Cybercrime in France: An Overview
1. FACTORS AFFECTING THE RISE OF CYBERCRIME IN FRANCE
Though there can be many factors which affect the rise of cybercrime, some major environmental characteristics of Internet in France which affect the most are:
Firstly, the number of Internet users is increasing rapidly. In Feb. 2005, it was estimated that the number of Internet users was 25 millions, which is larger than 8, 500, 000 in 2000 , and is about 41.2 % of the whole population in France . Among those 25 millions of people, 7 millions are connected to a high-speed (broadband) Internet such as ADSL or cable modem which is 100 times faster than the ordinary dial-up modem, paying only 20 euros per month .
Secondly, there are about 236. 874 servers in France and many PC bangs (Internet cafés) around the country, which are equipped with broadband Internet connection. The fee for using Internet PCs in PC bangs is only 1 euro per hour. These PC bangs are used to attack computers, to defraud some, or to obtain the information that will allow the perpetrator to assume a victim’s identity and commit fraud on a grand scale.
Thirdly, cyber communities created on French forums are being abused by criminals as hotbeds for illegal activities, such as sales of illegally copied products, or sexually obscene materials. Those communities are also used as a place to exchange technologies and experiences concerning the modus operandi of cybercrime.
Finally, the development of multimedia network game industry affects the increase of cybercrime in France. As the Internet game industry prospers, many people are indulging themselves in variety of network games. Consequently, some of them are getting confused between “real life” and the “life in cyber space”. So, they want a higher level in cyberspace, which derive some crimes such as Internet fraud concerning game items and cyber money. For example, some people want to get power easily in virtual reality of online games, so they want to buy some items or weapons of those games even they have to pay so much money on those. Criminals abusing those psychological states of victims commit crimes concerning the online games.
2. CURRENT STATUS OF CYBERCRIME IN FRANCE
**2.1 Types of Cybercrime **
There are several ways we can categorize the various cybercrimes. We can divide them into two very board categories: one, those crimes committed by violent or potentially violent criminals, and two, nonviolent crimes. Violent or potentially violent crimes that use computer networks are of highest priority for obvious reasons: these offenses pose a physical danger to some person or persons. Types of violent or potentially violent cybercrime include: Cyberterrorism; Assault by threat; Cyberstalking and Childporngraphy.
However, most cybercrimes are nonvioent offenses, due to the fact that a defining characteristic of the online world is the ability to interact without any physical contact. The perceived anonymity and “unreality” of virtual experiances are the elements that make cyberspace such an attractive “place” to commit crimes. Nonviolent cybercrimes can be further divided into several subscategories: Cybertrespass; Cybertheft; Cyberfraud; Destructive cybercrimes and Other cybercrimes.
2.2 Cybercrime Offences in 2004 According to the Office Central de Lutte contre la Criminalité liée aux Technologies de l’Information et de la Communication (O.C.L.C.T.I.C.). Published in Rapport Senat n° 321:
Year 2004 Total 59.964 offences Illegal fabrication of credit cards: 49.914 offences Ilegal use of credit card numbers online: 8.470 offences. Online pornography: 576 offences. Defamation and Sexual Assault: 333 offences. Cybertrespass: 285 offences. Software Piracy: 268 offences. Others: 118 offences.
As it has been mentioned before, the rapid development of Internet infrastructure and other factors such as popularity of PC bangs, Internet communities and growth of game industry can be regarded as the main reasons for that increase. In addition, the foundation of L’Office Central de Lutte contre la Criminalité liée aux Technologies de l’Information et de la Communication (O.C.L.C.T.I.C.) can be one of the reasons. In other words, victims know where to report their damages more clearly than before the foundation, and the fact that the more aggressive measures to the cyber crimes have been brought could be one of the factors which can explain the rapid increase in this crime.
**2.3 Cybercrime Case Law **
**2.3.1 Cyberfraud **
Serge Humpich, the 36 year-old engineer who discovered flaws in the chip-based security of French credit cards, was sentenced in Feb. 2000 (GCB v. Humpich) in Paris . Under the ruling issued by the 13th correctional chamber, he was sentenced to a suspended prison sentence of 10 months, 12.000 francs (approx. £1.200) in fines, and one symbolic franc in damages to the Groupement des Cartes Bancaires . His computer equipment has been seized, as well as the document that he had filed with the INPI (France’s patents and trademarks office), detailing his findings. Humpich began studying credit card security four years ago. When he discovered significant flaws in the authentication system, he contacted the Groupement des Cartes Bancaires, through lawyers, to negotiate a “technology transfer” of his discovery, for an undisclosed amount (estimates of up to £20M were never confirmed by either party). During Court hearings held on January 21 it was revealed that Humpich had committed only one fraud (when he bought metro tickets using cards he made), performed at the instigation of the GCB, and using the blank cards that it had supplied. Little did he know that the GCB had already contacted the authorities, and that his phone was tapped. Humpich was later arrested, his equipment seized, and his house (as well as his lawyer’s offices) raided by police.
**2.3.2 Trade Marks **
In October 2003, a French court has ruled against Google France in an intellectual property dispute (Sté Viaticum et Sté Luteciel v. Sté Google France) saying the company must pay a fine for allowing advertisers to tie their text notices to trademarked search terms .
The Lower Court of Nanterre required Google France to pay 70.000 euros (about $81.400) to two companies that owned the rights to certain words. Google France sold the use of these words to advertisers through its AdWords program. AdWords permits individuals and companies to place advertisements on the Google home page that appear when a specific search term is used. A spokesman for Google said Wednesday that the company would appeal. “As this is an ongoing legal matter, we cannot provide further comment,” spokesman David Krane said. Travel agencies Luteciel and Viaticum sued Google in December 2002, after the search company refused to curb the use of disputed words in the AdWords program. Luteciel and Viaticum claimed intellectual property rights in “bourse des vols” and “ bourse des voyages,” which roughly translate to travel market and airflight market. The French court concluded that Google France violated the country’s intellectual property code that, translated, “prohibits, in the absence of authorization of its owner, the use of a trademark for products or services identical to those indicated in the recording.”
The judgement of October 2003 was upheld by Versailles court of appeal in 10 March 2004. Google was ordered to pay US$103,000 in damages to the French travel companies Luteciel and Viaticum. Users who searched on Google using these companies’marks as key words were also provided with links to competitor companies’websites. The court found that Google should have prevented its clients from using key words which infringed trademarks.
**2.3.3 Software Piracy **
In Feb. 2005, a French teacher was fined €10.200 ($13.300) in France’s first major illegal file-sharing prosecution ( France Bater v. Alain Oddoz) . Alain Oddoz, 28 years old was arrested on 18 August 2004 following an investigation into music-sharing information site France Barter by French law enforcement agencies. The teacher, one of 302 regular users of the site, was accused of sharing 30GB of music files. The teacher paid €3.000, with the rest deferred to a later date. The fine could have been much worse. Music industry representatives had asked the Pontoise court to impose a €28.366 fine. In recent months European music industry trade bodies have actively pursued file-sharers through the courts, albeit with a lower profile than the Recording Industry Ass. of America’s highly publicised anti-P2P lawsuits.
However, in March 2005, the Montpellier Court of Appeal has released in (Ministère Public, FNDF, SEV, Twientieth Century Fox et a. v/ Aurélien D) an individual from prison who was sued for copying almost 500 movies on the Internet, burning them and sharing them with friends. The decision was based on Article L-122-5 of the French Intellectual Property Code which states that “authors can’t forbid copies or reproductions that are only intended for the private use of the copyist.” Although this decision seems to provide the impression that private use may be a defense against a claim of online copyright infringement, there are still approximately 50 similar criminal cases pending, and in the past, infringers have been sentenced.
**2.3.4 Malicious Code **
In March 2005, the Tribunal correctionnel de Paris has ruled in (Tegam v. Tena Guillaume) that security researcher Guillaume Tena acted unlawfully in publishing proof of concept code to highlight security flaws in ViGuard, an antivirus product, from French company Tegam. Tena was given a suspended fine of €5,000 ($6,700 or £3,480) in a case that could have big implications for security research in France. Four years ago Tena (AKA Guillermito) released proof of concept code to highlight security bypass and worm evasion flaws in ViGuard. He produced exploits showing that Tegam’s generic anti-virus failed to stop “100 per cent of known and unknown viruses” as claimed. Tena posted his findings to a French Usenet newsgroup in the summer of 2001 before re-publishing the research on a website in March 2002. Tegamd denounced Tena as a “terrorist”, and sent in the lawyers. In June 2002, Tena was prosecuted over alleged violations of French copyright law. Tegam argued a warez version of its software was used in Tena’s tests and claimed that he decompiled or disassembled ViGuard and distributed part of its source code on his website. Tena denies these accusations. Tegam claims tens of thousands of ViGuard users in France. However, the product is little used outside the country. The case against Tena came to trial at a Tribunal correctionnel in Paris in January. A verdict - returned in March 2005 - found against the security researcher, who will be fined €5,000 if he re-offends within the next five years.
**2.3.5 Online Defamation **
In LICRA and UEJF v. Yahoo! Inc, Yahoo! was sued in France for violating a French law that prohibits the exhibition of Nazi memorabilia. The Tribunal de Grande Instance de Paris ordered Yahoo! to limit the display of Nazi memorabilia and images on Yahoo!-hosted auction sites in the U.S. Such displays, while illegal in France, are protected by the First Amendment in the United States . The French court reasoned that because the offensive materials were accessible in France – and hence caused harm to French citizens – the court had the power to penalize Yahoo! in the U.S. for non-compliance with its domestic hate speech statutes. Because enforcement of the French order would require action against Yahoo! and its assets in the United States, Yahoo! in turn sought relief from the order in the form a declaratory judgment making the order unenforceable stateside. Before a California district court, Yahoo! sought a declaration that the French court has no jurisdiction over Yahoo’s U.S.-based operations, and that the French court’s order violates rights guaranteed by the U.S. Constitution. Yahoo! argued that only a U.S. court has jurisdiction to determine if the French order is enforceable in the United States. The California court agreed, and on First Amendment grounds invalided enforcement of the French order in the U.S. The court concluded that : “The French order’s content and viewpoint-based regulation, while entitled to great deference as an articulation of French law, clearly would be inconsistent with the First Amendment if mandated by a court in the United States. What makes this case uniquely challenging is that the Internet in effect allows one to speak in more than one place at a time. Although France has the sovereign right to regulate what speech is permissible in France, this Court may not enforce a foreign order that violates the protections of the United States Constitution by chilling protected speech that occurs simultaneously within our borders”.
The decision in Yahoo! is important for another reason: the French court’s focus on Yahoo’s ability to discern where its content was received. Based on the testimony of expert witnesses, the French court concluded that Yahoo! had the technological capacity to know with 90% accuracy where it was distributing its online content. In the Third Circuit decision in COPA discussed above, we saw the court imagining the next stage of online regulation: a net that is zoned so as to permit prohibitions of content based on community norms. In effect, the French court in Yahoo! sought to actualize that vision. Whereas geographic-location technologies may not be readily available and cost-efficient at present, an increasingly important question for net regulation in the future will be the ability to control not merely types of content but the flow of information.
2.3.6 Skype Banned in Research Institutions
In Sep. 2005 the French government banned the use of Skype at research institutes and universities in France. Skype is a popular voice-over-Internet protocol (VoIP) that allows users on its network to speak to each other over the Internet for free. Skype can also be used to make and receive calls through standard phone lines for a fee, and to receive voicemail messages. French authorities have cited concerns over Skype’s “network security” as the main reason for the ban. Critics, however, contend that communications through Skype are sufficiently protected with the use of encryption technology. They argue that one reason for banning Skype may be the loss of revenue suffered by French competitors in the VoIP market.
2.3.7 Spam
In June 2005, The Paris commercial court in (AOL and Microsoft v. K-Foot) has ordered a French entrepreneur to pay EUR 22,000 (USD 27,000) in damages and interest for having sent out a flood of unsolicited e-mail messages, or spam, the US online service provider AOL. The court also said he would have to pay EUR 1,000 for any spam message sent out following the ruling, according to AOL, which lodged the complaint in conjunction with software giant Microsoft. The sender, a direct marketing specialist, was an AOL subscriber and was alleged to have created electronic addresses with Microsoft’s free e-mail service Hotmail, using a false identity.
**2.3.8 Cybertrespass **
According to the AFP, a 17-year-old French hacker who defaced websites in Australia, Britain, and the United States with political messages has been arrested in Paris in July 2003 and ordered to stay away from the internet while on parole. The teenager, who cannot be named for legal reasons but who was known on the web under the nickname DKD, plastered home pages with messages « for example in favour of the Palestinians or against the US government », a police chief for the northern city of Lille, Eric Voulleminot, said. The hacker was arrested on June 23 at home in a western Paris suburb, where he was living with his parents while he completed his last year of high school. He was tracked down by French police specialised in computer crime investigating the case of a police station website that had been altered. Technical investigations and confessions from the young man have established that around 2000 websites were attacked: around 20 in France, between 20 and 30 in Britain, and the rest in Australia and the United States, including the (US) Navy site. The teenager was released on parole because his hacking didn’t have major consequences, but he has to check in regularly with police and is banned from connecting to the Internet, he said.
**3. LEGISLATION APPROACH **
There is no uniform law that regulates all kinds of cybercrime in France. In addition to the independent and specialized laws in IT and Telecommunications, provisions which regulate cybercrimes are scattered throughout many legislations:
3.1 Criminal Law (Penal Code)
Categories
Unauthorised Access to Automated Data Processing Systems
Codification Article 323-1 Fraudulently accessing or remaining within all or part of an automated data processing system
Punishment One year’s imprisonment and a fine of € 15,000. Where this behaviour causes the suppression or modification of data contained in that system, or any alteration of the functioning of that system, the sentence is two years’ imprisonment and a fine of € 30,000.
Codification Article 323-2 The fraudulent introduction of data into an automated data processing system or the fraudulent suppression or modification of the data that it contains
Punishment Three years’ imprisonment and a fine of € 45,000.
Article 323-3 Use of counterfeited or altered public electronic data
Three years’ imprisonment and a fine of € 45,000.
Article 323-4 The participation in a group or conspiracy established with a view to the preparation of one or more offences set out under articles 323-1 to 323-3, and demonstrated by one or more material actions
Punished by the penalties prescribed for offence in preparation or the one that carries the heaviest penalty.
Article 323-7 Attempt to commit the misdemeanours referred to under articles 323-1 to 323-3
Subject to the same penalties
Violations of Personal Rights Resulting from Computer Files or Processes
Article 226-16 To carry out, or to cause to be carried out, the automated processing of data containing names without having observed, prior to the operation, the preliminary formalities laid down by law
Three years’ imprisonment and a fine of € 45,000, even where committed by negligence.
Article 226-17 To carry out, or to cause to be carried out, the automated processing of data containing names without taking all useful precautions to preserve the confidentiality of such information and in particular to prevent it being tampered with, damaged or communicated to unauthorised third parties
Five years’ imprisonment and a fine of € 300,000.
Article 226-18 The collection of data by fraudulent, unfair or unlawful means, or the processing of name-bearing information relating to a natural person despite this person’s opposition, where this objection is based on legitimate grounds
Five years’ imprisonment and a fine of € 300,000.
Article 226-19 Apart from the cases set out by law, the recording or preserving in a computerised memory, without the express agreement of the persons concerned, of name-bearing data which, directly or indirectly reveals the racial origins, political, philosophical or religious opinions, trade union affiliations or the sexual morals of the subjects
Five years’ imprisonment and a fine of € 300,000
Article 226-20 The preserving of information in a name-bearing form beyond the length of time stated in the request for advice or in the preliminary statement made before the implementation of the computerised processing, without the agreement of the National Commission for Data-processing and Civil Liberties
Subject to the same penalties
Endargenment of Minors
Article 227-23 Taking, recording or transmitting the picture or representation of a minor with a view to circulating it, where that image or representation has a pornographic character
Three years’ imprisonment and a fine of € 45,000. The same penalty applies to the distribution of such a picture or representation, and its import or export, or causing it to be imported or exported. The penalties increased to five years’ imprisonment and a fine of € 75,000 where, for the circulation of the image or representation of a minor, use was made of a communication network open for the circulation of messages to an unrestricted public. Retaining such an image or representation is punished by two years’ imprisonment and a fine of € 30,000.
Article 227-24 The manufacture, transport, distribution by whatever means and however supported, of a message bearing a pornographic or violent character or a character seriously violating human dignity, or the trafficking in such a message
Is punished by three years’ imprisonment and a fine of € 75,000, where the message may be seen or perceived by a minor.
Article 434-15-2 Illegal use of a cryptation key
A penalty of three years’ imprisonment and a fine of € 45,000
Article 434-23 Assuming the name of another person in circumstances that lead or could have led to the initiation of a criminal prosecution against such a person
Punished by five years’ imprisonment and a fine of € 75,000.
Resale Royalty Right
Articles L. 335-1 & L. 335-3
Any edition of writings, musical compositions, drawings, paintings or other printed or engraved production made in whole or in part contrary to the laws and regulations relating to the property of authors
Three years’ imprisonment and a fine of € 300,000.
Offences credit cards
LSQ 15 XI 2001 Art. 35 – 39 & 40
Seven years’ imprisonment
Interception
Art. 706-95
Authorised by the judge for a duration of 15 days.
Gambling
Art. 1er-L 12VII 1983 mod.1 Perbn II
Three years’ imprisonment and a fine of € 45,000.