COMPUTER CRIMES
Supreme Court of Cassation: computer fraud, the concept of 'digital identity' also applies in cases of home banking.
The notion of digital identity, which integrates the aggravating circumstance pursuant to Article 640-ter, third paragraph of the Criminal Code, does not presuppose a validation procedure adopted by the PA, but also finds application in cases of use of access credentials to private computer systems.
The defendant was sentenced by the Court for the offence of money laundering, for having made available to unknown persons his bank account where money from the offences of unauthorised access to a computer system and computer fraud had flowed. The Court of Appeal, partially reforming the first instance sentence, qualified the act under Article 640-ter of the criminal code and redetermined the sentence in favour of the man.
The defendant thus appealed to the Court of Cassation, claiming violation of the law and defective motivation with regard to the existence of the aggravating circumstance pursuant to paragraph 3 of Article 640-ter of the criminal code. He points out that the trial results do not prove the existence of theft or undue use of the digital identity, a concept that cannot be adapted to the case under examination, in which, in order to access the victim's bank account, an electronic key had been used to communicate the access code to be used from time to time.
In ruling No. 13559 of 3 April, the Second Criminal Section rejected the appeal.
The notion of digital identity, which integrates the aggravating circumstance in question, is not restricted to the validation procedures adopted by the PA, but also applies in the case of the use of access credentials to computer systems managed by private individuals.
In fact, the legislator has not provided any definition of digital identity.
The doctrine has pointed out that the translation into criminal law of definitions taken from external sources finds an obvious obstacle in the fact that they are conceptualisations or methodological indications functional to the specific measures to which they pertain.
The Office of the Attorney General has stated that 'digital identity is commonly understood as the set of information and resources granted by a computer system to a particular user of that system under an identification process (...)'.
Although it is, therefore, a concept destined to be defined in the future, the defence's argument that claims to limit digital identity only to validation procedures adopted by the PA duly certified cannot be accepted, excluding access procedures by means of credentials to privately managed computer systems such as home banking services or online sales platforms.
And these indications, expressed with regard to the use of personal credentials for access to so-called home banking systems or similar, can also be applied to the illegitimate use of so-called PINs and electronic keys that produce a code to perform the banking transaction, since in all cases, what matters is that 'the access data to the computer system from time to time compulsorily entered by the agent directly or through the use of electronic devices, uniquely and uniquely identify a particular person by means of numbers or letters according to a unique sequence intended to be used (. .) only by the holder or a person authorised by him'.
Finally, it can be confirmed that the unauthorised use of the electronic key belonging to the account holder integrates the contested aggravating circumstance and presupposes, however, upstream, an unauthorised use of the account access credentials inherent in the person of its holder.
The defendant was sentenced by the Court for the offence of money laundering, for having made available to unknown persons his bank account where money from the offences of unauthorised access to a computer system and computer fraud had flowed. The Court of Appeal, partially reforming the first instance sentence, qualified the act under Article 640-ter of the criminal code and redetermined the sentence in favour of the man.
The defendant thus appealed to the Court of Cassation, claiming violation of the law and defective motivation with regard to the existence of the aggravating circumstance pursuant to paragraph 3 of Article 640-ter of the criminal code. He points out that the trial results do not prove the existence of theft or undue use of the digital identity, a concept that cannot be adapted to the case under examination, in which, in order to access the victim's bank account, an electronic key had been used to communicate the access code to be used from time to time.
In ruling No. 13559 of 3 April, the Second Criminal Section rejected the appeal.
The notion of digital identity, which integrates the aggravating circumstance in question, is not restricted to the validation procedures adopted by the PA, but also applies in the case of the use of access credentials to computer systems managed by private individuals.
In fact, the legislator has not provided any definition of digital identity.
The doctrine has pointed out that the translation into criminal law of definitions taken from external sources finds an obvious obstacle in the fact that they are conceptualisations or methodological indications functional to the specific measures to which they pertain.
The Office of the Attorney General has stated that 'digital identity is commonly understood as the set of information and resources granted by a computer system to a particular user of that system under an identification process (...)'.
Although it is, therefore, a concept destined to be defined in the future, the defence's argument that claims to limit digital identity only to validation procedures adopted by the PA duly certified cannot be accepted, excluding access procedures by means of credentials to privately managed computer systems such as home banking services or online sales platforms.
And these indications, expressed with regard to the use of personal credentials for access to so-called home banking systems or similar, can also be applied to the illegitimate use of so-called PINs and electronic keys that produce a code to perform the banking transaction, since in all cases, what matters is that 'the access data to the computer system from time to time compulsorily entered by the agent directly or through the use of electronic devices, uniquely and uniquely identify a particular person by means of numbers or letters according to a unique sequence intended to be used (. .) only by the holder or a person authorised by him'.
Finally, it can be confirmed that the unauthorised use of the electronic key belonging to the account holder integrates the contested aggravating circumstance and presupposes, however, upstream, an unauthorised use of the account access credentials inherent in the person of its holder.
