PUBLICATIONS

KICJ Research Reports

New Methods of Financial Fraud and Policy Response: Cyber-Financial Fraud Utilizing Technology
  • Language: Korean
  • Authors: Daekeun Kim, Seoksoon Im, Sangwook Kang, Kibom Kim
  • ISBN: 979-11-87160-31-1
  • Date: December 01, 2016
  • Hit: 356

Abstract

As frauds such as voice phishing that target many unspecified persons become more sophisticated, new forms of financial fraud (hereinafter “new financial frauds”) have emerged as a social problem. Using technology, these frauds take advantage of security weaknesses that are exposed amid the changing ICT environment and target a wide range of victims. The recent rise of such crimes is due to the professional, meticulous technology used, which makes investigation or exposure difficult. Another reason is that, as the amount of damage incurred in each individual case is generally small, victims are less motivated to report the crime. Laws applicable to new financial frauds exist; however, they overlap and are scattered across a wide range of statutes, including the Criminal Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (hereinafter “Act on Information and Communications Network”), and the Special Act on Refund of Amount of Damage Caused by Telecommunications Bank Fraud. There is also a range of related institutions, including the police, the prosecution, ministries such as the Ministry of Science, ICT and Future Planning and the Ministry of Government Administration and Home Affairs, the Financial Services Commission, and the Korea Internet and Security Agency. Above all, new financial frauds occur in ways that are difficult to categorize, both in conceptual and practical terms, thereby undermining the accuracy of estimates of the amount of damage caused.
Taking note of this limitation, this research redefines the concepts and categories of new financial frauds, aiming to establish the fundamentals for designing criminal and other policy responses. To do so, this study looks at the estimation of the real damage incurred by new financial frauds and draws implications for criminal policy. In particular, it analyzes various aspects of new financial frauds in relation to the general public (e.g. awareness, experience of both perpetrators and victims, concerns, views on solutions) to estimate the social cost caused. It also aims to identify the occurrence rate and damage of crimes beyond the findings of institutions.
Although new financial frauds are becoming more varied and complicated, they remain consistent in that their ultimate goal is "money" or profit in property. These frauds, which ultimately seek to acquire profit in property, fall under fraud (use of computers, etc.) or extortion under the Criminal Act. There are also many punishment provisions under various Acts, including the Personal Information Protection Act, the Act on Information and Communications Network, and countless others, which may be applied to different stages of such crimes. At a glance, no specific faults are found in the penalty provisions. However, there has been consistent criticism that each statutory penalty is excessive, and that the excessive number of applicable laws creates confusion in the course of application. Fundamentally, new financial frauds should be viewed as having the mixed characteristics of financial crime, organized crime and high-tech crime. Therefore, although the relevant department of competent ministries such as the prosecution and police will be determined depending on the classification of new financial fraud, it is essential for departments to cooperate with each other rather than to hold one department responsible. In addition to cooperation between domestic ministries, international cooperation in criminal justice is particularly important because new financial fraud organizations are generally point organizations and are located abroad, beyond the reach of the domestic police force and jurisdiction. Also, creating a procedure that enables quick remedial measures for innocent and good-willed (indirect) victims is a challenge that must be addressed. Regarding damage reimbursement for direct victims, there are existing measures such as the Reimbursement Policy for Telecommunications Fraud, which were established to hasten compensation of relatively small amounts of damage. However, the policy requires civil proceedings, making it all the more inconvenient for victims. Therefore, realignment of reimbursement measures is deemed necessary.
Related legal cases and policies of other countries show that, although there are slight differences in detail, the differences are not significant. The policies are generally similar in that they regulate the stealing of personal and financial information, as well as the acquisition of illegal profits and money laundering. Unfortunately, the legislative systems of other countries are too different from the Korean system to use as a reference. One thing in common, however, is that there is a considerable number of complex laws applicable to new forms of financial fraud. This is because new financial fraud is an action or a phenomenon that manifests or occurs in a significantly complex form. Considering the complexity of such an action or phenomenon, the response systems of Korea and other nations seem very inadequate. From theft and collection of personal and financial information to production and circulation of malicious code, illegal possession and gain of profit, and money laundering, the single term “new forms of financial fraud” covers a mixture of various complex crimes. However, when responding to new financial frauds, crimes are classified into different categories such as cybercrime and financial crime and addressed separately. In short, the situation can be summarized as “Complication and Integration of Criminal Action or Criminal Phenomenon vs. Departmentalization of Response System.” The gap or inadequacy between the phenomenon and the response is seen not only in Korea but also in other countries. This implies a need to establish a close cooperation system between competent departments in each criterion, or a need to establish an “Integrated Response Center.” At the same time as enhancing cooperation among domestic institutions, it is important to establish a system for international assistance in criminal justice, as new financial frauds are taking place at the international and organizational level.
It may seem that, content-wise, existing conventions such as the Convention on Cybercrime and the United Nations Convention against Transnational Organized Crime (UNCTOC) have already formed the basis of a cross-border cooperation system. In truth, although the Convention on Cybercrime is not of great benefit to Korea regarding substantive law, it does have significance in terms of international cooperation, as it promotes assistance in criminal justice. However, in reality, international cooperation is limited due to tension between the legal system and legal implementation. Also, as long as tension remains between the country requesting cooperation and the country being requested, and countries adhere to the principle of state sovereignty, international cooperation will be a challenge. This is because assistance in criminal justice can only be effective when it is based on mutual confidence and the will of each party.
For an effective criminal policy response, calculating the social cost of related crimes is deemed meaningful. However, there is a lack of empirical and reliable research on estimating the social cost of cybercrime. Previous works focused on sporadic topics such as estimating the social cost of single large-scale attacks (e.g. hacking, DDoS, etc.) and crimes (e.g. online gambling and illegal Sports Toto). On the other hand, there is a lack of research on the social cost of new financial frauds. Therefore, this research aims to draw an estimation of the social cost caused by new financial frauds in Korea, using a cost-estimating model applicable to all cybercrimes. According to the estimation, in 2015, the social cost of new financial frauds amounted to KRW 1.802 trillion. Specifically, prevention cost amounted to KRW 351.3 billion, and resulting cost, considering the loss of property based on polls, amounted to KRW 660.8 billion, accounting for 32.5% and 61.2%, respectively, of the total social cost. Comparatively, response cost amounted to KRW 68.1 billion, reaching less than 7% of the total social cost. This implies that the proportion of response cost is significantly smaller than that of the resulting cost. However, the estimated figures for the resulting and prevention costs look different in relation to the overall cost of crime. The proportion of the resulting cost is relatively smaller and that of the prevention cost is relatively higher. Based on this estimation, it is possible to think that the low resulting cost is because relatively more investment was made in preventing crimes. If this is the case, it is also possible to draw the positive conclusion that the reduction in resulting cost is because a reasonable amount of time and investment is being put into preventing new financial frauds. Contrary to the above conclusion, a completely different conclusion is drawn when loss of property is calculated based on the figures from the National Police Agency. The prevention cost remains the same at KRW 351.3 billion, but the resulting cost amounts to KRW 3.6557 trillion, accounting for 8.6% and 89.7%, respectively. This means that the proportion of the resulting cost is much higher, even than in the overall cost of crime, and consequently the proportion of the prevention and response cost is much lower. Based on these figures, it can be concluded that investment in preventing and responding to new financial frauds is not substantial even when general crime is included in the calculation. To reduce the resulting cost, which reaches almost KRW 4 trillion, more investment should be made in prevention. Furthermore, 85% of the prevention cost is used to prevent crimes on an individual level (e.g. information activities and preventative action, education on crime prevention, etc.), which implies that most of the prevention is done on an individual level. Thus, prevention on the national level is unreasonably insufficient. However, it is difficult to deny that the above estimates have limitations to a certain degree due to factors such as the relatively new and not yet established concept of new financial fraud, the intrinsic limitations of National Police Agency data, and the difficulty of categorizing such a flexible concept.
Based on the above research outcomes, this paper suggests the following measures to improve the legal system.
First, the Penalty Provision (Article 15-2(1)) under the current Special Act on Refund of Amount of Damage Caused by Telecommunications Bank Fraud does not substantially reflect the nature of property crime report of Telecommunications Bank Frauds. Also, the act under Article 15-2(2), “Inputting data or instructions into computers or other information processing units by using other person’s data he or she acquires,” is a crime subject to a greater degree of criticism than the crime of causing victims to input data, in that the criminal may continue committing the same crime by inputting data themselves until he or she is exposed. Therefore, it is inappropriate to prescribe the same statutory penalty for subparagraph 2 as for subparagraph 1. Thus, it is necessary to classify the constituents of Telecommunications Bank Fraud under the current Act on Refund of Amount of Damage Caused by Telecommunications Bank Fraud as 1) actions using technological measures to steal information related to individuals (e.g. sending spam mails, circulating malicious programs, etc.); 2) actions to steal personal and financial information; and 3) actions incurring loss of property, based on the seriousness of the damage caused by the crime rather than on the doer, in order to differentiate statutory penalties according to this classification. The above suggestion should be implemented considering that new financial frauds have the characteristic of a “converged crime,” meaning they may occur as crimes that begin as information crime and are completed as property crime, or as crimes that have characteristics of information crime but ultimately take place in the form of property crime. This means that implementation should be accompanied by policy discussions on issues such as strengthening the identification procedure for victims, establishing a delayed transfer system, and streamlining the compensation procedure for small damages. At the same time, it should also consider policies regarding leakage and misuse of personal information, and rapid alteration procedures for such information.
In cases where telecommunications business operators perceive facts related to new financial frauds in good faith, it is necessary to create exemption provisions for actions related to removal and invalidation of information. Where there is reasonable evidence to suspect such a criminal act, business operators such as telecommunications service providers may take measures to block and notify the sender (receiver if necessary) of the reason, and in the case that the block is removed due to the objection of the sender (receiver if necessary), business operators are exempt from compensating the damage. Such an exemption provision is expected to give telecommunications business operators some leeway in their responsibility to compensate for damage, and allow them to more actively develop preventative measures against new financial frauds. In addition, it is necessary to establish grounds under the Act on Refund of Amount of Damage Caused by Telecommunications Bank Fraud for confiscation of personal and financial information acquired through telecommunications bank frauds, and also to create well-written provisions under which destruction of personal information may be ordered even when it is possessed by criminals already convicted of committing the crime.
In the course of practical investigations, response systems should be focused on threats, not on individual cases. First, an investigation team exclusively for new financial frauds should be assigned and operated among major regional public procurement services including Seoul, Gyeonggi, and Busan. When cases are reported and accepted at police stations across the country, the data is entered into the criminal justice information system. Next, one of the regional public procurement services with an exclusive investigation team receives the information and transmits the investigation. Simultaneously, the National Police Agency analyzes various factors such as the method used in the crime, account number, identification number, phone number, method used in money laundering, and patterns of malicious programs, to specify a certain criminal organization, and then prioritizes the investigation. Where significant information such as a specific suspect is found as a result of the analysis of criminal information, such information is transmitted to regional public procurement services with exclusive investigation teams, such as Seoul, Gyeonggi, and Busan. This is to speed up the investigation and support international joint investigation. In other words, it is necessary to build a response system where the police collect data from criminal cases, the regional public procurement services investigate criminal organizations, and the National Police Agency analyzes criminal information and supports international cooperation; that is, a response system that is centered not around individual cases but around threats.
On a separate note, international money laundering using bitcoins has recently emerged as a problem. To address this issue, it is necessary to revise the Act on Reporting and Using Specified Financial Transaction Information so that bitcoin exchange offices over a certain size are included in “financial company, etc.” and the action of exchanging bitcoins is included in “financial transaction” under that Act, making it an obligation for such bitcoin exchange offices to submit Suspicious Transaction Reports (STR) and Currency Transaction Reports (CTR) to Financial Intelligence Units (FIUs). Based on these reports, the FIU should ensure that bitcoin transactions are included in the analysis of data. In the long term, efforts should be put into establishing a system that shares transaction information on bitcoins even with the Egmont Group, an international network of FIUs.
Utilization of malicious programs is also a rising concern. The current Act on Information and Communications Network addresses crimes of transmission and circulation of malicious programs, but does not include penalty provisions related to production and possession of such programs. Therefore, it is necessary to revise the Act on Information and Communications Network and create new penalty provisions applicable to production and possession of malicious programs. Through these provisions, programmers who produce malicious programs at the request of criminals, and programmers who possess malicious programs for the purpose of committing crime, shall be punished. However, as the problem of dual use exists in the case of possession, an additional component stating “for the purpose of committing crime” or “for unjust purpose or purpose to gain profit” should be added to the provision. Going further, it is necessary to impose criminal punishment on those who transact vulnerabilities within the system, operating system, and software with a third party for the purpose of committing crime. However, it must be noted that regulation of transactions related to providing and purchasing vulnerabilities should not be unconditional, as such transactions may enhance system security as well as research and technology development. Therefore, it is necessary to create a provision on "prohibition of transaction of vulnerabilities" following Article 48 (Prohibition on Intrusive Acts, etc. on Information and Communications Network) and Article 48-2 (Countermeasures, etc. against Intrusion Cases) under the Act on Information and Communications Network, to legislate the prohibition of "transaction including offering and purchase of the system's or program's vulnerabilities to a third party for the purpose of committing crime."

Lastly, there is a need to create immediate preservation measures in order to carry out investigations addressing highly volatile data. Most advanced countries have already legislated related policies, or have joined the Council of Europe’s Convention on Cybercrime, and are offering their cooperation at Korea's request. Korea, however, is failing to cooperate due to the absence of a legal basis. The immediate preservation of data is a different concept from the judge’s submission order provided in Article 106(2) of the Criminal Procedure Act. And even if investigation agencies order preservation of data, additional examination by the court, such as a request for provision of communication confirmation data or a warrant of search and confiscation, is needed, which means it is difficult to deem investigation agencies as having excessive authority.
Therefore, where investigation agencies urgently need to preserve related data such as communication confirmation data or content of communication due to the possibility of the data being lost or affected, it is necessary to create a system for ordering immediate preservation measures under Acts such as the Criminal Procedure Act or the Act on Information and Communications Network, so that investigation agencies (or with permission of the court) can order telecommunications business operators to store such data for a certain period of time.
File
  • pdf Attachment: 2448-6 신종금융사기범죄(최종).pdf (8.46MB / Download: 1882)