1. Unlawful access to computer information protected by law, if this act entailed the destruction, blocking, modification or copying of computer information, -
shall be punishable by a fine in the amount of up to two hundred thousand rubles, or in the amount of the wages or other income of the convicted person for a period of up to eighteen months, or by correctional labor for a term of up to one year, or by restriction of liberty for a term of up to two years, or by forced labor for a term of up to two years, or imprisonment for the same period.
2. The same act, which caused major damage or was committed out of selfish interest, -
shall be punishable by a fine in the amount of one hundred thousand to three hundred thousand rubles, or in the amount of the wages or other income of the convicted person for a period of one to two years, or by correctional labor for a term of one to two years, or by restriction of liberty for a term of up to four years, or forced labor for a term of up to four years, or imprisonment for the same period.
3. Acts provided for in parts one or two of this article, committed by a group of persons by prior conspiracy or by an organized group or by a person using his official position, -
shall be punishable by a fine in the amount of up to five hundred thousand rubles, or in the amount of the wages or other income of the convicted person for a period of up to three years, with deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years, or by restriction of liberty for a term of up to four years, or by forced labor for a term of up to five years, or imprisonment for the same term.
4. Acts provided for in parts one, two or three of this article, if they entailed grave consequences or created a threat of their occurrence, -
shall be punishable by imprisonment for a term of up to seven years.
Notes. 1. Computer information means information (messages, data) presented in the form of electrical signals, regardless of the means of their storage, processing and transmission.
2. In the articles of this chapter, major damage is recognized as damage the amount of which exceeds one million rubles.
Commentary to Art. 272 of the Criminal Code of the Russian Federation
The object of this crime is social relations that ensure lawful access, creation, processing, transformation, use of computer information by the creator himself, its consumption by other users, as well as the correct functioning of a computer, computer system or their network. This crime, committed by a person using his official position, provided for in Part 2 of Art. 272 of the Criminal Code of the Russian Federation, also encroaches on the second direct object - social relations that ensure the interests of the service (Part 2 of Article 272 of the Criminal Code of the Russian Federation).
The norm of the criminal law under consideration protects computer information wherever it is contained and circulated: in computer memory, computer systems, telecommunication networks, and computer media.
The subject of the crime is information of limited access, i.e. information (messages, data), regardless of the form of their presentation, contained on computer media, in a computer, computer system or their network.
The objective side of the crime includes: actions consisting of unlawful access to computer information protected by law (restricted information); consequence - alternatively - in the form of destruction, blocking, modification, copying of information; disruption of the operation of a computer, computer system or their network; a cause-and-effect relationship between the specified action and any of the named consequences.
Restricted information includes computer information for which the law has established a special legal regime. Based on the meaning of the article in question and Art. 2 of the Federal Law of July 27, 2006 N 149-FZ “On information, information technologies and information protection”, only information recorded on a tangible medium with details that allow it to be identified is subject to protection, i.e. documented information. According to the terms of its legal regime, restricted access information is divided into:
———————————
SZ RF. 2006. N 31 (part 1). Art. 3448.
1) classified as a state secret (Article 2 of the Federal Law of July 21, 1993 N 5485-1 “On State Secrets”);
———————————
SZ RF. 1997. N 41. Art. 8220 - 8235.
2) confidential, i.e. documented information, access to which is limited in accordance with the legislation of the Russian Federation (Article 2 of the Law on Information). The mode of access to confidential information can be established either by its owner or directly in accordance with current legislation. An exhaustive List of information of a confidential nature is defined in Decree of the President of the Russian Federation of March 6, 1997 N 188 “On approval of the List of information of a confidential nature”: a) personal data (information about facts, events and circumstances of a citizen’s life, allowing his identity to be established - Article 2 of the Law on Information), with the exception of information subject to dissemination in the media in cases established by federal laws; b) information constituting the secret of investigation and legal proceedings; c) official information, access to which is limited by government bodies in accordance with the Civil Code of the Russian Federation and federal laws (official secrets); d) information related to professional activities, access to which is limited in accordance with the Constitution of the Russian Federation and other federal laws (medical, notarial and lawyer's secrets, secrets of correspondence, telephone conversations, postal items, telegraphic or other messages, etc.); e) information related to commercial activities, access to which is limited in accordance with the Civil Code of the Russian Federation and other federal laws (trade secret); f) information about the essence of the invention, utility model or industrial design before the official publication of information about them.
———————————
Federal Law of July 29, 2004 N 98-FZ “On Trade Secrets” // SZ RF. 2004. N 32. Art. 3283.
SZ RF. 1997. N 10. Art. 1127.
With respect to such information, the owner or other authorized person must take special protection measures for machine information (for example, introducing a system of access passwords or a certain discipline for working with information) limiting access to it.
Access to:
1) regulatory legal acts affecting the rights, freedoms and responsibilities of humans and citizens, as well as establishing the legal status of organizations and the powers of state bodies and local governments;
2) information about the state of the environment;
3) information on the activities of state bodies and local self-government bodies, as well as on the use of budget funds (except for information constituting state or official secrets);
4) information accumulated in open collections of libraries, museums and archives, as well as in state, municipal and other information systems created or intended to provide citizens (individuals) and organizations with such information;
5) other information, the inadmissibility of restricting access to which is established by federal laws.
Access to confidential information or information constituting a state secret by a person who does not have the necessary powers (without the consent of the owner or his legal representative) is considered unlawful, subject to special means of protecting it.
Unauthorized access to computer information is the illegal or unauthorized use of the ability to obtain information contained on computer media, a computer, a computer system or their network. At the same time, access to computer information means any form of penetration into the source of information using computer means (material and intellectual), allowing one to manipulate the received information (copy, modify, block or destroy it).
At the same time, taking possession of a personal computer or a computer storage medium (floppy disk, disk) as property cannot be qualified as access to computer information and entails liability for a crime against property or arbitrariness. Likewise, the fact of destruction or distortion of computer information contained on a computer carrier through external influence on it with heat, magnetic waves, or causing mechanical damage in any other way does not form an objective side of the crime in question. Unlawful access to computer information is charged to the relevant person in conjunction with the crimes for the commission of which such access was carried out. For example, in cases where fraudulent actions involve unlawful entry into someone else’s information system or other unlawful access to legally protected computer information of credit institutions, or the creation of deliberately malicious computer programs, modifications to existing programs, or the use or distribution of malicious computer programs, the act is subject to qualification under Art. 159 of the Criminal Code of the Russian Federation, and also, depending on the circumstances of the case, under Art. 272 or Art. 273 of the Criminal Code of the Russian Federation, if as a result of unlawful access to computer information, destruction, blocking, modification or copying of information, or disruption of the operation of a computer, computer system or their network occurred.
The corpus delicti of this crime is material in nature and presupposes the mandatory occurrence of one of the consequences:
1) destruction of information is rendering information or part of it unusable, regardless of the possibility of its recovery. The transfer of information to another computer medium is not considered in the context of criminal law to be the destruction of computer information only if, as a result of these actions, the access of legitimate users to the information was not significantly hampered or excluded. Destruction of information does not mean renaming the file in which it is contained, nor the automatic replacement of old versions of files by newer ones;
2) blocking of information - the result of an impact on a computer, computer system or their network, the consequence of which is the inability for some time or constantly to carry out the required operations on computer information completely or in the required mode. In other words, information blocking is the performance of actions leading to restriction or closure of access to a computer system and the information resources it provides, artificially impeding access of legitimate users to computer information, not related to its destruction.
Disabling a computer program should be distinguished from the destruction and blocking of computer information. Disabling a computer program may be considered in appropriate cases as a crime under Arts. 141, 267, 273, 281 and others of the Criminal Code of the Russian Federation. If the reason for the failure of a computer program is the destruction or blocking of computer information that the program must operate on, the act should be classified as unlawful access to computer information.
3) modification of information - making changes to computer information (including changing its parameters). Current legislation allows the following types of legal modification of programs and databases by persons lawfully possessing this information: a) modification in the form of correcting obvious errors; b) modification in the form of changes to programs or databases for their operation on the user’s technical means; c) modification in the form of partial decompilation of the program to achieve the ability to interact with other programs;
4) copying information - creating a copy of existing information on another medium, i.e. transfer of information to another medium separate from the computer while keeping the original information unchanged; reproduction of information in any material form: by hand, by photographing text from the display screen, as well as reading information by intercepting computer radiation, etc.
Reproduction of information should be distinguished from copying computer information. In the latter case, the information is repeated not on a medium separate from the original, but on the original medium (for example, several files of the same content are organized in the computer’s disk memory) or on a homogeneous medium remaining at the user’s disposal (for example, a copy is located in disk memory, forming a system with this computer, or on a floppy disk deliberately left in the computer).
5) disruption of the operation of a computer, computer system and their network - disruption of the operation of the program, leading to the impossibility of obtaining the required result from it in full or obtaining it with distortions of any kind, as well as obtaining side results resulting from violation of the established rules of its operation. Computer disruption may result from: a) damage to computer information in the proper sense of the term; b) software failure; c) violation of the integrity of the hardware on which this software is implemented; d) damage to communication systems. In this case, we are talking not only about difficulties directly related to manipulations in the computer’s memory, but also about interference that appears on the display screen, when printing and copying computer information, as well as on all kinds of peripheral devices and equipment control sensors.
The crime is completed from the moment any of these consequences occur. When establishing a causal relationship between unauthorized access and the onset of harmful consequences, it should be borne in mind that in computer systems destruction, blocking and other disruptions to the operation of the computer are possible as a result of technical malfunctions or errors in the functioning of hardware and software. In these cases, the person who has committed unlawful access to computer information is not subject to liability under this article due to the absence of a causal connection between his actions and the consequences.
The subjective side of the crime in question is characterized by guilt in the form of intent or negligence.
The general subject of the crime is a sane person who has reached the age of sixteen.
Part 2 of Art. 272 of the Criminal Code of the Russian Federation provides for such qualifying criteria as the commission of the crime: a) by a group of persons by prior conspiracy; b) by an organized group; c) by a person using his official position; d) by a person who has access to a computer, computer system or their network. The content of the first three qualifying features basically corresponds to the content of similar features of previously considered crimes. A person who has access to a computer, a computer system or their network is an employee of a body or organization who, by virtue of law or contract, has the right to use the relevant computer, computer system or their network or has other powers in relation to the relevant computer information, the procedure for handling it or the modes of its use (such persons may be system programmers, persons supervising operators, database administrators, etc.).
Is there any responsibility at all for researching and hacking someone else’s program, service, or network?
If we talk about current Russian laws, then yes, there are. When a researcher tests someone else's product for vulnerabilities or penetrates someone else's network without the owner's knowledge and consent, his actions may be considered illegal. And the consequence of such actions may be the onset of various types of liability: civil, administrative and criminal.
What laws are we talking about?
To a greater extent, the study of vulnerabilities (as well as possible liability in the event of illegal acts) concerns those laws that are listed below. Please note that this is not the entire list: this article does not address issues related to personal data, secrets protected by law (state, medical, banking, etc.) and some other issues. For now we will talk about the following three laws:
- Civil Code;
- Code of Administrative Offences;
- Criminal Code.
In what cases will a bughunter be held liable?
It all depends on the specific circumstances of the case, as well as on the consequences that arose after a specific study (testing, hacking). Depending on them, it will be determined whether such actions of the bughunter are an offense or not, a crime or not, and whether he is subject to liability of the appropriate kind or not.
Judicial practice under Article 272 of the Criminal Code of the Russian Federation
Appeal ruling of the Judicial Collegium for Criminal Cases of the Supreme Court of the Russian Federation dated June 25, 2019 N 5-APU19-55
Responsibility for these acts is also provided for by Russian criminal legislation and corresponds to Part 3 of Art. 272 and Part 4 of Art. 159.6 of the Criminal Code of the Russian Federation. The statute of limitations for bringing Bogdan Z.P. to criminal liability has not expired. Bogdan Z.P. is a citizen of the Republic of Belarus, which is confirmed by relevant documents.
Resolution of the Presidium of the Supreme Court of the Russian Federation dated July 14, 2021 N 6P21
According to the verdict of the Oktyabrsky District Court of Krasnoyarsk dated July 8, 2021, Gobuzov A.S. was convicted of a combination of 3 crimes provided for in Part 1 of Art. 272 of the Criminal Code of the Russian Federation, 5 crimes provided for in Part 1 of Art. 273 of the Criminal Code of the Russian Federation, 14 crimes provided for in Part 2 of Art. 272 of the Criminal Code of the Russian Federation, 2 crimes provided for in Part 1 of Art. 159 of the Criminal Code of the Russian Federation, 55 crimes provided for in Part 2 of Art. 159 of the Criminal Code of the Russian Federation, as well as Part 3 of Art. 159 and Part 4 of Art. 159 of the Criminal Code of the Russian Federation, and on the basis of Part 3 of Art. , Art. of the Criminal Code of the Russian Federation sentenced to 4 years 5 months of imprisonment in a general regime correctional colony. The preventive measure for A.S. Gobuzov in the form of a written undertaking not to leave the place and to behave properly was changed to detention. Gobuzov A.S. was taken into custody in the courtroom. The term of serving the sentence for Gobuzov A.S. was decided to be counted from July 8, 2021, with the time of detention from January 17, 2021 to May 6, 2019 and from July 8, 2021 to the day the sentence entered into force counted into it in accordance with paragraph “b” of Part 3.1 of Art. of the Criminal Code of the Russian Federation (as amended by Federal Law No. 186-FZ of July 3, 2021) at the rate of one day of detention for one and a half days of serving a sentence in a general regime correctional colony.
Important point
The role of computer information in the system of legal relations that arise in the information sphere is still a highly controversial subject. The debate on this issue has not yet ended with the formulation of a legislative and scientific definition that would become generally accepted. Analyzing Article 272 of the Criminal Code of the Russian Federation, it should be noted that it is valid only if the information is protected by law, is contained on computer media, in a computer, and acts as an intangible value.
How can a researcher reduce the risk of liability?
Liability can be excluded in situations where the researcher’s actions do not violate the law, rights and legitimate interests of third parties. For example, the risks of liability can be reduced when the research is conducted with the knowledge and consent of the owner (copyright holder) of the software product being studied. This may be a written consent on his part (a bilateral agreement or another written form of consent, at least electronic correspondence), or it may be a general agreement to conduct such activities (the Bug Bounty program will be just such an agreement). The main thing is that the researcher has evidence to support consent.
In addition, the research must not cause harm to the person or property of other third parties, or violate copyright. It is also worth reading the terms of use of the product under study: they may contain provisions that could lead to additional troubles for the researcher if he is sued. This recommendation also applies to Bug Bounty programs: after all, they can sometimes present surprises.
And of course, we should not forget that everything depends on specific circumstances, so in different cases the answers to the same questions may differ.
What do you need to know about civil liability?
First of all, you need to know that it can occur due to the following circumstances:
- The study entailed copyright infringement.
- Damage to person or property was caused during the study.
- The terms of use (license) of the object under study were violated.
Case 1. Copyright
In most cases, the site or program under study is a full-fledged object of copyright. Consequently, its copyright holder has the exclusive right in relation to such an object (Article 1270 of the Civil Code of the Russian Federation). This means that, as a general rule, it is the copyright holder who determines whether his object can be copied (in whole or in part), or whether changes, distortions, or modifications can be made to it.
To understand, let’s imagine a situation: after examining a service for vulnerabilities, a researcher copied part of the program code of this service and saved it on his own storage device. Such copying is the use of a copyrighted object (program code) by reproducing it. This means that, in fact, the copyrighted object was used by the researcher without the consent of the copyright holder. Formally, this will be considered a violation of the latter’s rights.
Therefore, if during a vulnerability study, (even fragmentary) copying, modification, alteration, or distortion of the copyright object under study is made, then formally this can be recognized as a violation of the exclusive right of its copyright holder to its object. Below is the simplest example from practice.
Terms of use of materials from the site registre.ru
Materials posted on the website www.registre.ru belong to Profdelo LLC and are prohibited from reprinting. In case of illegal reprinting of site materials, the violator pays the copyright holder a penalty in the amount of 10,000 rubles for each article or part of the article.
https://www.registre.ru/copyright.html
What is meant by “materials” is not clear. There is also no mention that this rule applies only to published articles. Therefore, if we imagine a situation that when testing this site for vulnerabilities, some materials (be it the texts of unpublished articles or fragments of script code) were copied by a researcher, then with certain reservations it can be considered that with such copying he violated the copyright of the owner of this site.
If we talk about the amount of liability for such a violation in monetary terms, it is defined in Article 1301 of the Civil Code of the Russian Federation:
- from ten thousand to five million rubles (at the discretion of the court);
- twice the cost of a license for the object under study (for its use in the manner in which it was used during the study).
The defendant may also be required to compensate the copyright holder for losses incurred during the research. However, the law does not limit the amount of such damages. Therefore, if the copyright holder can prove their size (even if it is more than five million), then the declared amount will have to be paid. How losses will be proven is another question beyond the scope of this article.
Case 2. Damage to person or property
In addition to copyright infringement, liability is also provided for harm to a person or property (Chapter 59 of the Civil Code of the Russian Federation). As a general rule, harm caused to the person or property of a citizen, as well as harm caused to the property of a legal entity, is subject to compensation in full by the person who caused the harm. In turn, the suspect is released from compensation for losses if he proves his innocence.
This can be explained more clearly like this. Let's imagine a situation: there is a software package that is responsible for the automatic supply of hot water to residential buildings. If vulnerability research caused the failure of this complex, then the owner will have the right to expect to recover from the researcher all losses incurred by him (including the cost of repairs and restarting of the equipment). If the same actions caused damage to property in those houses to which the water supply was provided by the software package, then the owners of the apartments (as well as the owners of the damaged property in the apartments) will also have the right to expect to recover their losses.
That is, it should be understood that if, as a result of testing, an expensive and complex software product is disabled, then the consequences can be serious, as well as liability for them. And monetary penalties here can easily exceed the limits that we talked about when considering cases of copyright infringement.
Case 3. Violation of terms of use (license)
Often, the object of research (be it a website, software application or other service) has its own terms of use. They may be called rules of use, terms of service, software license, or something else. These terms may provide for additional liability of the user for the actions he performs in relation to the object of study.
See the example above about the Profdelo website. Although the copyright provisions are incorrectly written there, we can assume that in this case the researcher is liable for violating the terms of use of the site - ten thousand rubles for each article or part thereof.
In addition, there may be talk of compensation for losses to the owner of the resource under study. A couple of examples for clarity.
Terms of use of the site
The User undertakes to reimburse Snob Media LLC for losses, including legal costs, resulting from the User’s materials, non-compliance with the provisions of this Agreement or violation of the rights of third parties, regardless of whether the User is registered or not. The User is personally responsible for actions when using the Site, including, but not limited to, payment of the cost of Internet access during such use.
https://snob.ru/basement/term
Terms of service
- Indemnification. If you violate these Terms of Service, as well as other legal requirements, if you violate the rights of third parties and if legal action is initiated as a result of such violation, you agree that the Company and its affiliates, managers, agents, employees, services or content providers, distributors and sellers are exempt from legal liability in connection with such violation. You further agree to indemnify the foregoing entities for all losses, damages, civil liability and expenses (including reasonable attorney's fees and other legal costs) incurred as a result thereof.
https://ru.besv.com/terms-of-service/
According to these texts, a researcher whose actions lead to losses for the owners of the sites snob.ru and ru.besv.com may be held liable for these losses. And if guilt is proven, he will be forced to pay damages.
There are even resources whose terms of use explicitly prohibit searching for vulnerabilities.
Rules and conditions for registration on the Masters of Taste website
In particular, Users must not: […]
- attempt to assess or test the vulnerability of the Site, as well as violate the security rules and user identification systems of the Site without the prior written consent of the Organizer.
https://mastersoftaste.club/legal
Terms of use (offer) of the site kartatalanta.ru
By using the Site, the Registered User undertakes not to violate or attempt to violate the information security of the Site, which includes: […]
- 5.2. attempts to check the vulnerability of the Site’s security system, violation of the registration and authorization procedure without the permission of the Contractor;
https://kartatalanta.ru/text/terms.php
Therefore, before testing for the vulnerabilities of a specific software product, it would be useful to familiarize yourself with the rules of its use: see if they mention prohibitions of such actions and whether potential liability for them is indicated.
What are the administrative responsibilities?
The Code of Administrative Offenses of the Russian Federation contains an extensive list of possible violations in the field of information protection, among which two points can be distinguished.
The first is engaging in activities in the field of information protection (except for information constituting a state secret) without obtaining a special permit (license) in the prescribed manner, if such a permit (license) is mandatory in accordance with federal law - Article 13.13 of the Code of Administrative Offenses. Possible liability: an administrative fine of up to one thousand rubles with or without confiscation of information security means for individuals, up to three thousand rubles for officials, and up to twenty thousand rubles with or without confiscation of information security means for legal entities.
The second point is the disclosure of information, access to which is limited by federal law (except for cases where the disclosure of such information entails criminal liability), by a person who has gained access to such information in connection with the performance of official or professional duties - Article 13.14 of the Code of Administrative Offences. Possible liability: an administrative fine of up to one thousand rubles for individuals and up to five thousand rubles for officials.
Administrative liability may be imposed separately from civil liability. That is, some violations do not lie in the civil law plane, so you can also be brought to administrative liability if the corresponding offense is provided for in the Code of Administrative Offenses.