One Wrong Crawling Program Led to Computer Network Intrusion Charges? Understanding the Boundaries

1. Overview of Automated Programs and Legal Issues

In today’s online marketing environment, the use of automated reply programs has become commonplace. Automated technologies have significantly improved efficiency in various areas including advertising posts, content distribution, and customer interactions. However, questions continue to arise about the potential legal liabilities when these automated reply programs place excessive load on portal sites or social media platforms or interfere with their normal operations.

Whether automated programs can be classified as ‘malicious programs’ under the Information and Communications Network Act is a critical legal issue for both developers and users. This article analyzes the criteria for determining when automated marketing programs are considered ‘malicious programs’ subject to legal sanctions, focusing on the Uijeongbu District Court 2017No309 decision and the Supreme Court 2017Do16520 decision in South Korea.

2. Analysis of Uijeongbu District Court 2017No309 and Supreme Court 2017Do16520 Decisions

Case Background

The defendants sold multiple automated programs they had developed through a site specializing in advertising automation software. The main functions of these programs included:

• Automatically posting content and images on cafes, blogs, etc. on portal sites such as Naver and Daum
• Automatically extracting member IDs from Naver cafes
• Searching for Naver users and automatically writing messages or comments and sending messages

The prosecution indicted the defendants for violating Article 48(2) of the former Information and Communications Network Act, claiming that these programs constituted ‘malicious programs’ capable of interfering with the operation of information and communication systems, and that the defendants distributed these programs through sales.

Prosecution’s Argument

The prosecution argued that the buyers of these programs made repetitive requests for specific tasks in a short time, generating excessive load (traffic) on portal site servers. This allegedly created 5 to 500 times more server load than normal human operation, producing effects similar to a DDoS attack and interfering with server operations.

Court’s Decision

While the first instance court found the defendants guilty, both the appellate court (Uijeongbu District Court) and the Supreme Court acquitted them. The main reasoning of the appellate court was as follows:

1. Degree of ‘Operational Interference’: The court held that ‘operational interference’ by malicious programs under Article 48(2) of the former Information and Communications Network Act refers to serious threats comparable to ‘damage, destruction, alteration, or forgery’ of information and communication systems. The court determined that merely causing greater load than normal is insufficient to decisively conclude that a program can substantially interfere with the operation of an information and communication system.
2. Insufficient Evidence: There was no evidence that even if the programs were used simultaneously by multiple buyers, serious disruptions such as server downtime actually occurred on Naver or other portal sites. Given the vast processing capacity of portal sites, the court found it unlikely that the increased load from individual programs could have a significant impact.
3. Principle of Legality: The court pointed out that considering a program ‘malicious’ merely because the possibility of disruption cannot be ruled out under extreme assumptions (e.g., an enormous number of people using it simultaneously) would be an overly broad interpretation of the penal provisions, contrary to the principle of legality (nulla poena sine lege).

3. Legal Definition and Criteria for ‘Malicious Programs’

In its 2017Do16520 decision, the Supreme Court set forth the following legal principles regarding ‘malicious programs’:

Nature of the Crime of Distributing Malicious Programs (Danger Crime)

The Supreme Court clarified that the offense under Article 48(2) of the former Information and Communications Network Act is established by the mere act of transferring or distributing programs that ‘can’ damage, destroy, alter, forge, or interfere with the operation of information and communication systems. It is a ‘danger crime’ that does not require actual occurrence of such results.

Criteria for Determining ‘Malicious Programs’

Whether a program constitutes a ‘malicious program’ should be determined based on the program itself, considering the following factors comprehensively:

• The program’s intended use and technical configuration
• Its operational method
• Its impact on information and communication systems
• Whether the system operator consented to the program’s installation

Specific Reasons for Acquittal

The Supreme Court found that the programs in this case were not ‘malicious programs’ for the following reasons:

1. These programs essentially just automated tasks that ordinary users could perform manually (posting articles/comments, sending messages, etc.) and repeated them at a faster pace, using the same paths and methods.
2. Although some programs had features to use proxy servers to bypass IP blocking, this was not a method of damaging the system or physically interfering with its function, but merely helping users pass without triggering IP blocking causes within the system’s expected operation.
3. Crucially, there was no evidence that the use of these programs actually interfered with the functional performance of the portal site’s information and communication systems or caused disruptions such as server downtime.

4. Punishability of Automated Actions that Cause Load on Portal Services

According to the court’s decision, automated programs that merely place load on services are not easily classified as ‘malicious programs’ in themselves. However, legal sanctions may still be possible in the following cases:

1. Causing Serious Operational Disruptions like Server Downtime: When the use of a program actually severely interferes with the normal operation of a service, causing disruptions such as server downtime
2. Application of Other Legal Regulations: Even if not classified as ‘malicious programs’ under the Information and Communications Network Act, there could be other legal liabilities from violating spam regulations, terms of service (civil liability), or business interference under the Criminal Act
3. System Damage, Destruction, Alteration, or Forgery: When an automated program goes beyond merely generating load and has functions that damage or alter system data

5. Comparison with the Fraudulent Clicks Case (Supreme Court 2010Do14607)

This decision shows different aspects of illegality assessment for automated programs compared to the previous ‘Fraudulent Clicks Case’ (Supreme Court 2010Do14607).

Applied Laws and Focus of ‘Interference’

• Fraudulent Clicks Case: The key to the guilty verdict was that automated ‘input of false information’ caused the system to operate differently from its original purpose, resulting in ‘interference with information processing’ and disrupting business (under the Criminal Act). ‘Information and communications network interference’ (undermining stable network operation) under the Information and Communications Network Act was not recognized.
• Automated Marketing Programs Case: The issue was whether the programs themselves constituted ‘malicious programs’ under the Information and Communications Network Act. The court held that for a program to ‘be capable of interfering with system operation,’ the interference must be serious enough to be comparable to ‘damage, destruction, alteration, or forgery,’ making it difficult to recognize programs that merely increase server load as malicious.

Context of ‘Maliciousness’ Determination

• Fraudulent Clicks Case: The focus of maliciousness was on the ‘falsity of information’ created by automated actions and the resulting ‘distortion of business results.’
• Automated Marketing Programs Case: The focus was on the program’s destructive capabilities, specifically its ‘potential risk’ to directly threaten the fundamental operation of the system, though the court set a very high standard for this.

6. Comparison with the Druking Case (Supreme Court 2020Do16062)

Unlike the 2017No309 decision where automated marketing programs were not recognized as ‘malicious programs,’ in the so-called ‘Druking Case’ (Supreme Court 2020Do16062), the use of automated programs was found to constitute computer interference with business. Understanding the differences between these two decisions provides important insights for evaluating the legal risks of automated programs.

Overview of the Druking Case

In the Druking case, the defendant operated an automated program called the ‘King Crab’ system. This system:

• Automatically and repeatedly logged into portal sites through multiple mobile phones connected to the King Crab management server
• Bypassed same-user access restrictions by changing IP addresses, deleting cookies, and modifying User Agent values
• Mechanically and repeatedly clicked to like/dislike or recommend/oppose comments on news articles on portal sites

Using this system, from December 2016 to February 2018, the defendant sent over 88 million like/dislike click signals to manipulate the rankings of more than 1.18 million comments on news articles on a specific portal site.

Grounds for the Guilty Verdict

The court recognized the crime of interference with business by damaging computer systems for the following reasons:

1. Constituting Input of False Information or Improper Instructions:
   • Sending click signals through the King Crab system to disguise them as clicks from actual users constituted input of ‘false information’
   • Sending signals to manipulate online public opinion, contrary to the system’s original purpose of ranking based on members’ genuine opinions, constituted input of ‘improper instructions’
   • Using others’ IDs and passwords was also deemed a violation of terms of service and improper instructions
2. Recognition of Interference with Information Processing:
   • The click signals sent through the King Crab system caused the system to misidentify them as clicks from actual users, interfering with normal information processing
   • This was recognized as causing ‘interference’ with information processing by making the information processing device perform functions inconsistent with its intended purpose
   • Even though portals made efforts to prevent abuse and not all manipulation attempts succeeded, the crime was established as long as there was an ‘abstract risk’ of business interference

Key Differences from the Automated Marketing Programs Case

1. Differences in Purpose and Intent:
   • Druking Case: Intentional system bypass and false information input aimed at manipulating online public opinion
   • Marketing Programs Case: Commercial purpose automation without malicious intent to attack systems
2. Nature of Input Information:
   • Druking Case: Clear input of ‘false information’ disguised as clicks from actual users
   • Marketing Programs Case: Merely automating tasks that regular users could perform
3. Degree of System Impact:
   • Druking Case: Distorting the fundamental operating principle of the comment ranking system, undermining the system’s purpose itself
   • Marketing Programs Case: Simple server load increase with no evidence of damage to basic system functions
4. Differences in Legal Application:
   • Druking Case: Application of computer interference with business under the Criminal Act (information processing interference due to false information input)
   • Marketing Programs Case: Examination of applicability of malicious program distribution under the Information and Communications Network Act (possibility of system operation interference)
5. Social Impact and Severity of Legal Interest Infringement:
   • Druking Case: Serious crime severely damaging online public opinion formation and even hindering election processes
   • Marketing Programs Case: Commercial advertising purpose with relatively lower severity of social legal interest infringement

Through this comparison, we can see that the likelihood of an automated program being punished varies greatly depending on △the illegality of its purpose △the falsity of input information △the extent of distortion of system operating principles △the severity of social legal interest infringement. The Druking case, in particular, was subject to legal sanctions because it intentionally distorted the core purpose of the system – ‘public opinion formation based on users’ genuine intentions’ – rather than merely increasing system load.

7. Legal Considerations for Developing and Using Automated Programs

Developers and users of automated programs should consider the following legal precautions:

1. Technical Characteristics of Programs: Functions that could damage systems or seriously interfere with normal operations should be excluded as much as possible.
2. Compliance with Terms of Service: If a service’s terms of service prohibit the use of automated tools, violating this may result in account suspension and civil liability.
3. Reasonable Usage Limitations: It is advisable to limit request frequency or volume to reasonable levels to avoid placing excessive load on services.
4. Compliance with Spam Regulations: Automated message sending should not violate spam regulation provisions of the Information and Communications Network Act.
5. Compliance with Information Security Regulations: When collecting or processing personal information, relevant regulations such as the Personal Information Protection Act must be observed.
6. Prohibition of False Information Input: As seen in the Druking case, inputting false information or using system bypass techniques to deceive systems can be punished as computer interference with business.

8. Relevant Regulations and Recent Trends

The main regulations and recent trends related to automated programs are as follows:

1. Article 48 of the Information and Communications Network Act (Prohibition of Information and Communications Network Interference): Prohibits the transfer or distribution of malicious programs, with violations punishable by up to 5 years imprisonment or fines up to 50 million won.
2. Article 314 of the Criminal Act (Interference with Business): Punishable by up to 5 years imprisonment or fines up to 15 million won for interfering with another’s business by inputting false information or improper commands into information processing devices, thereby interfering with information processing.
3. Recent Trends: As automation technology advances, court judgment criteria continue to evolve. Legal evaluation of automated systems applying AI and machine learning technologies is expected to become an increasingly important issue.

9. Legal Risk Management Strategies for Businesses

Businesses developing or using automated programs can consider the following strategies to manage legal risks:

1. Legal Review and Consultation: Obtain legal expert review before program development and release to identify potential legal risks and establish response measures.
2. Guideline Establishment: Establish internal guidelines for the development and use of automated programs to minimize legal risks.
3. Monitoring System Implementation: Continuously monitor the impact of automated program use on services and implement systems to respond promptly if issues arise.
4. Industry Trend Awareness: Continuously monitor automated program-related legal precedents and industry trends to adapt to changing legal environments.
5. Communication with Service Providers: When possible, communicate in advance with service providers whose services the automated programs will use to clearly understand permitted ranges and limitations.

K&P Law Firm in South Korea has successfully represented corporate clients in automated program-related legal disputes and has expertise in handling complex legal issues at the intersection of the Information and Communications Network Act and the Criminal Act. We support businesses in effectively managing legal risks while pursuing innovation in the evolving legal environment accompanying the advancement of automation technology.