- COMP.SEC.100
- 4. Law and Regulation
- 4.5 Cybercrime
Cybercrime
Crime is related to information technology and information networks in three ways:
- The cyber environment is merely a channel or tool for some traditional form of crime, such as financial fraud.
- Illegal content is distributed through the network, such as pornography or hate speech.
- The crime is directed at information and its technology, i.e. information systems and networks.
With the exception of the last point, it is difficult to present a general international perspective. The content of communication is particularly problematic, because different societies have different views on what is sufficiently illegal to require criminal-law treatment. However, the definition of illegal content is included, at least in the case of child pornography, in the Council of Europe’s Convention on Cybercrime, the so‑called Budapest Convention. It also includes an article on violations of intellectual property rights.
The Budapest Convention dates from 2001, and by May 2026 it had been ratified by 82 states, including the USA but not China. The convention has significantly contributed to harmonising both substantive cybercrime law and the rules for mutual assistance between states. Its Second Additional Protocol (2022) is intended, among other things, to ease cooperation and the transfer of electronic evidence from one country to another, but its effect still lies in the future: as of May 2026, it had been ratified by 4 parties.
Elsewhere in this material there is a classification of crime enabled and amplified by information networks. It subdivides each of points 1, 2 and 3 mentioned at the beginning and brings out the characteristics of the different types of crime. In this chapter, however, the treatment is based only on the law, from a Finnish perspective, and the focus is only on points 2 and 3. We begin with point 3.
Crimes against information systems
An important legislative perspective on information security is captured in the title of a doctoral dissertation: The criminal law protection of data processing peace. The author is Antti Pihlajamäki (University of Helsinki, 2004). The subtitle specifies this as: “Regulation of data crimes in the Finnish Criminal Code,” and at the same time describes the topic of this subsection.
"Peace" appears directly in the Criminal Code in connection with information security. Chapter 24 concerns violation of privacy, peace and personal reputation. Alongside its provision on domestic privacy (§1), a provision on "violation of communication peace" (§1a) was added at the end of 2013; it criminalises intentionally disturbing messages and calls. (The English name of the provision is "harassing communications".)
The 1995 reform of the Criminal Code (39/1889) introduced Chapter 38, "Data and communications offences", which today defines the offences listed below; several of them have been added after 1995. (In the list, "basic" is short for the basic form of an offence, as distinct from its aggravated or petty form.)
- Secrecy offence and violation (§ 1–2; offence being the more serious act)
- Violation of the secrecy of communications (§ 3–4, basic and aggravated) *
- Interference with communications (§ 5–7, basic, aggravated and petty) *
- Interference with an information system (§7a–b, basic and aggravated, from 2007, updated 2015) *
- Unlawful access to an information system (§ 8 and 8a, basic and, from 2007, aggravated; both updated 2015) *
- Offence involving a protection decoding system (§ 8b, from 2001, updated 2014)
- Data protection offence (§ 9, updated in 2018)
- Identity theft (§ 9b, from 2015)
In the cases of violation of the secrecy of communications, unlawful access, and interference with information systems and communications, even an attempt is punishable (marked above with *). In these cases the intended effect may not occur, but the attempt often leaves traces. This differs from secrecy offences, where an unsuccessful attempt would be quite difficult to prove. Where attempts are punishable, the attempt alone may also cause damage to the target, for example when security systems must be renewed as a result. Port scanning, for example, may be considered an attempted unlawful access, which is why a penetration tester needs the target owner's authorisation even for reconnaissance. In contrast, since an amendment in 2011 (Chapter 28 §7), using an internet connection via an unsecured wireless network is no longer considered unauthorised use.
The 2001 addition, offence involving a protection decoding system (§ 8b), supplements the unlawful access provision (§ 8) of Chapter 38 by defining in which situations it is a crime to handle a device or software for decoding protected media content (the handling itself is merely prohibited in another act; see its § 269). The topic also complements the 2005 prohibition in the Copyright Act against circumventing technical protection measures (§ 50a): in simplified terms, the Copyright Act protects recordings and the Criminal Code protects transmissions. The data protection offence provision naturally refers to the EU General Data Protection Regulation and the Finnish Data Protection Act.
Even before 1995 the Criminal Code could be applied to data-related offences: for example, the provisions on unauthorised use in the "theft chapter" (Chapter 28 §7–9) and the provisions on fraud in Chapter 36 (§1–3). Unauthorised use included, and still includes, intrusion into an information system (now separately regulated as unlawful access, which may occur even without intrusion), and fraud includes, for example, falsifying the result of a computation (clarified in §1 in 2003). Giving false testimony has long been prohibited (cf. the Eighth Commandment). A more recent offence is giving false personal data; it belongs not to fraud but to Chapter 16 on offences against public authorities (§5).
Chapter 30 of the Criminal Code prescribes punishment for industrial espionage (§4), violation of a business secret (§5), and misuse of a business secret (§6). Information that is “less strictly secret” than a business secret is a trade secret. It is commercially valuable precisely because it is not generally known. If its owner protects it reasonably well, it is also protected under the Trade Secrets Act (595/2018), which also lays down provisions on technical measures. A trade secret can be much more open to interpretation than a business secret under criminal law, and therefore similar kinds of information should be handled with caution.
More serious than business secrets are national secrets, regulated in Chapter 12 of the Criminal Code on treason offences. The minimum penalty for disclosing one is four months' imprisonment, and, unlike the other disclosure offences mentioned above, disclosure of a security secret is punishable (by at least a fine) even when it happens through negligence, that is, gross carelessness. Naturally, an attempt at disclosure is also punishable. The fine granularity of legislative work shows in the fact that the Criminal Code contains yet another type of secrecy offence, breach of official secrecy (Chapter 40 §5), where attempt is not punishable but negligence is taken into account. When reading the law one must, however, consider the whole, because the same act may fulfil the elements of several offences, and many provisions contain the clause "unless a more severe punishment is provided elsewhere in law".
A denial-of-service attack may be judged as criminal mischief under Chapter 34 §1 of the Criminal Code. Chapter 34 also includes an important and quite information-security-specific addition from 2007: endangerment of data processing using malware or devices, or other people's passwords. Section 9a criminalises the production, distribution and acquisition for use of such tools and passwords, and section 9b criminalises their (malicious) possession, the offence being termed possession of a data system offence device. Section 9a also prohibits distributing instructions for making malware. Amendments in 2007 and 2015 improved EU harmonisation; in 2015, among other things, the acquisition for use just mentioned was added, and at the same time a new concept was introduced into Chapter 35 §§3a–c: criminal damage to data (3a basic, 3b aggravated, 3c petty). Unauthorised encryption of data is also covered here (the English translation uses the term concealment), which means that ransomware attacks fall within its scope.
The Criminal Code also defines what kind of information is illegal. This topic will be discussed later.
Most cybercrimes are complainant offences, meaning that the police will not begin an investigation unless the injured party reports the act and demands punishment for the offender. The technical investigation carried out by the police is often referred to as (digital) forensics. In serious crimes, cybercrimes included, telecommunications monitoring and similar measures may be used in the investigation (Coercive Measures Act, Chapter 10) or already in prevention or detection (Police Act, Chapter 5).
In 2019, Chapter 5a on civilian intelligence was added to the Police Act, which regulates the information gathering of the Security and Intelligence Service for national security purposes. At the same time, the Military Intelligence Act entered into force. These two intelligence perspectives do not impose obligations on citizens or information security professionals, but the latter, at least, may have opinions on the technologies and their scope when legislation is developed.
Illegal or otherwise undesirable information
One of the central tasks of societies and communities is to protect their members from various kinds of harm. These can include
- physical violence (external and internal wars, crimes…),
- health threats (epidemics, toxic food, environment…),
- economic threats (value of money, cheap imports, labour; income differences…)
- psychological threats: to working conditions, work ability, mental health, morality, citizen satisfaction, party loyalty, the popularity of those in power, research funding…
Psychological threats can be extremely complex and may also affect economic matters and, through them, even lead to violence. In psychological threats, the issue is largely about information, and not only in the sense that “knowledge adds to the agony”. The concrete content of the threat varies between different societies and communities (e.g. religious ones), and naturally also between target groups (e.g. children of different ages).
A community can protect its members from harmful information by restricting the dissemination and use of information, that is (roughly), its sale and its purchase or possession. Some restrictions are laid down in law, but most exist only in culture, from the level of nations through social classes and religious and other communities down to companies, families and households. In addition to restrictions, many communities use the opposite method: they provide "better information". Depending on the situation and scale, this may take the form of brainwashing, propaganda, education, advertising, preaching, lobbying, brand building, or more forceful information influence. The last of these is presented briefly in this course in connection with state actors, and its identification is examined separately. Below, only restrictions on information are discussed.
Regulation based on law is most effective when it concerns the dissemination of information, because dissemination is to some extent centralised; peer-to-peer networks between private computer users are, however, a serious challenge to this. Restricting the use of information media or information services is much harder still. There we move into the area of ethical regulation, where content filtering based on voluntary choice or community-level rules can be applied as part of basic information security.
Some types of information are so harmful that their dissemination is prohibited by criminal law. A traditional example is pornography, although the norms have become more lenient over time; the legal term is sexually obscene material. A person distributing such material, or graphic depictions of violence, may receive up to two years' imprisonment, unless the material qualifies as journalism or art. Pornography and violence are addressed in Chapter 17 of the Criminal Code (offences against public order). Journalism and art provide no exemption in Chapter 11 (war crimes and crimes against humanity): according to that chapter, information, opinions or other messages that constitute agitation against a population group may not be made available to others, so they must be destroyed or at most kept in one's own possession. Under Chapter 17 §19, even possession of a sexually obscene image depicting a child is prohibited.
In Finland, the classification and distribution of audiovisual content is supervised by the Finnish Arts and Culture Agency (KUVI, specifically its KAVI section). The provision of content harmful to children is restricted by age ratings. This is based on the Act on Audiovisual Programmes (710/2011). Games also use corresponding markings for age limits and content: PEGI (Pan European Game Information).
One form of protection against harmful information is spam filtering. Ad filtering, which is part of content filtering, has a similar purpose. Closely related, but much more general, is the basic civic ability to avoid being deceived, which can be seen as protecting oneself from deceptive information. Through the internet such information has become increasingly widespread, and protection has failed often enough even in Finland that the Finnish Competition and Consumer Authority has maintained a comprehensive website on scams since 2008. Deceptive messages aimed at obtaining personal data are known as phishing; they may also arrive as spam. Spam and phishing are covered in more detail elsewhere in the course material.
Another type of information threat is cyberbullying. Its automatic detection has been examined in the dissertation "Experts and machines united against cyberbullying" (2014). The different forms of online harassment and bullying are discussed elsewhere in the course material.
The Act on Electronic Communications Services (917/2014) includes sections 182–184 on the responsibility of service providers for content that violates the Criminal Code (with a reference to copyright as well). A purely technical intermediary is not responsible for content, but the administrator of a discussion forum, for example, may be prosecuted for agitation against a population group (§184). The latter follows directly from the Criminal Code (Chapter 11 §10, 2011: "Anyone who makes available to the public or … distributes or keeps available information …"), while the Act on Electronic Communications Services defines the limitations of liability and their conditions. Between the technical intermediary (§182) and the storage provider (§184) lies the technical caching service (§183). For it, too, exemption from liability requires prompt removal of illegal material in certain situations, but naturally the responsibility of the storage provider (e.g. a blogging service) is the greatest: the service provider avoids liability only if it removes (makes unavailable) the stored information without delay once it becomes aware that the information is apparently in violation of the Criminal Code.