Data Theft: the French Court of Cassation Refines the Godfrain Law [by General (2S) Marc Watin-Augouard]

French Court of Cassation, Criminal Division, no. 14-81336, judgement of 20 May 2015: Navigating inside an automated data processing system is fraudulent from the moment that the data trespasser realises that the website is protected. Retrieval of files without the owner’s consent is an act of ‘electronic data theft’.

In 2012, an Internet user navigating under the pseudonym Bluetouff used a VPN (virtual private network) to enter the extranet website of the French Agency for Food, Environmental and Occupational Health & Safety (ANSES), a French operator of critical infrastructures (OIV). He downloaded data (82 GB) that he stored on several media and partly released without the agency’s authorisation.

Owing to a system failure, he gained access normally authorised by access control based on username and password.

For these reasons, he was prosecuted before the District Court of Créteil for:

• – fraudulent access to an automated data processing system, an offence under Article 323-1, par. 1, of the French Penal Code, and punishable by Articles 323-1, par. 1, and 323-5 of said penal code;
• – fraudulent navigation inside an automated data transmission system, an offence under and punishable by said articles; and
• – data theft to the detriment of the ANSES, an offence under Articles 311-1 and 311-3 of the French Penal Code and punishable by Articles 311-3 and 311-14 (par. 1, 2, 3, 4 and 6) of said code.

In a judgement of 23 April 2013, the court acquitted Bluetouff. According to the court, fraudulent access had to be ruled out, as he was able to enter the website owing to a technical failure, not an act of ‘piracy’. Fraudulent navigation was also ruled out, since the trespasser could have thought that the data he gained access to were open-access data. As for document theft, the court considered theft to be fraudulent removal of the property of another, pursuant to Article 311-1 of the French Penal Code. The ANSES was never dispossessed of files that remained accessible and available on their website, so there was no removal of data, and therefore no theft.

The prosecution filed an appeal, and the case was brought before the Paris Court of Appeal, which, in a judgement of 5 February 2014, upheld the judgement of the District Court with respect to non-fraudulent access. In another case (Paris CA, 30 October 2002, Kitetoa vs Tati), in the court’s judgement, erroneous access to an unsecured website could not be considered an offence. As for the other two infractions, the Court of Appeal found Bluetouff guilty of fraudulent navigation and data theft. Regarding fraudulent navigation, the Court of Appeal stressed that after Bluetouff accessed the website, he was able to observe by browsing its data structure that access was subject to authentication requirements. Thus, he was “aware of the illegal nature of visiting the automated data processing system and downloading obviously protected data“. In a judgement of 20 May 2015, the Criminal Division of the French Court of Cassation upheld the judgement of the Paris Court of Appeal. Concerning the theft sentence, the French Court of Cassation had previously described a copy of data as theft (Cass. Crim., no. 07-84.002, 4 March 2008, X vs Graphibus). In his pleading on the Bluetouff case, Public Prosecutor Frédéric Desportes stated the following [1]: “While respecting the principle of strict interpretation of criminal law, you have always been able to adapt accusations to technological developments, thereby ensuring that the aims of the legislature are achieved and thus that both the letter and the spirit of the law are applied. This is particularly true of theft, the definition of which has been seen to have a certain plasticity. […] It would be paradoxical for fraudulent removal of an insignificant paper document to be punishable by three years of imprisonment, but not the removal of thousands of strategic files, since such files are merely digital or digitised documents capable of being printed and thus taking on material form“. It should be noted that Law 2014-1353 of 13 November 2014 reinforcing counter-terrorism provisions now sanctions data retrieval (Art. 323-3 of the French Penal Code), thus putting an end to the debate on ‘data theft’. But this law was enacted after the fact and could not be applied to this case.

There could be new developments in the Bluetouff case in the event of an appeal before the ECHR.

[1] Source: Next INpact