Article 1: “Anyone who gains illegal access to data, computers and telecommunication systems, which are protected by security measures, can be punished by imprisonment terms ranging between 91 days and one year, or the payment of a fine between five million rials [Equivalent approximately to 150 US dollars] to 20 million rials [around 600 US dollars], or both.”
Article 1 of the Cyber Crimes Law defines a specific crime, the occurrence of which, in the eyes of the law, requires the following criteria to be satisfied. In other words, the “material element” of the crime which Article 1 defines consists of:
1. Access should have been gained to data, or computer or telecommunication systems
2. These data, or computer and telecommunication systems, should be protected by security measures
Therefore, the material element of the crime which Article 1 of the Cyber Crimes Law refers to is the perpetration of an action which is termed a “positive [active] physical action”, or a specific deed that a person has to physically perform.
Question: What is the outcome and result of the action which is perpetrated?
Answer: The outcome is to gain access to the data or computer or telecommunication systems which belong to another party.
Question: Is gaining access to any data or computer system a crime?
Answer: The Article considers access to the data or systems which are protected by security measures as a criminal activity.
Question: What does the term “security measures” exactly mean?
Answer: Although the legislators have not fully clarified their specific definition of security measures, given that the phrase “illegal access” is mentioned right at the start of the Article’s wording, it seems the legislators were thinking of security measures in their broad and inclusive context. On this basis, the legislators were thinking about a wide range of cases, including instances where a person has protected all of his data or computer systems by passwords, filters or computer lock devices, or cases where he has protected only those data and systems which can be accessed [sentence as written].
Question: Does this Article of the law apply to the security or law enforcement officials, or anyone else investigating the case, when they compel the defendant to unlock his computer system or provide them with his own or a third party’s password?
Answer: Yes. The article clearly uses the word “anyone”, and this term is all-inclusive: it covers security officials, court investigators, interrogators, court magistrates and judges. There are no exceptions.
Question: When the security officers confiscate and take away the laptop computers or the hard disk drives of the defendants, do they have the right to break into these protected data and systems and gain access to the information recorded in these computers?
Answer: No, because the above-mentioned Article treats any type of unlawful access to protected data and systems as a crime, except in cases where such access is backed by a warrant issued by the judicial officials representing the courts or the prosecutor.
Question: What is the punishment for this crime?
Answer: The legislators have envisaged the two punishment methods of imprisonment and cash fine for this crime. The minimum prison term envisaged is 91 days and the maximum is one year. Also, the minimum and maximum amounts of fine are 5 million and 20 million rials, respectively. However, these two punishments can be carried out in three ways:
A) The defendant may receive only a prison sentence
B) The defendant may be sentenced only to payment of a cash fine, and based on Article 54 of the same law, the amount of the fine can be changed every three years, according to the rate of inflation. The amount is proposed by the head of the Judiciary and should be approved by the cabinet.
C) The perpetrator can be sentenced to both punishments, that is to say imprisonment and fine.
Note: In Article 27 of this Law, the legislators have specified a number of conditions and criteria whose presence will aggravate the severity of the punishments of the offender, increasing the cash fine or the prison term, or both, by two-thirds of the original maximums of the two punishments. For example, the maximum prison term of one year can be increased to one year, eight months and one day, while the maximum cash fine of 20 million rials can rise to over 34 million rials.
Question: What are the conditions which can attract these aggravated penalties?
Answer: Article 27 of this Law has enumerated the individuals who will receive these aggravated sentences if they perpetrate certain crimes. Accordingly, these individuals are:
I) If any of the following officials perpetrate cyber-related crimes as a result of their official positions and duties, their punishments will be more severe by an additional two-thirds of the penalties envisaged by the law: all formal and contractual employees or agents of governmental or government-affiliated organizations and institutions; municipalities; revolutionary institutions and foundations (such as the Oppressed Foundation or the State Audit Office) or organizations which function due to regular funding by the government; the institutions which operate under the authority of the Office of the Supreme Leader; employees of the Judiciary, Legislative and Executive branches of state; members of the Armed Forces; individuals holding senior judicial positions (such as judges and magistrates).
To illustrate what it means for officials to perpetrate cyber crimes because of their positions and responsibilities, consider a government employee who has been provided with a computer and holds an official role and position which allows him access to some computer or telecommunication information. However, he has been told that he does not have the authority to enter, access or intercept any information in the system. When this employee, despite knowing full well that he has no right to access the computer data, decides to enter the system and monitor the data there unlawfully, he will, if his crime is proven, receive a punishment which can be heavier than an ordinary person’s penalty for the same crime.
II) Any person who has been legally licensed to control and manage computer and telecommunication networks, and then embarks on cyber-related crimes as a result of the opportunities provided by his position. This is because, according to the law, the public expects these individuals who control and manage their networks to be honest and trustworthy individuals. Therefore, they have absolutely no right to encroach on people’s private domains inside computer systems and networks.
III) Individuals who have the opportunity to access and monitor the data or portals affiliated to various governmental institutions, or to organizations which are responsible for providing public services.
IV) When the crime is perpetrated in an organized manner on the basis of advance planning and coordination.
V) When the crime happens extensively and on a large scale. For instance, when a person commits the crime more than twice, or when he enters a system illegally on several separate occasions.