Human Rights Education

Article 1: “Anyone who gains illegal access to data, computers and telecommunication systems, which are protected by security measures, can be punished by imprisonment terms ranging between 91 days and one year, or the payment of a fine between five million rials [Equivalent approximately to 150 US dollars] to 20 million rials [around 600 US dollars], or both.

Article 1 of the Cyber Crimes Law defines a specific crime, the occurrence of which in the eye of the law requires the following criteria to be satisfied. In other words, the “material element” of the crime which Article 1 defines consists of:

1. Access should have been gained to data, or computer or telecommunication systems

2. These data, or computer and telecommunication systems, should be protected by security measures

Therefore, the material element of the crime which Article 1 of the Cyber Crimes Law refers to is the perpetration of an action which is termed as a “a positive [active] physical action”, or a specific deed that a person has to physically perform.

Question: What is the outcome and result of the action which is perpetrated?

Answer: The outcome is to gain access to the data or computer or telecommunication systems which belong to another party.

Question: Is gaining access to any data or computer system a crime?

Answer: The Article considers access to the data or systems which are protected by security measures as a criminal activity.

Question: What does the term “security measures” exactly mean?

Answer: Although the legislators have not fully clarified their specific definition of security measures, given that the phrase “illegal access” is mentioned right at the start of the Article’s wording, it seems the legislators were thinking of security measures in their broad and inclusive context. On this basis, the legislators were thinking about a wide range of cases, including instances where a person has protected all of his data or computer systems by passwords, filters or computer lock devices, or cases where he has protected only those data and systems which can be accessed [sentence as written].

Question: Does this Article of the law apply to the security or law enforcement officials, or anyone else investigating the case, when they compel the defendant to unlock his computer system or provide them with his own or a third party’s password?

Answer: Yes. The article clearly mentions the word “anyone” – and this term is all-inclusive, such as security officials, the court investigators, interrogators, court magistrates and judges. There are no exceptions.

Question: When the security officers confiscate and take away the laptop computers or the hard disk drives of the defendants, do they have the right to break into these protected data and systems and gain access to the information recorded in these computers?

Answer: No, because the above-mentioned Article has considered as a crime any type of unlawful access to protected data and systems, unless in cases where gaining such an access is backed by a warrant issued by the judicial officials representing the courts or the prosecutor.

Question: What is the punishment for this crime?

Answer: The legislators have envisaged the two punishment methods of imprisonment and cash fine for this crime. The minimum prison term envisaged is 91 days and the maximum is one year. Also, the minimum and maximum amounts of fine are 5 million and 20 million rials, respectively.  However, these two punishments can be carried out in three ways:

A) The defendant may receive only a prison sentence

B) The defendant may be sentenced only to payment of a cash fine, and based on Article 54 of the same law, the amount of the fine can be changed every three years, according to the rate of inflation. The amount is proposed by the head of the Judiciary and should be approved by the cabinet.

C) The perpetrator can be sentenced to both punishments, that is to say imprisonment and fine.

Note: In Article 27 of this Law, the legislators have specified a number of conditions and criteria whose presence will aggravate the severity of the punishments of the offender, increasing the cash fine or the prison term, or both, by two-thirds of the original maximums of the two punishments. For example, the maximum prison term of one year can be increased to one year, eight months and one day, while the maximum cash fine of 20 million rials can rise to over 34 million rials.

Question: What are the conditions which can attract these aggravated penalties?

Answer:  Article 27 of this Law has enumerated the individuals who will receive these aggravated sentences if they perpetrate certain crimes. Accordingly, these individuals are:

I) If any of the following officials perpetrate cyber-related crimes as a result of their official positions and duties, their punishments will be more severe by an additional two-thirds of the penalties envisaged by the law: All formal and contractual employees or agents of the governmental – or government-affiliated –  organizations and institutions; municipalities; revolutionary institutions and foundations (such as for instance, the Oppressed Foundation, or the State Audit Office) or organizations which function due to regular funding by the government; the institutions which operate under the authority of the Office of the Supreme Leader; employees of the Judiciary, Legislative and Executive branches of state; members of the Armed Forces; individuals holding senior judicial positions (such as judges and magistrates).

To elaborate on the meaning of officials perpetrating cyber crimes because of their positions and responsibilities, one can give this example concerning the case of a government employee who has been provided with a computer, and is in an official role and position which allows him access to some computer or telecommunication information. However, he has been told that he does not have the authority to enter, access or intercept any information in the system. When this employee, despite having full knowledge about not having the right to access the computer data, decides to enter the system and monitor the data there unlawfully, he will – if his crime is proven – receive a punishment which can be heavier than an ordinary person’s penalty for the same crime.

II) Any person who has been legally licensed to control and manage computer and telecommunication networks, and then embarks on cyber-related crimes as a result of the opportunities provided by his position. This is because, according to the law, the public expects these individuals who control and manage their networks to be honest and trustworthy individuals. Therefore, they have absolutely no right to encroach on people’s private domains inside computer systems and networks.

III)  Individuals who have the opportunity to access and monitor the data or portals affiliated to various governmental institutions, or to organizations which are responsible for providing public services.

IV) When the crime is perpetrated in an organized manner on the basis of advance planning and coordination.

V) When the crime happens extensively and in a large scale. For instance, when a person commits the crime more than twice, or when he enters a system illegally on several separate occasions.

The Cyber Crimes Law does not provide a clear definition of these criminal acts, and the legislators have merely given a few examples and instances of computer-related criminal activities, and have then determined the appropriate punishments for them. Before going into each of the individual articles of this law, and subjecting them to legal analysis in a simple language, I believe it is necessary to provide a clear definition of some of the main concepts used in the said law.

The Data: The term “data” in effect refers to all the information which enter the computer in the form of either digits, numbers, letters or various forms of symbols and signs, and are subsequently processed by the computer. The information which is fed to the computer are in the form of either text, or voice (audio) or film (visual). Therefore, whenever  the law talks about “data”, the legislators mean the kind of information which has entered the computer and has undergone processing there, and is then ready to become the computer’s “output” for dissemination. In order to determine cyber crimes, each of the relevant factors should be studied carefully so as to identify the constituent parts of the defined crimes. It is in this way that one can ascertain if a crime defined by the Cyber Crimes Law has actually taken place.

It should be noted that all offences and crimes should have three essential constituent elements. In other words, a specific action or deed can be considered as an offence or crime only if it contains all the three essential elements for the occurrence of a crime, and if even just one of these is absent, then it is not possible to label an action as a crime for certain. This situation is similar to living organisms, who need brain, heart and lungs, and without any of these, their life cannot be sustained.

Question: Which are the three constituent elements of a crime?

Answer:  These three constituent elements are: The legal element; the material element [or the element of conduct; actus reus]; and the mental (or the judicious) element of crime [mens rea]. A crime is like a living organism whose existence is conditional upon the concurrent presence of all three legal, material and mental elements.

The “legal element” of a crime is about the specific article of the law which considers a given act as an offence, and prescribes a specific punishment for it. For instance, Article 588 of the Islamic Penal Law – which declares the acts of giving and receiving bribes as crimes and envisages certain punishments for them – is the legal element for the crime of bribery.

The material element of a crime is the actual physical conduct whose perpetration constitutes a crime in the eye of the law, and because of this, people know that the act should not perpetrated. In other words, if someone carries out an act which the law has defined as a crime, then it is said that the material element of the crime has been fulfilled. In the legal terminology, this processes is described as an actual and material “positive action” – that is to say, any kind of action or deed which is physically perpetrated [as against crimes which result from failure to do something – for example, pay tax]

For example, the law states that if someone puts his hand in another person’s pocket and removes its content without permission, he has committed theft which can be punished. The fundamental essence of this action, that is putting one’s hand inside another person’s pocket and taking out its content, without informing the owner or obtaining his permission, can be defined as the material element of the crime of theft.

Of course, for some crimes, the material element is the failure to do what is required. For instance, a husband is duty-bound to pay his divorced wife maintenance money, and if he fails to do so, he has committed the crime of failing to fulfil his financial commitments. In the legal terminology, it is said that the failure to perform an action constitutes the material element for that particular crime.

A person who commits an unlawful act is termed as the “perpetrator”.

Question: What is the mental or judicious element of a crime?

Answer:  For a crime to actually take place in practice, the person who has perpetrated it must be aware that his conduct constitutes a crime for which the law has envisaged punishments. When a person carries out an action with the full knowledge that his conduct is unlawful and bears penalties and sanctions for him, it is said that the crime has occurred with intent, and the perpetrator has had malice. The mental element of a crime therefore refers to the presence of intent and purpose by the perpetrator of an unlawful action. In effect, it is the malice and ill intention of the perpetrator which forms the mental or judicious element of crime.

There are two categories of criminal malice and ill-intention:

General Malice: In any crime, general malice denotes an awareness of the unlawfulness of a conduct, and carrying it out, regardless, with full intent and purpose. In other words, the mere fact that a person has perpetrated an act while being aware of its criminality means that he has acted with criminal intent, and as such, that particular crime has in practice taken place.

Specific Malice: In some crimes, apart from the prerequisites of awareness of the unlawfulness of a specific conduct, and having a will and intent to carry it out, the perpetrator should also be seeking a result and outcome for himself too. The specific result or consequence that the criminal seeks and expects from his criminal action is referred to as “specific malice”.

For instance, with regards to the unlawful action of gaining unauthorized entry into another person’s home, the mere fact the perpetrator is aware that he does not have the right to enter that home, but still goes ahead and does it by intent and on purpose, allows one to conclude for certain that the crime of illegal trespassing has occurred. In this particular crime, the perpetrator has not achieved any other result.  However, in the case of embezzlement, the embezzler is seeking to win over some assets and wealth from the person whom he embezzles. In the law too, the crime of embezzlement occurs at the point that the perpetrator of the crime achieves the said result, and here, his mere awareness of the criminal nature of his action, together with his intent to deceive another person so as to take away his assets are not enough to enable one to conclude that the crime of embezzlement has actually occurred. Instead, additionally, the presence of a specific malice and ill-intention – that is say taking away the victim’s assets – is also necessary for the crime of embezzlement to occur in the eyes of the law. Therefore, in some crimes, to satisfy the mental element of the crime in question, all that is required is the awareness of the criminality of the action, and the perpetrator’s intent and purpose, while in other crimes, in addition to the factors of awareness and intent, there is also a need for the perpetrator to be pursuing a specific ill-intention and malice.

With the approval of the Cyber Crimes Law on 5 Khordad 1388 [26 May 2009], another chapter was added to the 29 chapters of the Islamic Penal Law. Given that explaining legal concepts in layman terms can assist both the law specialists and ordinary people in understanding the precise meanings of the concepts, which the legislators had in mind originally, the Centre for the Supporters of Human Rights, with the help and cooperation of Ms Mahnaz Parakand, an Iranian lawyer, has tried to shed light on the content of the above-mentioned law purely from a legal point of view, and by using simple, plain language, which is being expressed in a question and answer format. The CSHR recommends that everyone who works with computers in one way or another should study this article. In addition, by reading the article that follows, while you become familiar with a section of the Iranian laws, you also learn more about the scope of censorship, and more generally, the extent of the restrictions imposed on the freedom of expression in Iran.

In the original draft of this law, the following definitions have been provided for some terms and concepts, and before we embark on studying the law itself, we should essentially learn more about the technical concepts and definitions used by its legislators.

A) Computer System: Any machinery or a set of machines made up of interlinked hardware and software, which all operate by executing auto-processing programmes.

B) Communication System: Any kind of electronic transition of data between a source (that is to say an optic source or transmitter) and an optical receiver through one or several communication channels, and on the basis of protocols which the receiver can readily comprehend and interpret.

C) Computer data: Any kind of representation of events, information and concepts in a manner conducive to the task of processing inside a computer system – which essentially includes a suitable programme – thereby allowing the computer system to perform its tasks. Data is valuable from a financial point of view.

D) Traffic of data: Any kind of data which is generated by computers within the chain of communications so as to trace the route of a link from its source to its destination. These data will include the source, the destination, the route, time, date, volume, length [duration] and the type of function and service that is performed.

E) Information: This concept comprises data, text, image, voice, code, computer programme, software, and database, or the microfilm and microfiche material which has been generated by the computer system.

F) Subscriber information: Any kind of information and data which is held by the service provider and relates to the subscribers to the service. These include the type of service being provided, the technical requirements, the subscription period, the identity of the subscribers, their IP address, or their postal and physical address, their phone numbers and other personal details .

G) Service Provider: Any individual or legal entity who provides the subscriber to its services with the means for establishing a link with a computer system, or processes or stores computer data on behalf of the provider of communication services, or the subscribers to that service.