Automation and Crime: Penalties for System Abuse

1. Background and Overview of the Case

While internet and automation technologies offer various conveniences, they also generate new types of crimes through misuse. Particularly with the growth of the online advertising market, cases of using automated programs to neutralize competitors’ advertising effects or gain unfair advantages have emerged, leading to complex legal issues.

The South Korean Supreme Court case 2010Do14607 is a landmark ruling that examined whether the use of malicious programs to manipulate internet search results and fraudulently click on advertisements constituted violations of the Network Act and criminal obstruction of business. This judgment provides a clear perspective on the conditions under which automated actions can be deemed illegal.

In this case, the defendant, as the CEO of a company, distributed free software through the company’s website while secretly installing a malicious program called ‘eWeb.exe’ through an ‘ActiveX’ control on users’ computers without their knowledge. This malicious program performed the following functions:

1. Manipulation of search rankings and related search terms:

• Regularly downloaded task instruction lists from the defendant’s company server
• Automatically entered specific keywords in Naver’s search box and automatically clicked on specified website links
• Artificially generated related search terms or auto-complete words for specific search terms and unfairly elevated search result rankings for certain companies

2. Fraudulent clicking on sponsored advertisements (click fraud):

• Despite actual users not entering search terms or clicking on advertisements, the program mimicked as if users had actually performed these actions
• Transmitted false click signals to Naver’s relevant system servers, causing financial damage to advertisers

2. Key Legal Issues

In this case, the defendant was indicted on the following charges:

1. Unauthorized network access (violation of Article 48(1) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection)
2. Network disruption (violation of Article 48(3) of the former Network Act)
3. Computer interference and business obstruction (violation of Article 314(2) of the Criminal Act)

The legal issues for each charge are as follows:

• Whether installing a malicious program on users’ computers constitutes unauthorized network access
• Whether false clicks and manipulated search term inputs caused a “disruption” to the information network
• Whether inputting false search and click information through automated programs constitutes computer interference and business obstruction

3. Court’s Ruling on Unauthorized Network Access

The Supreme Court of South Korea found the defendant guilty of unauthorized network access.

The Court viewed the defendant’s act of installing the malicious program (‘eWeb.exe’) on users’ computers in a way that users could not clearly recognize as the starting point of network infiltration. Although the installation occurred during users’ downloading of free programs, the Court determined that unauthorized network access had been committed for the following reasons:

• The existence and functions of the malicious program were not clearly disclosed to users
• After installation, the program communicated with the defendant’s company server and transmitted false signals without the users’ consent
• These actions constituted unauthorized access that exceeded the legitimate access rights to information communication systems and connected networks

Therefore, the deceptive installation exploiting users’ passive consent and subsequent unauthorized actions were recognized as illegal infiltration prohibited by the Network Act.

4. Court’s Ruling on Network Disruption

The Supreme Court found the defendant not guilty of network disruption.

The Court provided clear interpretation standards for “network disruption” and “improper commands” as stipulated in Article 48(3) of the Network Act:

Strict Definition of ‘Network Disruption’

• ‘Network disruption’ refers to a state where the core functions of an information network (collecting, processing, storing, searching, transmitting, and receiving information) are physically disabled or their performance is significantly impeded in a tangible way
• This envisions situations such as system downtime or service unavailability due to speed reduction, where the stable operation of the network itself is threatened

Interpretation Standards for ‘Improper Commands’

• ‘Improper commands’ must be of a nature that can cause network disruption
• Beyond merely being commands that the system does not expect, they refer to commands that execute programs not anticipated by the system’s purpose, or unauthorized modification, deletion, addition of individual system program commands, or alteration of the entire program that could harm network stability

Reasons for Not Guilty Verdict

The defendant’s malicious program, which automatically entered search terms in Naver’s search box and clicked on specific websites, utilized the type of information (search term input signals, website click signals) that Naver’s system was designed to process normally.

Although the content was false and did not reflect the actual intentions of users, the Court determined that it was difficult to consider these signal transmissions as directly causing “disruption” to the stable operation of Naver’s information network, such as physical damage to the network or server downtime.

Separate from the issue of potentially undermining the reliability or fairness of search results, the Court did not find that the legal interest of “stable operation of the information network” that Article 48(3) of the Network Act aims to protect was directly infringed.

5. Court’s Ruling on Computer Interference and Business Obstruction

The Supreme Court found the defendant guilty of computer interference and business obstruction.

Input of ‘False Information’

The Court specified that the malicious program’s transmission of signals to Naver’s related system servers, pretending as if users had performed search actions or clicks when they actually hadn’t, constituted inputting “information that contradicts objective truth,” or “false information,” into information processing devices.

Occurrence and Meaning of ‘Interference with Information Processing’

Due to this input of “false information,” Naver’s relevant systems (search ranking determination system, advertisement click counting system, etc.) misidentified these actions as valid user activities and processed information accordingly.

As a result, the Court determined that the information processing device’s inability to properly perform its original intended functions (reflecting accurate user interests, providing fair search results, calculating advertising costs based on valid clicks) or its performance of distorted functions contrary to its purpose constituted “interference with information processing” that actually occurred.

Recognition of Specific Business Obstruction

The Court recognized that such false information input and the resulting information processing interference directly obstructed Naver’s core business of providing search term services and the advertising business of receiving legitimate advertising fees from advertisers and providing effective advertising services.

The Court viewed that specific risks of business obstruction arose, such as advertisers depleting their advertising budgets on invalid clicks and Naver losing the reliability of its search results and advertising systems.

Since this offense can be established merely with the “risk” of business obstruction, having characteristics of an abstract risk offense, the Court held that the crime is established if actual interference with information processing occurs and the risk of business obstruction is created, regardless of whether search rankings actually changed or advertising fees were refunded.

6. Legal Implications of the Judgment

This Supreme Court decision (Supreme Court of South Korea, March 28, 2013, Case No. 2010Do14607) provides important guidelines for legal interpretation of digital crimes using automated programs and malicious code, offering the following in-depth implications:

Clear Conceptual Distinction Between ‘Network Disruption’ and ‘Information Processing Interference’

• ‘Network disruption’ (Network Act) focuses primarily on the physical and functional stability and availability of the network infrastructure itself
• ‘Information processing interference’ (criminal business obstruction) is a broader concept that encompasses situations where the content or process of information handled by the information processing system is distorted, preventing the system from achieving its intended purpose and compromising the fairness, accuracy, and reliability of business operations

This provides a basis for holding legally accountable systems that may appear to be functioning normally from a technical perspective but produce results based on false information.

Legal Assessment Between ‘Technical Normality’ and ‘Content Falsity’ of Actions

The Court clarified that even if the commands or data transmitted by automated programs to systems take a normal form that the system can accept and process technically (e.g., standard HTTP requests), if the content is “false” and does not correspond to objective facts, and such false information induces the system to make incorrect judgments or processing, this constitutes “input of false information” under criminal law and can be punishable.

Strengthening Ethical and Legal Responsibility of Automation Technology

This judgment emphasizes that program developers or operators using automated means have a legal and ethical responsibility to consider not only technical efficiency but also the truthfulness of the results produced by automated actions and their potential impact on others’ rights or legitimate business operations.

In particular, it warns that severe legal sanctions can be imposed for misusing automation technology with the intent to distort competitive order or cause unfair damage to others.

Practical Meaning of ‘Information Processing Interference’ in Business Obstruction

The Court clarified that ‘information processing interference’ does not necessarily mean only physical destruction or operational failure of a system, but also includes the state where a system misidentifies false information as true and processes it, thereby failing to perform accurate and fair information processing according to its intended purpose. This broadens the scope of criminal response to increasingly sophisticated cyber crimes.

K&P Law Firm in Songdo, Incheon, South Korea has recently successfully resolved legal disputes related to automated programs by representing internet service providers, and provides comprehensive legal advice to help companies safely and legally utilize automation technology.