote 7
Article 267(1) of the PC provides for penal responsibility of the offender for gaining unauthorised access to informationFootnote 8 not intended for him/her. It penalises three acts, which constitute attacks on the security of information systems and the data processed in those systems.
First, connecting to a telecommunications networkFootnote 9 or, in other words, the offender’s obtaining physical access to that network, e.g. by connecting to the server via the network and obtaining access to the data stored in that server (actions including the interception of data during transmission are penalised by Article 267(3) of the PC).
Second, obtaining access to information by breaking electronic, magnetic, computer or any other special protection. It follows that only the information, which is stored in computer systems, and which has been protected against unauthorised access by its holder, is protected. Electronic, magnetic or computer protection is to be understood as “any forms of hindering access to information, the breaking of which requires expert knowledge or a special device or code”,Footnote 10 whereas “other special protection” is a complementary category, which includes means that cannot be classified with any of the kinds provided for in the applicable regulation, and the removal of which causes difficulties for the offender no lesser than the breaking of electronic, magnetic or computer protection.Footnote 11 Computer data can be protected either directly, e.g. by encoding or securing access with a password, or indirectly, as part of the overall protection of a computer system itself, by means of firewalls, break detection systems or authentication procedures. “Security breach” is the direct interference of the offender with the protection mechanism, which leads to the loss of its protective function and does not have to involve its removal.Footnote 12 In the doctrine, it is indicated that it must be actual and active at the time of committing the act. Otherwise, the statutory criteria of a crime are not met.Footnote 13
Third, omitting the above-mentioned protection and gaining access to information due to that omission. One should bear in mind that the breaching of protection is merely one of the many techniques (and not the most popular one) used by hackers to penetrate computer systems. The other techniques involve omitting protection, and they consist of misleading people (so-called social engineering, for instance wheedling passwords out of people), misleading a system (e.g. so-called IP spoofing, i.e. the creation of false addresses, directed at manipulating the source from which the data comes), or taking advantage of gaps (errors) in, or vulnerabilities of, operating systems, applications or protocols (sets of rules, which specify the communication processes responsible for identifying computers in a network, among other things), using programmes called exploits.Footnote 14
In Article 267(2) of the PC, the legislator penalises unauthorised access to the whole or part of an information system.Footnote 15 The authors of the 2008 amendment, which introduced the provision, pointed out rightly, in the justification, that the purpose of obtaining unauthorised access to a system may be not only obtaining access to information contained in such computer data, but may also serve, to some extent, as a first step to other activities such as, using the example taken from the justification, installing on a computer a programme enabling one to take control over the computer, in order to create a botnetFootnote 16 by means of which the offender intends to launch a dDoS attack.Footnote 17 That provision is applied when the offender’s purpose, as he has gained unauthorised access, is to commit a “common” crime (the offender’s conduct may involve, for instance, accessing another user’s account on an Internet auction site in order to commit fraud) or when he/she was guided by some other motives such as verifying his/her own skills or earning respect in the “hacker circles”. Therefore, the objective, which the offender was to achieve or the motive by which he/she was guided are irrelevant to the essence of the crime defined in Article 267(2) of the PC.Footnote 18
Access to the whole or part of an information system should be understood as having an opportunity to use its resources, which basically means the data processed by it. This, however, is not tantamount to access to information since the data may be, for instance, either encoded or entirely incomprehensible to the offender.
Within the meaning of this provision, unauthorised access should be understood as access without an authorisation or access, which exceeds the limits of such an authorisation.
The solution adopted by the legislator in Article 267(2) of the PC received justified criticism for three basic reasons. First of all, it was a word-for-word copy of Article 2 of Framework Decision 2005/222 (“Each Member State shall take the necessary measures to ensure that the intentional access without right to the whole or any part of an information system is punishable as a criminal offence, at least for cases which are not minor”). It should be stressed that framework decisions were aimed to harmonise legal provisions of Member States. They set out objectives to be achieved, whereas Member States were free to choose the forms and methods to achieve them. Therefore, the provisions formulated in the objectives are very general. The framework decisions, which harmonise substantive criminal law, are not suitable for literal transposition. Second, Article 267(2) of the PC is extremely laden with content. The statutory criteria of the act defined in the article are met by the offender who “obtains unlawful access” to data because that is what obtaining access to a system in principle means, and in order to be held criminally responsible, he/she does not have to breach protection. The sole condition is access that is unauthorised. It should be assumed that the provision set out in Article 267(2) of the PC is applicable to cases in which the main element of the offender’s act was gaining access to an information system, and not obtaining access to information. This is the case, for instance, when one breaks into a computer in order to insert a bot. Because of the broad subjective scope of Article 267(2) of the PC, some of the acts penalised by Article 267(3) of the PC, defined as computer eavesdropping, may potentially also be qualified under Article 267(2) of the PC.
Obtaining unauthorised access to a network is tantamount to gaining access to the data that is transferred over that network; the offender, therefore, meets the statutory criteria of a prohibited act under Article 267(3) of the PC.
Third, the only condition to be met in order to press charges against the offender for breaching Article 267(2) of the PC is the offender’s gaining access without an authorisation. The issue of access rights to the resources of an information system is, in most cases, regulated by “soft law”, the internal rules and regulations of a network. The granting of access rights for users and the scope of such rights are within the discretion of the system administrator. Such reference to non-legal norms is dangerous and difficult to reconcile with the principle of the specificity of a crime.Footnote 19
The last amendment added Article 269c, pursuant to which a person is not subject to punishment for the crime set out in Article 267(2) or Article 269a if he/she acts exclusively for the purpose of protecting an information system, an ICT system or an ICT network, or of developing a method for such protection, has immediately informed the holder of that system or network of the revealed threats, and his/her actions did not violate public or private interests or do any damage.
The tool for combating the so-called computer eavesdroppingFootnote 20 is the already mentioned Article 267(3) of the PC, which penalises the installation or use of, in order to obtain information,Footnote 21 a listening, visual or other device or software.
It should be stressed that it penalises only the interception of computer data during its transmission. If the offender obtains data stored, for instance, on a server or private computer, this act should be qualified under Article 267(1) or Article 267(2) of the PC. The unlawfulness of the offender’s conduct is obviously derogated if the conduct that meets the statutory criteria of a crime is connected with lawful operations of law enforcement authorities (i.e. it follows from the relevant legal provisionsFootnote 22).Footnote 23
Article 268(2) of the PC penalises any unauthorised interference with computer data that consists in destroying, damaging, deleting or altering significant information on a computer data carrier,Footnote 24 and in limiting its accessibility for an authorised personFootnote 25 by foiling or hindering, in any other manner, the familiarisation with such information recorded on such a computer data carrier.
The information that is the object of the offender’s act must be “significant”, especially in the objective sense (because of its content, weight and significanceFootnote 26), taking into consideration the interests of an authorised person to familiarise him or herself with that informationFootnote 27 for the purpose that was intended or supposed to have been intended.Footnote 28
As the protection concerns “information recorded on an electronic data carrier”, Article 268(2) of the PC is not applicable to any cases where the familiarisation with such information is hindered by disturbances in the network functioning (in this case, the offender’s conduct should be qualified under Article 268a (1) or (2), or Article 269a of the PC).
In this case, the aggravated crime corresponds to the act described in Article 268(2) of the PC, with substantial property damage caused by the offender being considered an element of that offence.
The first part of Article 268a (1) of the PC penalises acts such as destruction, modification of data, and hindering access to it. The second part, in turn, penalises acts such as disturbing (in other words, hindering the operation of an information system) or preventing the processing, storing or transferring of computer data. The statement refers to any acts which impinge on these processes, and which lead to any irregularities in, or slowdown of, these processes, as well as the distortion or modification of the computer data that is processed, transferred or stored.Footnote 29
In this case, the aggravated crime corresponds to the act described in Article 268a (2) of the PC, with the substantial property damage caused by the offender being considered an element of that offence.
The essence of the so-called computer sabotage defined in Article 269 (1) of the PC is the impairment, damaging or alteration of computer data of special significance to the State’s defence, communications security, the operation of the public administration, other public authorities or institutions, or a local government body, or disrupting or hindering the automatic processing, storage or transfer of such data. Pursuant to Article 269 (2) of the PC, computer sabotage may also include damaging or replacing a data carrier, or damaging or impairing a device designed to automatically process, store or transfer protected computer data. It is punishable by imprisonment from six months to eight years, which is a heavy sentence.Footnote 30
In view of the much greater significance of the information protected under Article 269 (1) of the PC, in comparison with the information subject to protection under Article 268 (2) of the PC, and the identicality of the remaining statutory criteria of prohibited acts penalised under those provisions, the crime described in 269 (1) of the PC is considered an aggravated crime in relation to the crime defined in Article 268 (2) of the PC.Footnote 31 For these reasons, such a statement appears justified also in the case of the relationship between the crimes defined in Article 268a of the PC, or 269a and 269 (1) of the PC.
Article 269a of the PC provides for penal responsibility of the person who, without an authorisation, to a large extent disrupts the operation of an information system, an ICT systemFootnote 32 or an ICT network,Footnote 33 through actions of a logical character such as the transmission, destruction, impairment or alteration of computer data. The protection applies to the secure operation of a computer system and, in consequence, to accessibility of the computer data processed in that system.
An attack on the operation of an information system, an ICT system and an ICT network is a logical, rather than a physical attack. Disruption is to be caused by the transmission, destruction, impairment or alteration of computer data. These will include, for instance, DoS attacks.
As pointed out by Andrzej AdamskiFootnote 34 and Włodzimierz Wróbel and Dominik Zając,Footnote 35 the provisions set out in Articles 268a and 269a of the PC overlap. The definitions “to a large extent disrupts or hinders the automatic processing, storing or transferring of data” and “to a large extent disrupts the operation of an information system, an ICT system and an ICT network” are essentially identical. The operation of the said systems and the ICT network consists in the processing, storing and transferring of data. As further proposed by Andrzej Adamski, Article 268a of the PC could be treated as a tool to prosecute the offenders, whose conduct does not meet the criteria of the perpetrator defined in Article 269a of the PC,Footnote 36 while Włodzimierz Wróbel and Dominik Zając claimed that the said article should be applied when the operation of an information system or an ICT network has been disturbed.Footnote 37 The offence under Article 269(1) of the PC should be considered as aggravated type to the offence described in Article 269a of the PC.Footnote 38
As in the case of the act described in Article 267 (2) of the PC, the provision of Article 269c of the PC may apply here.
Article 269b of the PC penalises prohibited acts committed with the use of “hacking tools”. Article 269b (1) of the PC, which is the equivalent of Article 7 of Directive 2013/40, penalises the creation, acquisition, sales or making available: 1) hardware or software adapted to committing the crime defined in Article 165 (1) (4) of the PC (causing danger to the life or health of many people, or resulting in large-scale damage to property), and in Article 267 (3), Article 268a (1) or 268a (2), in connection with 268a (1), art. 269 (1) or 269 (2), or Article 269a of the PC; 2) computer passwords, access codes or other data which enable unauthorised access to the information stored in an information system, an ICT system or an ICT network.
The solutions adopted in Article 269b (1) of the PC, from the moment of its inclusion in the Penal Code by way of the 2004 amendment, were widely criticised. For the most part, the critics pointed out that there was no provision excluding the penal responsibility of administrators and persons in charge of the security of information systems, who use such software in the process of developing and testing protection for systems, or authors of antivirus software.Footnote 39 In order to eliminate the shortcomings, section 1a was added to Article 269b, reading as follows: “Anyone who acts solely with the purpose of securing an information system, an ICT system or an ICT network against the crimes listed herein, or with the purpose of developing such a security method, shall not be considered as committing the crime referred to in section 1”. The primary aim of the amendment was, however, to increase the upper limit of the statutory penalty for the crime to five years of imprisonment, which was justified solely by indicating the necessity to make it possible for one to subject the offender to the so-called extended forfeit, as provided for in Article 45 (2) of the PC.Footnote 40 This also met with fair criticism.Footnote 41 No matter what the intentions of the authors of the amendment were, one should take note of the fact that, essentially from the moment of the inclusion of Article 269b (1) in the Penal Code (by way of the 2004 amendment), the emphasis was on the sanctions (the power to impose a penalty of up to three years of imprisonment).
The provision actually penalises the acts or actions performed by a criminal offender in order to prepare to commit the crimes set out in the provision, some of which are punishable by the same or lesser sanctions.Footnote 42 As for other “shortcomings” of the provision, one should give attention, in the first place, to the fact that Article 269b of the PC does not include hacking, whether in the form of unauthorised access to information under Article 267 (1) of the PC or unauthorised access to an information system under Article 267 (2) of the PC, in the list of crimes (for the commission of which the creation, acquisition, sales and sharing of hardware and software are penalised).Footnote 43
As far as other shortcomings of Article 269b (1) of the PC are concerned, the provision mainly refers to software “adapted” to commit the crimes specified therein. A problem, therefore, arises in connection with qualifying the actions of creators of software serving several functions (the so-called dual-nature software),Footnote 44 which is then used by third parties for criminal purposes, contrary to the creator’s intent.Footnote 45 With the aim of complying with the ratio legis of that provision and avoiding excessive criminalisation, Włodzimierz Wróbel proposed that it be interpreted in line with the definition of punishable preparatory activities under Article 16 (1) of the PC, which requires that the offender creating or acquiring the tools listed therein acts with direct intent (or, as regards selling and providing access, with indirect intent).Footnote 46 As it seems, however, most representatives of the doctrine (except for Włodzimierz Wróbel and Dominik Zając, Joanna Piórkowska-Flieger, Barbara Kunicka-MichalskaFootnote 47 and Andrzej MarekFootnote 48) are of the opinion that, in order for guilt to be attributed to the offender, it suffices that he/she has acted with indirect intent.Footnote 49
The Polish legislation on computer crimes undoubtedly needs change. First of all, the conceptual framework should be standardised. At present, in the light of the ratification of the Convention on Cybercrime, it is not necessary to define the concept of information (computer) data as the definition offered by it has the character of a self-executing norm and may be applied directly. In view of the broadly discussed doubts about the scope of the concepts of an “information system”, those should be defined. The same applies to the term “ICT network”.
I believe that limiting the scope of criminalisation under Article 267(1) of the PC to the cases of violation of the secrecy of correspondence should be considered, along with assigning the principal role in combating hacking (i.e. obtaining unauthorised access to an information system) to Article 267(2) of the PC, by adding the requirement that the offender mitigates or omits the magnetic, electronic, computer or other security feature (which would also conform to the content of Article 3 of Directive 2013/40 recommending such a solutionFootnote 50).
It is also necessary to modify the Polish regulation of computer eavesdropping. Article 267(3) of the PC requires the direct intent of the offender, while no such premise is contained in Article 6 of Directive 2013/40. One should possibly consider leaving that provision as it is (or mostly as it is), and at the same time adding a provision (in conformity with Article 6 of Directive 2013/40) determining the act in relation to which the offence defined in the current Article 267 (3) of the PC would constitute the aggravated offence.Footnote 51
Amendments to Article 269b (1) of the PC are also warranted. It appears necessary to limit the penal responsibility to direct intent, and to specify that it concerns the hardware and software “most of all” or “primarily” (as was used in the English-language version of Directive 2013/40) serving the purpose of committing crimes. Moreover, the list of crimes for which they could be utilised should be extended at least by the remaining acts under discussion. It would also be advisable to ease the sanctions.
2 Cyberterrorism: “Cybercrimes of a Terrorist Nature”
Framework Decision 2002/475Footnote 52 was transposed into Polish legislation by way of the Act of the 16th of April 2004 Amending the Penal Code and Certain Other Acts.Footnote 53 As mentioned earlier, its provisions are similar to those set out in the Directive 2017/541/EU,Footnote 54 and the definition of a “terrorist” offence (in PC—offence of a terrorist nature) has a similar shape.Footnote 55 The Polish legislator, however, did not decide on its literal transposition, instead creating a more synthetic one (Article 115 (20) of the PC), whereby emphasis was placed on the criterion of the offender’s purpose. Similar to Article 1 (1) of Framework Decision 2002/475 and Article 3 (2) of Directive 2017/541, the following were listed alternatively as the offender’s purposes:
- (1) severely intimidating many people,
- (2) forcing a state authority of the Republic of Poland or other state, or a body of an international organisation, to undertake or relinquish certain actions,
- (3) causing serious disruptions in the political system or economy of the Republic of Poland, another state or an international organisation.
The second element of the definition in Article 115 (20) of the PC was formulated differently from the original definition in Framework Decision 2002/475 (and is, in consequence, different from that in Directive 2017/541). The list of crimes which, when committed for any of the purposes listed in the definition, are viewed as corresponding to terrorist acts was replaced with a formal criterion, a requirement that the offence was punishable by a maximum term of imprisonment of at least five years. Therefore, this provision does not result in delictum sui generis but it makes any offence (a crime and a more serious act punishable by deprivation of liberty for a maximum term of imprisonment of at least five years), committed for any of the purposes listed in the definition, be considered an offence of a terrorist nature. Pursuant to the provisions set out in Framework Decision 2002/475 (and Directive 2017/541), an offence of a terrorist nature also includes threat to commit such a crime (Article 115(20) in fine).Footnote 56
In the light of the above definition, cybercrimes of a terrorist nature may be the following prohibited acts: Article 165 (1)(4) of the PC (causing danger to the life or health of many people, or resulting in large-scale damage to property), Article 268(3) of the PC (preventing one from accessing information, which results in gross material damage), Article 268a(2) of the PC (an attack on computer data or the processing of such data which results in gross material damage), Article 269 of the PC (an attack on computer data of special significance), Article 269a of the PC (disturbing the operation of an information system, an ICT system or an ICT network) and—paradoxically (see earlier remarks)—Article 269b(1) of the PC (offences connected with “hacker tools”).
Notes
- 1. Act of 18 March 2004 on amending the Penal Code, the Code of Criminal Proceedings and the Code of Offences, Polish Journal of Laws No. 69, item 626.
- 2. Convention on Cybercrime of the Council of Europe of 23 November 2001. Polish Journal of Laws of 2015, item 728.
- 3. Act of 24 October 2008 Amending the Penal Code and Certain Other Acts, Polish Journal of Laws No. 214, item 1344.
- 4. Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems, OJ EU 2005 L 69/67.
- 5. Act of 23 March 2017 Amending the Penal Code and Certain Other Acts, Polish Journal of Laws of 2017, item 768.
- 6. Directive 2014/42/EU of the European Parliament and of the Council of 3 April 2014 on the freezing and confiscation of instrumentalities and proceeds of crime in the European Union, OJ EU 2014 L 127/39.
- 7. Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA, OJ EU 2013 L 218/8.
- 8. From the very beginning, it is necessary to take note of the fact that the instruments of international and EU law concerned with the security of computer networks, in order to specify the object of protection, use the term “computer data”, and not “information”. The Polish legislator, in principle, identifies the concept of information with the concept of data despite the obvious differences between these two. In the light of Article 2(b) of Directive 2014/30, “computer data” is to be understood as “a representation of facts, information or concepts in a form suitable for processing in an information system, including a programme suitable for causing an information system to perform a function”. The Convention on Cybercrime adopted a similar definition. With regard to the above, computer data is a carrier (medium) of information, facts and concepts, which, only after they are converted to the form of computer data, are readable by a computer (or information) system. Computer programs fall within the scope of that concept as well. The distinction between “computer data” and “information” is important from a legal standpoint, for one may take possession of computer data; however, he/she may not be able to make use of the information contained in it, not knowing the algorithm used to encode it, for example. The destruction of data does not always mean the destruction of information and, conversely, the seizure of data does not have to mean theft of information. Cf. Adamski (2000), p. 37 et seq.
- 9. According to the definition formulated in Article 2(35) of the Act of Telecommunications Law a telecommunications network means “transmission systems, and commutation or redirecting devices, as well as other resources, such as inactive network elements, enabling the sending, reception or transmission of signals through wires, radio waves, optical waves or other means using electromagnetic energy, regardless of their kind”. These are, for instance, satellite networks, permanent networks relying on the commutation of connections (circuit switching, in other words, commutation of channels or circuits, consists in establishing, on demand, a “permanent” dedicated connection between two or more network points for their exclusive use for the duration of the communication session) and the commutation of packets (packet switching—a method of data transmission which consists in grouping data into packets, each of which may reach its destination via a different route; the process of transferring packets is called routing and takes place between several network nodes—routers), cable television networks or power networks which enable the transmission of signals. Commutation devices are devices used for circuit switching (e.g. switchboards), whereas redirecting devices are devices used for packet switching (mainly routers). Commutation or redirection devices are not always required for signal transmission. There are networks that do not contain them. Cf. Krasuski (2015), Commentary on Art. 2(35); Piątek (2019), Commentary on Art. 2(35); Radoniewicz (2016), pp. 278–282.
- 10. Wróbel and Zając (2017), Commentary on Art. 267 PC.
- 11. Kardas (2000), p. 71.
- 12.
- 13.
- 14. See more Radoniewicz (2021).
- 15. The interpretation of the concept, basically from the very moment it appeared in the Penal Code, created problems (cf. Radoniewicz 2016, pp. 275–278; Siwicki 2013), which intensified after Poland ratified the Convention on Cybercrime. Since Article 267(2) of the PC was added by way of the 2008 amendment, connected with the implementation of Framework Decision 2005/222, it would be advisable to construe the term according to the definition set out in the Act and in Directive 2013/40, which replaces it, namely, both as a single device that processes computer data and a set of such devices, in other words, a network (see earlier observations). A lot of errors were made in the translation of the Convention on Cybercrime. One of them was translating the term “computer system” as “system informatyczny” [information system]. As mentioned earlier, the substantive scope of the concept of a computer system, as defined in the Convention, is narrower than the one of an “information system” as applied in Directive 2013/40. That calls into question the scope of the concept of the information system in view of the Penal Code. It is important to stress that, although the Convention on Cybercrime, upon its ratification, became part of the legal order, the definition of an “information system” (computer system) may not be applied directly, owing to the problems discussed. The existing confusion is intensified by the fact that, in the translation of the definition of computer data in Article 2(b) of the Convention (computer data translated as “dane informatyczne” [information data]), the translator used the concept of a computer system (“computer data means a representation of facts, information or concepts in a form suitable for processing in a computer system, including a programme suitable for causing an information system to perform a function”). In addition, the term “computer system” was used in the translation of the Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems of 28 January 2003 (Polish Journal of Laws of 2015, item 2015, item 730). Cf. Radoniewicz (2019a), pp. 42–47; Radoniewicz (2016), pp. 244–249, 275–285.
- 16.
Botnets are networks of computers on which the offender has installed (without the users’ knowledge) special programmes, the so-called zombies (hence the infected computers are called “zombie computers”), which are started up under remote direction at a certain moment, e.g. in order to launch a DDoS attack. Since it is possible to use a tremendous number of computers (even several thousand, spread all over the world), the actual source of the attack remains unknown. At present, on the Internet, one may obtain both programmes designed to launch DoS attacks and “ready-to-use” botnets to launch DDoS attacks. In addition, botnets can be used, among other things, to send spam (unwanted e-mail messages). Cf. Adamski (2013), pp. 68–69.
- 17.
DoS attacks (denial-of-service attacks) usually aim at impairing the operation of a network (and blocking the network). In principle, one can assume that they consist in generating huge network traffic that causes a server to hang, or overloads a router or network devices. They may also be targeted at specific computers, disabling their communication with the server. Their “enhanced” versions are DDoS attacks (distributed denial-of-service attacks), which make use of botnets.
- 18.
See further Radoniewicz (2021).
- 19.
- 20.
Computer eavesdropping is a colloquial term for the surveillance of information systems. It is often called, not entirely correctly, sniffing, which is only one of its techniques. There are two types of computer eavesdropping: the passive one, when the offender only reads the information being accessed, and the active one, when the offender modifies the data that is transmitted, e.g. by redirecting the transmission to somewhere else in the network.
- 21.
It is worth noting that Directive 2013/40 does not stipulate that the offender committing an act of illegal interception of data must satisfy any other premises in order for penal responsibility to be imposed—e.g. “dishonest” intent or acting for a specific purpose (“Member States shall take the necessary measures to ensure that intercepting, by technical means, non-public transmissions of computer data to, from or within an information system, including electromagnetic emissions from an information system carrying such computer data, intentionally and without right, is punishable as a criminal offence, at least for cases which are not minor”—Article 6 of Directive 2013/40).
- 22.
First of all, one should indicate the provisions of the Criminal Procedure Code, the Act of 6 April 1990 on the Police Service (Consolidated text, Polish Journal of Laws of 2020 item 360, as amended), and the Act of 24 May 2002 on the Internal Security Agency and the Foreign Intelligence Agency (Consolidated text, Polish Journal of Laws of 2020 item 27, as amended).
- 23.
See further Radoniewicz (2017a), pp. 181–196.
- 24.
In the light of Article 3(1) of the Act on the Computerisation of the Operations of Entities Performing Public Tasks, hereinafter: the Act on Computerisation, it is a “material or device designed to save, store and read data in digital form”, which encompasses all data carriers such as: floppy disks, which are rare at present, hard drives (magnetic data carriers), CDs and DVDs (optical carriers), semiconductor memory (RAM—Random Access Memory, ROM—Read Only Memory, in-built memory e.g. in printers, to name a few), flash memory etc.
- 25.
Cf. Adamski (2000), pp. 64–65.
- 26.
Kardas (2000), p. 88.
- 27.
- 28.
- 29.
- 30.
See further Radoniewicz (2019b), pp. 199–209.
- 31.
- 32.
Pursuant to Article 2(3) of the Act on Computerisation, this corresponds to a set of compatible hardware and software which together ensure the processing and storage, as well as sending and receiving data via telecommunication networks, by means of the appropriate end-point device, within the meaning of the Telecommunication Law; the same definition can be found in the Act of 18 July 2002 on Providing Services by Electronic Means (Consolidated text, Polish Journal of Laws of 2017, item 1030 as amended). It is assumed that an information system serves the purpose of processing data, while a telecommunication system is used for sending such data. Hence, the ICT system is an information system (in which computer data is processed) connected to a telecommunications network, via which it can send and receive data. Cf. Konarski (2004), pp. 62–64; Radoniewicz (2016), pp. 282–284.
- 33.
At present, the concept is not defined in any legal instrument. An ICT network is a set of ICT systems, in other words, information systems in which data is processed, interconnected by telecommunications networks, by means of which data is transferred between those systems. It is an extensive structure, created as a result of the convergence of information technology and telecommunications. Cf. Konarski (2004), pp. 62–64; Radoniewicz (2016), p. 284; Świerczyński (2009), p. 39; Urbanek (1999), pp. 4–5.
- 34.
Adamski (2005), pp. 58–59.
- 35.
Wróbel and Zając (2017), Commentary on Art. 269a PC.
- 36.
Adamski (2005), p. 58.
- 37.
Wróbel and Zając (2017), Commentary on Art. 269a PC.
- 38.
Radoniewicz (2020), pp. 252–255.
- 39.
- 40.
The justification to the government’s bill amending the Penal Code and Certain Other Acts, form No. 1186, section 4.6.
- 41.
On (the lack of) penal responsibility for identifying gaps in information systems and networks—a legal opinion of the Foundation of Frank Bold and the Cracow Institute of Criminal Law, http://blog.frankbold.pl/bug-bounty/. Accessed on 1.12.2020.
- 42.
As regards problems that arise from this fact, cf. Radoniewicz (2016), pp. 347–349.
- 43.
The fact that the crime under Article 268(2) of the PC is not included in the list appears less problematic—the same programmes will serve one to commit the crime set out therein as in the case of acts under Article 268a(1) and 268a(2) of the PC and Article 165(1)(4) of the PC (viruses).
- 44.
By way of example, network monitors, also referred to as protocol analysers, which allow administrators to analyse network traffic, may be used by hackers as sniffers.
- 45.
Cf. Adamski (2005), p. 60.
- 46.
- 47.
B. Kunicka-Michalska thinks that it is difficult to imagine creation, acquisition or selling without the offender’s direct intent; see Kunicka-Michalska (2010), p. 748.
- 48.
According to A. Marek, the causative acts listed in Article 269b (1) of the PC may be committed with direct intent only, while indirect intent may apply solely to the intended purpose of devices, programmes, passwords, access codes and other data; see Marek (2010), p. 576. J. W. Giezek, by critically referring to the viewpoint that creation and acquisition can only be done with direct intent, stresses that it seems more probable that the crime is committed with indirect intent, when the offender only agrees that his/her conduct meets the statutory criteria of the crime, since the situation usually looks as if he/she did not want to create, acquire, sell or share certain hardware or software but, with some probability only, assumed that they might turn out to be adapted to committing one of the crimes set out in the Article, agreeing that it would be just so. The author plainly suggests that the “uncertainty of diagnosis”, e.g. as regards the adjustment of hardware or software, allows one to assume that, in such a case, we are actually dealing with indirect intent only, Giezek (2014), pp. 1007–1008.
- 49.
- 50.
“Member States shall take the necessary measures to ensure that, when committed intentionally, the access without right, to the whole or to any part of an information system, is punishable as a criminal offence where committed by infringing a security measure, at least for cases which are not minor.” See also: Radoniewicz (2016), p. 459.
- 51.
See further Radoniewicz (2017b), pp. 303–317.
- 52.
Council Framework Decision 2002/475/JHA of 13 June 2002 on combating terrorism. OJ EC 2002 L 164/3.
- 53.
Act of 16 April 2004 Amending the Penal Code and Certain Other Acts, Polish Journal of Laws of 2004, No. 93, item 889.
- 54.
Directive 2017/541/EU of the European Parliament and of the Council, of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA, OJ EU 2017 L 88/6.
- 55.
Radoniewicz (2019c), pp. 193–205.
- 56.
References
Adamski A (2000) Prawo karne komputerowe, Warsaw
Adamski A (2005) Cyberprzestępczość – aspekty prawne i kryminologiczne, Studia Prawnicze 4
Adamski A (2007) Nowe ujęcie cyberprzestępstw w kodeksie karnym – ale czy lepsze?, Prawo Teleinformatyczne 3
Adamski A (2013) Botnety jako zagadnienie prawno-kryminologiczne na tle doświadczeń amerykańskich, Prokuratura i Prawo 1
Bukowski S (2006) Przestępstwo hackingu, Przegląd Sądowy 4
Gienas P (2005) Uwagi do przestępstwa stypizowanego w art. 269b Kodeksu karnego, Prokurator 1
Giezek J (2012) In: Giezek JW (ed) Kodeks karny. Część ogólna. Komentarz, Warsaw
Giezek JW (2014) In: Giezek JW (ed) Kodeks karny. Część szczególna. Komentarz, Warsaw
Górniok O (2005) In: Górniok O et al (eds) Kodeks karny. Komentarz, vol 2, Gdańsk
Górniok O (2006) In: Górniok O et al (eds) Kodeks karny. Komentarz, Warszawa
Kalitowski M (2012) In: Filar M (ed) Kodeks karny. Komentarz, Warsaw
Kardas P (2000) Prawnokarna ochrona informacji w polskim prawie karnym z perspektywy przestępstw komputerowych. Analiza dogmatyczna i strukturalna w świetle aktualnie obowiązującego stanu prawnego, Czasopismo Prawa Karnego i Nauk Penalnych 1
Konarski X (2004) Komentarz do ustawy o świadczeniu usług drogą elektroniczną. Warszawa
Kozłowska-Kalisz P (2020) In: Mozgawa M (ed) Kodeks karny. Praktyczny komentarz, Lex/el
Krasuski A (2015) Prawo telekomunikacyjne. Komentarz, Lex/el
Kunicka-Michalska B (2010) In: Wąsek A, Zawłocki R (eds) Kodeks karny. Część szczególna. Komentarz. Komentarz do artykułów 222-316, vol II, Warsaw
Marek A (2010) Kodeks karny. Komentarz, Warsaw
Piątek S (2019) Prawo telekomunikacyjne. Komentarz, LEX/el
Piórkowska-Flieger J (2012) In: Bojarski T (ed) Kodeks karny. Komentarz, Warsaw
Radoniewicz F (2015) Techniki implementacji do polskiego porządku prawnego postanowień decyzji ramowych Rady Unii Europejskiej dotyczących prawa karnego materialnego, Przegląd Prawa Konstytucyjnego 3
Radoniewicz F (2016) Odpowiedzialność karna za hacking i inne przestępstwa przeciwko komputerowym i systemom informatycznym, Warsaw
Radoniewicz F (2017a) Podsłuch komputerowy. In: Chałubińska-Jentkiewicz K, Kakareko K, Sobczak J (eds) Prawo prywatności jako reguła społeczeństwa informacyjnego. C.H. Beck, Warszawa
Radoniewicz F (2017b) Ujęcie przestępstw przeciwko ochronie informacji w Kodeksie karnym a postanowienia dyrektywy 2013/40/UE dotyczącej ataków na systemy informatyczne – aspekty wybrane. In: Kitler W, Taczkowska-Olszewska J (eds) Bezpieczeństwo informacyjne. Aspekty prawno-administracyjne, Warsaw
Radoniewicz F (2019a) In: Kitler W, Taczkowska-Olszewska J, Radoniewicz F (eds) Ustawa o krajowym systemie cyberbezpieczeństwa. Komentarz, Warsaw
Radoniewicz F (2019b) Przestępstwo “sabotażu informatycznego” (art. 269 k.k.). In: Badźmirowska-Masłowska K (ed) System bezpieczeństwa w cyberprzestrzeni RP. Warsaw
Radoniewicz F (2019c) Zwalczanie cyberterroryzmu w prawie UE – aspekty karnomaterialne. Cybersecurity and Law 2
Radoniewicz F (2020) Przestępstwo zakłócenia sieci teleinformatycznej – wybrane aspekty karnomaterialne oraz techniczne. In: Przestępczość teleinformatyczna 2019, “Rocznik Bezpieczeństwa Morskiego”
Radoniewicz F (2021) Przestępstwo hackingu – wybrane aspekty techniczne oraz karnomaterialne. In: Przestępczość teleinformatyczna 2020, “Rocznik Bezpieczeństwa Morskiego” – in press
Siwicki M (2013) Cyberprzestępczość, Legalis
Świerczyński M (2009) In: Gołaczyński J, Kowalik-Bańczyk K, Majchrowska A, Świerczyński M, Ustawa o świadczeniu usług drogą elektroniczną. Komentarz. Oficyna, LEX/el
Urbanek A (1999) In: Chustecki J et al Vademecum teleinformatyka, Warsaw
Wróbel W, Zając D (2017) In: Wróbel W, Zoll A (eds) Kodeks karny. Komentarz. Część szczególna, t. II, cz. II, Komentarz do artykułów 117-277d k.k., Warsaw, LEX/el
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2022 The Author(s)
About this chapter
Cite this chapter
Radoniewicz, F. (2022). Cybercrime and Cyberterrorism in Polish Law. In: Chałubińska-Jentkiewicz, K., Radoniewicz, F., Zieliński, T. (eds) Cybersecurity in Poland. Springer, Cham. https://doi.org/10.1007/978-3-030-78551-2_24
DOI: https://doi.org/10.1007/978-3-030-78551-2_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78550-5
Online ISBN: 978-3-030-78551-2
eBook Packages: Law and Criminology, Law and Criminology (R0)