정보통신망법 상 정보통신망침입죄에 대한 비판적 고찰 (Critical Review of Intrusive Acts on Information and Communications Network Criminalized by Act on Information and Communications Network)

This paper proposes legislative adjustment to the current Act on Promotion of Information and Communications Network Utilization and Information Protection, ect(hereafter Act on ICN) after discussing several interpretative problems regarding so called ‘hacking’, that is, intrusive acts on information and communications network prescribed on article 48 - (1) of Act on ICN. The necessity of criminal punishment against intrusive acts on information and communications network has arisen more severely as cyber security matters to a great extent in our daily lives. Criminal punishment against hacking has been more extensive since 1987 when the name of the offence was ‘intrusive and destructive acts on computer networks’ - the origin of the offense. Throughout this process, a number of problems occurred in relation to legal interest protected by the code and corpus delicti as follows;First, legal interest is not properly described in the article. Initially the article seems to protect information and communications networks owned by provider of information and communications services. However, interpretation of legal interest has gradually become blurred due to the rise of personal PC and especially smart phones. Although the extent of protection can expand by interpretational flexibility of the article considering the purpose of enactment, this interpretational measure cannot completely cover substantial difference between the extent of damage caused by infringement on computer systems of service providers and those of individuals.
Second, the definition of information and communications network is not clear enough. When originally enacted, the act seemed to describe individual computer or communication network limited to specific orientations. These days, however, ‘Internet’ connects all the computers all at once, therefore, the information and communications network can easily stretches out indefinitely. Under these circumstances, the term ‘network’ in the code goes against the rule of clarity; the code cannot simply specify which network was compromised from a perpetrator’s end of the rink all the way to a victim’s. The legal statutes of the U.S., Germany and the Council of Europe(Convention on Cybercrime) use the term ‘computer’ or ‘system’ instead of ‘network’, which provides many legislative implications.
Third, the concepts of access and intrusion are ambiguous. While the subject of intrusion is clearly stipulated as information and communications network, the subject of access does not exist. It could mean both: the network, the same as intrusion, and a specific piece of information within the network. Legal appraisal varies according to which approach is taken; if the subject of access is the network itself, access is the prior step to intrusion, so it can be treated as ‘attempted crime’. If it is the letter, access failure to targeted information within the network can still constitute an intrusion to network. In particular, the concept of access should be more clearly defined since it is essential to interpretation of a normative term, ’authority for access’.
In order to solve aforementioned interpretative problems, several legislative amendments should be put in place. First of all, legal interest and corpus delicti ought to be set down in a more detailed matter; the article should clarify whether to protect individual PCs and smart phones. It is possible that the Act on ICN only prescribes the protection of networks owned by service providers and the others - personal gadgets - shall be covered by penal code. Or a new legislation can be enacted so as to include both subjects. Secondly, the extent of network in the article should be narrowly interpreted, and eventually the code should incorporate the terms like ‘computer’ and ‘system’ in the light of overseas cases. Finally, by clarifying the concept of access and intrusion, the same act should be treated equally in any circumstances no matter who interprets it legally.
This paper tries to provide theoretical background under which legal stability and openness of Internet are ensured at the same time. It also intends to provide meaningful implications to discourses regarding culpability of intrusive acts on information and communications network as well as validity of punishment against attempted crime. This research hopes to contribute to a possible new enactment process in addition to the current one because the article 48 - (1) is virtually functioning as fundamental legislation for cyber security.

This paper proposes legislative adjustment to the current Act on Promotion of Information and Communications Network Utilization and Information Protection, ect(hereafter Act on ICN) after discussing several interpretative problems regarding so called ‘hacking’, that is, intrusive acts on information and communications network prescribed on article 48 - (1) of Act on ICN. The necessity of criminal punishment against intrusive acts on information and communications network has arisen more severely as cyber security matters to a great extent in our daily lives. Criminal punishment against hacking has been more extensive since 1987 when the name of the offence was ‘intrusive and destructive acts on computer networks’ - the origin of the offense. Throughout this process, a number of problems occurred in relation to legal interest protected by the code and corpus delicti as follows;First, legal interest is not properly described in the article. Initially the article seems to protect information and communications networks owned by provider of information and communications services. However, interpretation of legal interest has gradually become blurred due to the rise of personal PC and especially smart phones. Although the extent of protection can expand by interpretational flexibility of the article considering the purpose of enactment, this interpretational measure cannot completely cover substantial difference between the extent of damage caused by infringement on computer systems of service providers and those of individuals.
Second, the definition of information and communications network is not clear enough. When originally enacted, the act seemed to describe individual computer or communication network limited to specific orientations. These days, however, ‘Internet’ connects all the computers all at once, therefore, the information and communications network can easily stretches out indefinitely. Under these circumstances, the term ‘network’ in the code goes against the rule of clarity; the code cannot simply specify which network was compromised from a perpetrator’s end of the rink all the way to a victim’s. The legal statutes of the U.S., Germany and the Council of Europe(Convention on Cybercrime) use the term ‘computer’ or ‘system’ instead of ‘network’, which provides many legislative implications.
Third, the concepts of access and intrusion are ambiguous. While the subject of intrusion is clearly stipulated as information and communications network, the subject of access does not exist. It could mean both: the network, the same as intrusion, and a specific piece of information within the network. Legal appraisal varies according to which approach is taken; if the subject of access is the network itself, access is the prior step to intrusion, so it can be treated as ‘attempted crime’. If it is the letter, access failure to targeted information within the network can still constitute an intrusion to network. In particular, the concept of access should be more clearly defined since it is essential to interpretation of a normative term, ’authority for access’.
In order to solve aforementioned interpretative problems, several legislative amendments should be put in place. First of all, legal interest and corpus delicti ought to be set down in a more detailed matter; the article should clarify whether to protect individual PCs and smart phones. It is possible that the Act on ICN only prescribes the protection of networks owned by service providers and the others - personal gadgets - shall be covered by penal code. Or a new legislation can be enacted so as to include both subjects. Secondly, the extent of network in the article should be narrowly interpreted, and eventually the code should incorporate the terms like ‘computer’ and ‘system’ in the light of overseas cases. Finally, by clarifying the concept of access and intrusion, the same act should be treated equally in any circumstances no matter who interprets it legally.
This paper tries to provide theoretical background under which legal stability and openness of Internet are ensured at the same time. It also intends to provide meaningful implications to discourses regarding culpability of intrusive acts on information and communications network as well as validity of punishment against attempted crime. This research hopes to contribute to a possible new enactment process in addition to the current one because the article 48 - (1) is virtually functioning as fundamental legislation for cyber security.