With the rapid advancement of digitalization and the transition of many industries from analog foundations to digital infrastructures, lawmakers have had to increasingly grapple with the issue of computer crime over the last 30 years. The emergence of the internet and the growing societal prevalence of digital infrastructures created a new breeding ground for criminals. In the early 1990s, so-called “computer offenses” were incorporated into the Swiss Criminal Code, through provisions intended to address the evolving landscape of cybercrime. However, ongoing progress in the digital realm has seen cybercriminals develop new opportunities, tools, and methods to carry out their activities, necessitating repeated revisions of the criminal provisions for digital offenses. On November 23, 2001, Switzerland signed the Council of Europe Convention on Cybercrime, which aimed to establish international standards. The Convention came into force in Switzerland on January 1, 2012, requiring the Swiss legislature to implement its guidelines and objectives into national law. Only a few adjustments to the Swiss Criminal Code and Mutual Assistance Act were needed: for instance, Article 143bis of the Swiss Criminal Code was amended. How are such cyberattacks legally classified?
In Swiss criminal law, cyberattacks can fall under Articles 143, 143bis para. 1, 144bis para. 1, and 179novies of the Swiss Criminal Code. Because research in the digital legal domain is limited and the progress of digitization is ongoing, Switzerland’s computer offense provisions have been formulated broadly and vaguely.
Article 143 of the Swiss Criminal Code establishes the offense of unauthorized data acquisition. This provision criminalizes “Any person who for his own or for another's unlawful gain obtains for himself or another data that is stored or transmitted electronically or in some similar manner and which is not intended for him and has been specially secured to prevent his access.” The protected legal interest under this provision comprises both the undisturbed right to control computer data (so-called "computer peace") and under certain circumstances the victim's property.
The object of attack under Article 143 of the Swiss Criminal Code is data. According to prevailing doctrine, data encompasses "all notations that can be the subject of human communication, provided they can be processed, stored, or transmitted in coded form by a data processing system" (Stratenwerth/Jenny/Bommer, BT/17, §14 N 25). To constitute the offense of unauthorized data acquisition, a cyberattack must siphon off data from the victim and transmit them to the perpetrator without authorization; destruction of software or hardware is not covered by Article 143. Furthermore, the wording of the legal provision requires that access to the acquired data was specially secured. Depending on the industry and the data sensitivity, various access security measures are deemed sufficient, taking into account the individual case. For instance, a bank must implement more stringent measures to protect customer data than a photographer who stores wedding photos of clients. Access security measures may include features like firewalls and fingerprint or password protections. For an attack using ransomware to extort the victim, culpability under Article 143 of the Swiss Criminal Code depends on whether the ransomware transfers data to the perpetrator. Relatedly, Article 156 of the Swiss Criminal Code concerns extortion and is especially applicable to cases of ransom demands. Criminal culpability for social engineering is determined by specific circumstances: Article 143 applies only if the perpetrator attempts to gain passwords to overcome specific access barriers. In summary, Article 143 of the Swiss Criminal Code covers the unauthorized acquisition or transmission of data to the perpetrator (data theft).
Article 143bis of the Swiss Criminal Code establishes the offense of unauthorized intrusion into a data processing system. This provision criminalizes “Any person who obtains unauthorized access by means of data transmission equipment to a data processing system that has been specially secured to prevent his access.” The protected legal interest here is the rightful owner’s privacy and decision-making freedom, which should grant them free choice over access to secure data processing systems. This provision relates to classic cyber-hacking (for example, see https://www.teichmann-it.com/services/cyberhacking.html) – unauthorized entry into data processing systems. For the offense to be committed, the hacked device or IT system must be foreign and, as under Article 143, securely protected. In summary, Article 143bis of the Swiss Criminal Code covers intrusion into a foreign, secure IT system (cyber-hacking).
Art. 144bis of the Swiss Criminal Code establishes the offense of data damage. This provision criminalizes “Any person who without authority alters, deletes or renders unusable data that is stored or transmitted electronically or in some other similar way.” The protected legal interest here is authority over intact data. The acts of alteration, deletion, and rendering unusable constitute the offense, and a certain degree of damage is required for liability. Furthermore, the interference must be irreversible and unauthorized. Use of malware and ransomware can damage hardware and software, thereby fulfilling the elements of the offense. In summary, Article 144bis encompasses data sabotage.
Art. 179novies of the Swiss Criminal Code establishes the offense of unauthorized acquisition of personal data. This provision criminalizes “Any person who without authorization obtains from a data collection personal data or personality profiles that are particularly sensitive and that are not freely accessible.” The protected legal interest here is the individual's personality. Particularly sensitive personal data are defined by Art. 5 lit. c of the Federal Data Protection Act (DSG). The definition includes religious and political views, health data, genetic and biometric data, data on criminal prosecutions, and data on social assistance measures. Regarding acquisition, merely gaining knowledge of such data is sufficient to fulfill this offense criterion. Cybercriminals primarily employ malware and ransomware for the unauthorized acquisition of particularly sensitive personal data or personality profiles, with (spear) phishing their usual attack method. Brute force and social engineering are also employed to overcome potential access barriers. In summary, Article 179novies pertains to the unauthorized acquisition of personal data.
The future formulations of Criminal Code provisions must align with the state of digitization and, as much as possible, be closely tailored to current possibilities, means, and methods used by perpetrators. Legislative and research bodies must constantly monitor the need to adapt and enact criminal provisions. It is essential to prevent a significant gap between legal norms and actual cyberattacks.