[1] The scope of acts prohibited by Article 48(1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.

[2] Criteria for determining “justifiable access authority” under Article 48(1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.

[3] Whether a third party has legitimate authority to access an information and communications network where a user consented to the use of his/her ID and password by informing him/her of such ID and password (negative)

[4] The case holding that in a case where the defendant sent a e-mail to the military commander by accessing the military internal computer network, etc. between the immediate superior officer's ID and password that he became aware of in the course of his duties, it constitutes an act of intrusion into the information and communications network without access authority as provided by Article 48 (1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.

[1] Unlike Article 22(2) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. and Article 19(3) of the former Act, Article 48(1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. prohibits an act of "influence into an information and communications network without legitimate access authority or beyond permitted access authority" without infringing or damaging protective measures against the information and communications network. Thus, even if the infringement or damage of the protective measures is not accompanied by the infringement or damage, the act of intrusion by using another person's identification mark (a ID and password) or by inputting an improper order that enables the exemption of restrictions on protective measures is prohibited.

[2] Article 48(1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. is not a provision to protect users' trust or interests, but to protect the stability of an information and communications network itself and the reliability of such information. Thus, the person who grants access authority or grants permission to the said provision is a service provider. Therefore, in cases where a third party, other than a user, has access to an information and communications network, whether such access authority exists shall be determined based on the access authority granted by the service provider.

[3] Even in cases where a user consented to the use of an information and communications network by informing the user of his/her ID and password and allowing a third party to use it, it is reasonable to deem that the third party has no legitimate authority to use it, in principle, except in cases where the use by the third party is limited to a person who acts as an agent for the third party or a person who acts as an agent for the third party, and it is merely a case where the use by the user is used for the benefit of the user according to social norms, such as the case where the user is used for the benefit of the user, or where the service provider is deemed to have granted the right to consent to the use by the third party, or where the service provider notifies the service provider of the situation that the service provider allowed the third party

[4] The case holding that in case where the defendant sent a e-mail to the military commander by accessing the military internal computer network, etc. between the immediate superior officer's ID and password that he became aware of in the course of his duties, it constitutes an act of intrusion into the information and communications network without access authority as provided by Article 48 (1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.

[1] Article 48(1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. / [2] Article 48(1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. / [3] Article 48(1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. / [4] Article

Defendant

Defendant

Attorney So-young

High Court for Armed Forces Decision 2004No125 Decided January 11, 2005

The appeal is dismissed.

1. Facts charged and summary of the judgment of the court below

The summary of the facts charged of this case is that the non-indicted 1, a superior officer of the defendant, was allowed to send a report on his duties to the Army Headquarters, etc. on behalf of the defendant, and the defendant was also aware of the ID and password through an official notification system to the officers and soldiers under his control. On two occasions, the defendant entered the ID and passwords of the defendant's computer in excess of the authorized access authority over two times, and access the Army Web-mail and the Handbrids system to the military commander, who was in the name of the military commander in the name of the order, and then came up with the first military commander in the name of the military commander in order to take disciplinary action against the maximum (the name of the defendant). The personnel management process is not a problem. The court below found the defendant guilty of the defendant's intrusion into the web-mail and handbook of the Army that is an information and communications network or the account of the other person without access authority over each information and communications network. The court below found the defendant guilty of the violation of the access authority over each other's personal information and communications network.

2. Judgment on the grounds of appeal (to the extent of supplement in case of supplemental appellate briefs not timely filed)

First, Article 22(2) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (amended by Act No. 6360 of Jan. 16, 2001) and Article 19(3) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (amended by Act No. 6360 of Jan. 16, 2001) prohibit the act of infringing or damaging such protective measures in an unlawful or unjustifiable manner on the premise that both information and communications service providers should take protective measures to ensure the stability of information and communications network and the reliability of information. However, Article 48(1) of the Information and Communications Network Act, which applies to the facts charged in the instant case, prohibits the act of “infringe into an information and communications network without legitimate authority or beyond the authorized authorized access authority” without having infringed or damaged such protective measures. Thus, even if the said protective measures do not entail any infringement or damage, the Information and Communications Network Act prohibits the act of entering in an unlawful way such as using or restricting another person’s identification codes or password.

Furthermore, Article 48(1) of the Information and Communications Network Act is not a provision to protect users' trust or interests, but a provision to protect the stability of the information and communications network itself and the reliability of the information, as shown in the title of Chapter 6 of the Information and Communications Network Act, to which the above provision belongs, and thus, the subject who grants access authority or grants permission to the information and communications network is a service provider. Therefore, if a third party, other than a user authorized by the service provider, connects the information and communications network, whether the access authority exists shall be determined on the basis of the access authority granted by the service provider.

Therefore, unlike the actual space, it is difficult to clearly confirm who is an offender. The identification code, such as ID and password, indicates the character of the offender. Thus, it may impair the stability of information and communications network and the reliability of information contained therein, as in the case of so-called hacking, etc. physically impairing protective measures due to the abuse of anonymousness, such as reckless sharing, etc., and by unlawful means. Thus, even if the user consented to the use of the information and communications network by notifying and using his/her ID and password, it is limited to a third party's act of using it directly by social norms, such as using it for the user's interest, or if it is deemed that the service provider granted a third party the right to consent to use it, or if the service provider informed a third party of the situation that the service provider had the third party use it, in principle, it is reasonable to deem that the third party's access right is not reasonable.

As to the facts charged in this case, it is difficult to see that the defendant sent a e-mail for the benefit of the defendant to the ledger in his name by accessing the Army Web mail or hand room system with the ID and password of the above non-indicted 1 and sending the e-mail for the benefit of the defendant to the ledger in his name. It cannot be said that the service provider can not be deemed as a case where the access authority granted by the sub-government to the sub-government can be deemed as being directly used by the sub-government. In addition, it is difficult to see that the service provider in the inside the military or electronic computer network or electronic settlement system gives the service provider the right to allow the sub-government who is the user to use his own identification mark in mind. The use of the defendant as stated in the facts charged is a separate character and it is difficult to see that the service provider consented to the use of the access authority granted by the sub-government for his own interest. Thus, the defendant's access to the web-mail and the sub-mail account by using the sub-government mark constitutes an act of intrusion without any legitimate access authority.

Therefore, the judgment of the court below which convicted him of the facts charged that he infringed on an information and communications network without legitimate access authority, not on the information and communications network but on the part of the allowed access authority, is somewhat inappropriate. However, it is just in the conclusion that each act of the defendant as stated in the facts charged constitutes an illegal intrusion as stipulated in Article 48 (1) of the Information and Communications Network Act, and the judgment below erred by misapprehending the legal principles on the interpretation of Article 48 (1) of the Information and Communications Network Act on the ground that the defendant's act does not constitute a crime.

3. Conclusion

Therefore, the appeal is dismissed. It is so decided as per Disposition by the assent of all participating Justices on the bench.

Justices Lee Hong-hoon (Presiding Justice)