CC BY
28
УДК 342.92
DOI: 10.21209/2227-9245-2019-25-10-99-111
PROTECTION OF PERSONAL INFORMATION IN THE ERA OF RISK SOCIETY ЗАЩИТА ЛИЧНОЙ ИНФОРМАЦИИ В ЭПОХУ ОБЩЕСТВА РИСКА
Shi Yanan,
Director of the research center for criminal justice of Renmin University of China shiyanan@ruc.edu.cn
Ши Янань,
Исследовательский центр уголовного правосудия при Народном университете КНР, г. Пекин
Chen Zhenwei,
Renmin University of China 2018000236@ruc.edu.cn
Чэнь Чжэньвэй,
Народный университет КНР, г. Пекин
A study on cyber fraud shall be based on clearly understanding of the basic features of cyber fraud. Cyber crime is a kind of crime of information, which means the offender manipulates personal information to cheat the victim to attain his goal. If predicting the development of cyber fraud, it will be more and more dependent on personal information. The key issue of controlling cyber crime is to protect personal information. Although the interest of personal information to someone cannot be regarded as a private right, to protect personal right is very important to safeguard the personal and property security of citizens. So the definition of personal information shall be made with the perspective of personal and property security. For the finding of cyber fraud, the relevant agencies and courts shall fully recognize such features and distinguish it from offline crimes.
When dealing with cyber fraud, the authors view "Governance" as co-governance and foresee the focus of cyber fraud governance as cooperation between different entities, as well as enhancement of information exchange between different subjects. In prevention and punishment of cyber fraud, special attention should be paid to the work of Internet enterprises. Besides, the administrative and judicial agency should strengthen cooperation with Internet enterprises, fully exerting the enthusiasm of Internet enterprises and also respecting the commercial interests and corporate reputation of Internet enterprises
Key words: cyber fraud; cyber crime; personal information; joint crime; information crime; manipulation; cheating; victim; personal safety; property security
Исследования кибермошенничества должны основаться на четком понимании основных особенностей киберпреступности. Киберпреступление является разновидностью информационного преступления. Преступник манипулирует личной информацией с целью обмануть жертву для достижения своей цели. Развитие кибермошенничества все больше зависит от личной информации, поэтому главным вопросом является защита личной информации. Хотя интерес к личной информации не может рассматриваться как частное право, защита личных прав очень важна для обеспечения личной и имущественной безопасности граждан. Таким образом, определение личной информации должно быть сделано с точки зрения личной и имущественной безопасности. Для установления кибермошенничества соответствующие органы и суды должны в полной мере признавать такие особенности и отличать их от преступлений, совершаемых вне сети
Ключевые слова: кибермошенничество; киберпреступность; личная информация; совместная преступность; информационное преступление; манипуляция; обман; жертва; личная безопасность; имущественная безопасность
/ntroduction. There is no doubt that the problem of cybercrime in China is very serious now. Such cases had accounted for nearly 1 /3 of the total number of crimes in 2016, and in recent
two years this number is still increasing [1]. At same time, so-called the cases of traditional crimes, especially violent crimes have been obviously deceased. For example, homicide cases
99
© Ши Янань, Чэнь Чжэньвэй, 2019
per 100 000 persons occurred in 2015 in China Mainland, much lower than most other jurisdictions [6]. From the process of the fall of "traditional crimes" and the rise of cyber crimes, it shows a trend clearly: networking of "traditional" criminal means and continuous emergence of new cyber crimes will be the mainstream of development of crimes. And, nowadays, cyber fraud crimes are regarded as the most serious kind of cyber crimes in China.
"Cyber Crime" is a term of Criminology in China. From the perspective of criminal law, cyber crimes can be divided into 4 categories: (1) network implementation of traditional crimes, or "online implementation of offline crimes"; (2) network variant of traditional crimes, or "only implementation of the kind of traditional crimes"; (3) derivative crimes of "traditional crimes"; (4) cyber attack, or "real cyber crime". From the status quo of cyber crimes, the last type is the most popular one which can be said that such cases are been doing every moment in high density. However, in China, very few cases have been investigated by the agencies and convicted by the courts because most of such cases cannot be found by the victims and the public. Only when such an attack caused a serious damage to property right or other important interests, or social disturbance, some agencies might launch an investigation [7]. Currently the public concern the first category of cyber crime because such crimes threaten or violate individual rights and interests directly and then they become the agencies' priority. From the perspective of national security, cyber attacks are the most harmful because they have a greater impact on national political, economic, and military security.
Compared with offline crimes, cyber crimes have three features: (1) anonymous organized. Under the present circumstances of cyber crimes, the "lone wolf" network attacks still exist in a certain range, but there is a certain structure of organized crime in most of cyber criminal cases which were detected, and online organized crimes are characterized by anonymity, temporary organization and individual constant activities. An organized implementation of cyber crime is connected through information network, and its temporary feature does not affect its organized implementation. From this point of view, the network underground industry is a typical network organized crime. (2) Highly reliable on network platform. Platforms can provide "markets" for the offenders to collecting
information, communicating with potential partners and looking for victims. (3) Highly reliable on personal information. To some extent, the offenders of cyber crimes manipulate personal information in order to commit crimes more smoothly and successfully. Statistics show that 280 million customers had been estimated to be stolen in 2017, rising to 500 million in 2020, while the cost of cybercrime will soar to $8 trillion in the next five years [5].
Analyzing the status and trend of cyber crime, cyber property crimes are still the main object of public concern, especially cyber fraud. So the government put more resources on fighting against such criminal cases. To prevent cyber fraud, it is vital to strengthen the protection system of personal information, and to punish cases, the doctrine of fraud shall be reshaped so as to solve the problem of application of criminal law. This paper will focus on cyber fraud and propose some suggestions on prevention and punishment of this kind of cyber crimes.
The key issue of preventing cyber fraud is to protect personal information
In a certain sense, the social existence of human beings is the external state of personal information. All social activities of human beings are also a process of information transmission. From this perspective, crime is also a kind of social activity, hence existing the process of information transmission. However, compared with other crimes, offenders accomplish the process of fraud by manipulating information (making false information, disguising true information and obtaining true information). From the perspective of information dissemination, fraudulent activity is a distorted process of interpersonal communication. It take advantage of the sincerity and trust, and then gains property interests. In the cyber era of fraudulent behavior, fraudulent offenders have mastered a large amount of personal information of victims in advance, so that they can implement "precise fraud". Therefore, the emphasis of governance of cyber fraud is to establish a reasonable and complete personal information protection system and mechanism at first.
Dependence of cyber fraud on personal information. As far as cyber fraud is concerned, the reason why it spreads is that the virtual space of the network can be used to carry out fraudulent activities to the greatest extent of "anonymity", and the process of implementation is completed through operating information. Although the way
of cyber fraud is constantly changeable, its process of manipulating information is not complicated and can be summarize as "two-terminals" operation process: fraud terminal (forging identity information) and victim terminal (full control of victims' personal information). However, offline fraud manipulates information more in fraud terminal, while online fraud is more concentrated on victim terminal. Of course, if we review the development of cyber fraud, there is also a process of gradual change. This change is that the focus of manipulating information is converted from fraud terminal to victim terminal. This change makes cyber fraud more accurate and efficient. The "Xu Yuyu Case", which has received extensive attention in 2016, is a typical case of "precise fraud".
From the current development situation of cyber fraud, cyber fraud cases are increasingly linked to the lack of protection of personal information. On February 27, 2013, the Xinhua Economic Research Institute and the 360 Internet Security Center released the "Situation and Challenges of Pivotal Enterprise guaranteeing Network Security". The report showed that more than half of the telecommunication network fraud cases were related to the leakage of personal information. The "Protection Survey Report of China Netizen Rights in 2016" released by Association of China Internet, also demonstrated that 51 % netizens suffered "personal information leakage" during the process of online shopping, and 84 % suffered from harassment and monetary losses due to information leakage. The amount of economic losses caused by the leakage of personal information, reached to billion yuan one year [14]. According to "China Information Security", some methods of cyber fraud are implemented by manipulating personal information.
The article also lists other types of telecom fraud, such as impersonating acquaintances to fraud, impersonating friends and relatives to counterfeit car accidents, hospitalization and harming others, etc., to fraud, counterfeiting the leader of the superior authority, the leader of the enterprise, and the judiciary agency to fraud, falsely providing test information, the fraud of "Guess who I am", threatening fraud, deceiving arrears of telephone and TV, false financial management, false customer service, counterfeiting bonuses for valuables objects, false car purchases, false house tax rebates, fictional stock inside information, false winning information,
fictional abduction, counterfeiting remittance or repayment of loans, counterfeiting subsidies and bursaries, express delivery fraud, entertainment program winning fraud, redeem points fraud, counterfeiting as a landlord message fraud, illegal traffic handling fraud, credit card fraud, medical insurance card, social insurance card fraud, the fraud of large sum of money seeking children and so on.
From the perspective of future development trends, no matter how the form of cyber fraud changes, it must always be implemented through manipulating information. If there are problems with the system and mechanism of personal information protection, It is bound to provide opportunities and convenience for cyber fraud.
The range of personal information utilized in cyber fraud. At present, there is no "Personal Information Protection Law" in China. The protection of personal information is separately stipulated by the criminal law, cyber security law, civil law, administrative regulations and interpretative regulations. Regarding the scope of citizens' personal information, on April 23, 2013, the Supreme People's Court, the Supreme People's Procuratorate and the Ministry of Public Security jointly issued the notice, the Notice on Punishing the Criminal Activities of Infringing on Citizens' Personal Information According to the Law. And the notice considered that the information includes citizens' name, age and valid document number, marital status, work unit, education, resume, home address, telephone number and other information and data which can identify a citizen's personal identity or involve the privacy of a citizen. The provision defines the personal information of citizens by a combination of "not complete enumeration + basic characteristics". According to this definition, the basic characteristic of a citizen's personal information is the ability to identify a citizen's personal identity or involve personal privacy. This definition is basically in line with the general understanding of personal information, but its problems are also obvious. Taking cyber fraud as an example, the perpetrator uses the victim's bank card information, Alipay information, etc., and such information is difficult to be classified into identity information or private information. In addition, the notice juxtaposes the information with the data, which also has classification problems. Article 76, Item 5 of the Cyber Security Law passed by the Standing Committee of the National Peo-
ple's Congress On November 7, 2016, stipulates that "identification of identity of a natural person" is a basic feature of personal information. This definition overemphasizes personal identification and can lead to a narrow range of personal information, which is not conducive to personal information protection. Article 1 of "Interpretation of Several Issues Concerning the Application of Laws in Handling Criminal Cases Involving infringing Citizens' Personal Information" which was published by the Supreme People's Court and the Supreme People's Procuratorate ia related to personal informantion. This explanation only outlines the scope of personal information. In particular, in the sense of criminal law, the definition of "personal information" is not clear. This may lead to a too extensive understanding of the greater possibility of conviction elements in Judicial Practice. Hence, There is also a need to clarify, especially that it is necessary to define it essentially.
Before clarifying the scope of personal information, it is necessary to clarify the relationship between information, data, and corresponding rights at first. From philosophical perspective, information is the form of material and energy movements in the objective world, and the self-organizing system's dynamic response to this form [2]. This definition basically understands information from materialistic epistemology. As for understanding of personal information, it can also be placed in an objective world for non-subjective understanding, but from a legal point of view, it should be understood from the relationship between people in society. So from the broadest understanding, personal information is a symbol of various objects that can be objectively described by natural persons as social beings and in social interactions. The exchange of information between the individual and the natural world is legally only meaningful if it is recognized in social interaction. Data, the result of facts or observations, is a logical induction of objective things, and is also an unprocessed raw material used to represent objective things. From the above analysis of the definition of information and data, the relationship between information and data is the relationship between content and carrier, but not the same or interchangeable concept [17]. From a legal perspective, for people outside of a certain subject, whether it is data-based information or information recorded in the form of paper or voice, you must firstly obtain the carrier of infor-
mation, and then you can understand information record. Furthermore, from the perspective of possession, the subject, who owns the right of possessing personal data, may not be the direct correlation of personal information, while the law also does not give direct correlator the right to restrict the possession of personal data owners, but only the right to limit other people's abuse. This is very similar to the copyright relationship between personal portrait rights and photographic works.
The purpose of clarifying the relationship between information and data is to enable law to tackle issues related to personal information. The author believes that natural persons' possession and use of own information, and restrictions on using their information by others, cannot form rights separately, such as "personal information rights". Because the formation of personal information is an interactive process. Interactive partners can obtain a certain extent of possession of a message and the right to use it. In terms of civil law, the protection of personal information should still be protected by the right to privacy and tranquility. However, for criminal law, the significance of clarifying this concept lies more in the meaning of its conviction and sentencing. The legislator puts the crime of infringing citizens' personal information into the chapter of "crimes against personal rights and democratic rights" in the criminal law. Obviously, it categorizes the legal interests infringed by the crime of infringing citizens' personal information, into personal rights, but this view is debatable. The purpose of protecting personal information in criminal law, is not to protect citizens' possession and exclusive use of personal information, but to prevent others from using this information to infringe citizens' personal rights and property rights. From this perspective, the crime of infringing citizens' personal information is a preventive offense designed to prevent the occurrence of crimes that use personal information. Therefore, the criminal law protection of personal information is not so much to protect citizens' possession of personal information as it is to prevent others from using this information to infringe legitimate personal and property interests of citizens. If personal information is linked to the personal and property interests of citizens, then the understanding of personal information cannot just be limited to "identifies the personal identity of natural persons", but refers to any information that can be related to the per-
sonal and property interests of natural persons. On conclusion, there are two basis for such definition: Firstly, the possession of personal information is not a separate civil right, but a kind of information that is related to personal rights and property rights; secondly, such definition can effectively has connection with law, without the help of Formulating another legal rules. Personal information in criminal law as well as in criminal justice should also be understood with this definition.
Perfect mechanism of personal information protection is a key step of governance of cyber fraud. As mentioned above, both cyber fraud and offline fraud are committed through manipulating information, but cyber fraud is more dependent on personal information. So prevention of cyber fraud should focus on protecting personal information. In practice, we should start in four aspects:
Establishing perfect legal regulation of personal information. Although the General Principles of the Civil Law and the Cyber Security Law stipulate provisions for the protection of citizens' personal information, a relatively comprehensive regulatory system has not yet been established. The core of this regulation system is to establish the legal rules for the formation, possession, acquisition, use, transfer, destruction and development of personal information, and to carry out the necessary regulation of relevant subjects, rights and obligations and legal responsibilities. In this regulatory system, the most important issue is the problem of the possession and use of personal information. As far as direct person is concerned, whether he can restrict others to possess and use his own personal information. If the citizen has such rights, it means that the citizen has the civil right of personal information. However, as mentioned above, if citizens are confirmed to have such civil rights, it will directly limit the development of some industries, and also cause unlimited legal disputes.
Restrictions on the eligibility of possession and use of personal information, are the focus of personal information regulation. For all industries that use personal information, they should be strictly examined. The behavior that violates regulation of personal information should be imposed administrative penalties. The more complicated question is how to determine the obligations and legal responsibilities of network operators and related market entities. The fourth chapter of the "Cyber Security Law", named
"Cyber Information Security", stipulates the legal obligations of network operators in collecting and using information, and also stipulates corresponding legal responsibilities. However, these provisions are still relatively crude and lack specific operational rules. However, there are still some issuses. For example, what are the basic elements of this regulatory system? What kind of legal responsibilities should network operator shoulder? If some people violate this obligation? There is currently no supporting provision. It can be said that the establishment of a complete personal information regulation system can minimize the possibility of personal information that is obtained and used by criminals, hence helping to prevent cyber fraud cases.
According to the research of Tencent's Network Security and Crime Research Base, the way to reveal personal information include: (1) Internal staff leaks; (2) hackers invade websites to steal user data (known as "Drag"); (3) Virus Trojan stealing; (4) Phishing; (5) Violently cracking password (known as "Hit the library") [3].
Establishing reasonable judgment rules of personal information. This paper believes that personal information should not be limited to the scope of "identifying the individual identity of natural persons", but should define "personal information" from the perspective of harm to individual and property rights. In the specific judgment, it can adopt "the principle of direct association". In other words, if the information is directly related to personal rights and property rights of a subject, it could be considered as personal information protected by criminal law. Therefore, there is no reason to exclude personal whereabouts information from personal information. The same understanding is also taken in the "interpretation of cases of infringing personal information". The paragraph 1 of article 5, stipulates that "selling or providing track information and then being used by others for crime" is a "serious situation" stipulated in one of the provisions of article 253 in criminal law.
From the perspective of the dependence of cyber fraud on personal information, what is meaningful is the correlation between personal information and natural person's personal rights and property rights. While if there is a correlation, even if the information is not related to personal identity, it will have an impact on the person's interests once the criminals are obtained this kind of information. From this view, it is more in line with the purpose of law to judge the scope of
personal information with "the principle of direct association" and corresponding legal regulation.
Reasonably distinguishing types of personal information. As mentioned above, the possession and domination of personal information cannot be considered as a right, but it does not mean that the possession and control of some types of personal information cannot be defined as rights, such as personal privacy and tranquility. Therefore, in the process of establishing a personal information protection system, especially for the process of punishing related criminal proceedings, it is necessary to classify different types of personal information. There are two purposes for classifying personal information:
(1) different degrees of regulation and protection for different types of personal information;
(2) from the perspective of proportionality of punishment, setting up various types of punishment for different types of criminal proceedings of personal information. Comparatively, personal information is more important than property information; and in personal information, personal safety information is more important than general identity information. For example, both personal action information and residential information are personal safety information, which are important than general identity information. For example, some fans obtain such information and then immediately implement physical harassment for movie stars, singers, etc., and even implement a certain degree of violations.
For the classification of personal information, it can be distinguished by the idea of "Administrative Measures for the Protection of Information Security Levels", that is, according to the dangerous degree of personal information, it can distinguish between personal and property categories, and determine different degrees.
Article 7 of the Measures stipulates: "The level of security protection of information systems is divided into the following five levels: At the first level, it will cause damage to the legitimate rights and interests of citizens, legal persons and other organizations, but it will not harm the national security, Social order and public interest. At the second level, it will seriously damage the legitimate rights and interests of citizens, legal persons and other organizations, or cause damage to social order and public interests, but not to damage national security. At the third level, it will cause serious damage to the social order and the public interest, or cause damage to the national security. At the fourth level, it will
cause particularly serious damage to the social order and the public interest, or cause serious damage to the national security. At the fifth level, it will cause particularly serious damage to national security".
While if the level of personal information is belong to criminal law punishment field, it should be considered as the highest level range. If the personal information, which is collected and obtained, is related to national security, public safety and social order, and also has the nature of state secrets, it should be treated as the state secrets; if it has not yet reached the level of state secrets and is only related to national security, it should still be treated as personal information.
Proper application of the crime of infringing citizens' personal information. As mentioned above, this article believes that the crime of infringing citizens' personal information is a kind of preventive crime, that is, setting up this crime is to protect the personal and property interests of citizens. According to "Opinions on Several Issues Concerning the Application of Laws in Handling Criminal Cases Such as Telecommunication Network Fraud" promulgated by the Supreme People's Court, the Supreme People's Procuratorate, and the Ministry of Public Security's, the judiciary should effectively curb cyber fraud by applying the crime of infringing citizens' personal information.
In applying this crime, three issues should be noted: (1) How to define "violation of relevant state regulations"? Judging from the provisions of Article 253 of the Criminal Law, the crime of infringing citizens' personal information is a regulatory offence [13]. The "relevant state regulations" refers to the provisions of laws, administrative regulations, rules and other aspects of the national level involving the management of citizens' personal information [8]. Therefore, when judging whether it violates the "relevant state regulations", it may consider the areas that are involved by specific personal information, and the interests that may be affected by specific personal information, to select applicable norms. And then we can judge the administrative illegal nature of the corresponding behavior. It should be emphasized that the premise of the composition of this crime is not a violation of civil obligations, but a violation of the obligations set by administrative law. (2) The understanding of citizens' personal information should be defined as the relevance perspective of personal and property rights. It should be emphasized that the
"citizens" here should include any natural person. (3) Accurately master the ways of behaviors of infringing personal information. More specifically, there are three ways, that is, selling or providing personal information to others, selling or providing personal information obtained in the course of fulfilling the duty or providing services, and stealing or other illegally obtaining personal information. For the third behavior, it mainly involves the understanding of "illegal acquisition". The act of deriving a citizen's personal information based on public information does not has illegal nature, but if this kind of information is transferred to others, the act should be considered illegal. The reason is that the transmission has made a certain adverse impact on personal and property interests of relevant people [11].
The problem of cyber fraud conviction needs to be noticed. As mentioned earlier, cyber fraud is a kind of "network implementation of traditional crimes". In this classification, it can be seen that the conviction of cyber fraud has two characteristics: on the one hand, in the interpretation of substantive law, since cyber fraud behavior is a specific implementation method of fraud crime, it is a crime of fraud. Based on the principle of criminal law, it must need to meet the basic characteristics of fraud. On the other hand, due to the space and specific means of cyber fraud obviously varied from offline fraud, the interpretation of constituent elements, legal application rules and even fact finding should appropriate a certain extent of adjustments in the process of handling cyber fraud cases. Considering the current difficulties in tackling cyber fraud cases, three issues should be considered in the process of handling such cases:
The problem of victims' act of disposition and meaning of disposition in cyber fraud. During the process of judging the constitution of crime of fraud, whether the victim disposes of the property based on misunderstanding, is an element of judging accomplished crime and distinguishing other crimes (such as larceny). From the current development trend of cyber fraud, in most cases, the effect of the perpetrator's intention to fabricate false information is that the victim will transfer the control and domination of his property. And the psychological state of the victim is not a disposition in the sense of civil law, while it's just the temporary transfer of the money to a "safe" account. The act of disposition in the sense of civil law generally refers to powers of ownership, including de facto punishment and
legal punishment. The former refers to the damage, transformation, destruction or physical and chemical changes of the material; the latter refers to the alteration and elimination of rights of belongings [15]. In this regard, Professor Zhang Mingkai believes that the disposition of property is not limited to the disposition of property in the sense of civil law (that is, not limit to ownership rights), but means that the victim's property is transferred to the offender or a third party's possession, or the offender or third party obtains the victim's property [16]. For cyber fraud, the understanding of disciplinary behavior should be combined with the characteristics of online trading behavior. Specifically, during the process of online fraud, the disciplinary action should be defined as the abandonment of victim's property, including temporary giving up domination over their property and agree to dominate their property with others. The reason for this definition is that the type of property in cyber fraud is money, which is usually under the possession or domination of financial institution or the third-party network platform. The relationship between the victim and the financial institution is the contractual relationship, and the financial institution own domination of property based on the contractual relationship. Hence, the victim apparently did not transfer possession, but gave up its control over the money.
As for the case of cyber fraud, it is worthwhile to ask whether the victim has the meaning of disposition. There are some different views. In this regard, Professor Zhang Mingkai believes that the person deceived must have the meaning of disposition of the property, that is, he realizes that he has transferred some property to the offender or the third party, but does not require a complete understanding to the quantity and price of the property [10]. Professor Li Hong believes that the deceived should have the meaning of disposition, which is conducive to distinguish between larceny and fraud [9]. However, in the case of cyber fraud, requiring the victim to have the meaning of disposition, may improperly limit the scope of the crime of fraud. For example, the offender cheat the victim that their property is at a high risk, requiring the victim to transfer the money to another account, and let the victim set a new account password. In fact, the account is already controlled by the offender, and after the victim remitting the money into the account, the offender will obtain the money. In this case, the victim did not have the meaning
of disposition of his money. Therefore, it may be considered as larceny in the opinion of scholars who hold that the victim must have the meaning of disposition of the property, but this is a typical fraud from the general public's point of view. In a sense, over-considering the subjective meaning of the perpetrator does not conform to the general concept of justice, without considering the general public cognition.
The separation between the conviction of cyber fraud and the investigation of civil liability. Because fraud crimes also constitute infringements, when convicting an actor, they should also be investigated civil liability, that is, compensation for the victim's economic losses (Article 36 of the Criminal Law). But the question is whether the object of fraud should be the same as the civil victim or not.
As far as cyber fraud is concerned, there may be cases where the object of fraud is separated from the civil victim. For example, the offender secretly changes the merchant's WeChat payment QR code. And after the customer scans the QR code, the payment that should be paid to the merchant, remits the offender's account. But during the process, the merchant mistakenly believes that the customer has paid the payment to himself. In this case, the object of the fraud is actually the customer, and the money is also obtained from the customer. If the customer is considered to be the victim, then the merchant has the right to continue to ask for the payment from the customer, while if the merchant is considered to be the victim, the merchant has no right to continue to request the payment from the customer. From the perspective of trading habits, the customer pays the purchase price according to the merchant's prompts at the business place. There is no fault that customer has fulfilled his obligations after completing the payment, so it is obviously inappropriate for the customer to bear the risk. If the merchant is considered to be the victim, there is also a problem of conviction: if this illegal behavior is committed to crime of fraud, but the merchant is not deceived and does not pay the property; if this illegal behavior is committed to larceny, the merchant does not possess the money, while violation of other people's possession of property is the basic feature of larceny, and this behavior is obviously not in line with this basic characteristic. Comparatively speaking, from the perspective of generally public understanding, this situation is a kind of fraud. The offender falsely create a
payment path to induce customers to pay for the goods. The merchant is treated as a civil victim only for the sake of maintaining trading habits and no-fault consumer interests. In the process of criminal proceedings, although the object of fraud is the customer, the customer is just the witness, while the merchant acts as the victim and the plaintiff of criminal with civil lawsuits to participate in the lawsuit. Separating civil victims from the object of fraud also creates a separation between criminal conviction and civil liability. If tackling the criminal proceeding in this way, there will be some differences with the handling of offline fraud cases.
The proof needs to be adjusted in cyber fraud cases. Article 53 of the Criminal Procedure Law stipulates the general standard of criminal proof, that is, while insisting on the standard of sufficient proof, "excluding reasonable doubt" is one of the conditions for specific judgment. From the actual situation of judicial activities, it is difficult to determine a clear specific proportion of "excluding reasonable doubts" or "true and sufficient". There are two aspects considering in practical operation: firstly, for the question called by the defense and the evidence provided by the defense, it is whether the prosecution provide appropriate and persuasive rebuttal; secondly, whether the referee logically forms a "mental impression", and the conclusion of this "mental impression" is supported by sufficient evidence.
For handling traditional fraud cases, the approach of proof of "one-to-one correspondence" is often adopted in the judicial practice. Accordingly, in the evidence chain, the evidence on the fraud is one-to-one correspondence with the evidence on the deceived loss. However, for cyber fraud cases, this kind of proof is obviously "stretched" (difficult). Cyber fraud refers to the "unspecified majority" in the implementation. Because it is implemented through a non-faceted approach, the victim basically does not know who the fraudster is and does not know where the property goes. The fraudster will always destroy and delete the relevant information in time after the crime, especially remittance messages or payment information. So it is difficult to verify "one-to-one correspondence" after the crime.
The way of proof of "one-to-one correspondence" proves the causation between behavior and damage in such crimes. If it can be proved that there is a causation between all the frauds committed by the criminals and its comprehensive illegal profits, and there is no evi-
dence to prove that the possession or control of the property comes from legal or other illegal methods, it can prove the existence of causation. Specifically, for conviction and even sentencing, as long as it can prove that the criminal suspect and the defendant have committed cyber fraud, and also have acquired the property from fraud, they can be convicted and sentenced accordingly. It need not to prove that the fraudulent amount corresponds to which fraudulent act and which fraudulent act is targeted to which victim. As for the corresponding booty recovery issues, it should be distinguished from criminal conviction and sentencing. In this regard, the first item of Article 6 of "Opinions on Several Issues Concerning the Application of Laws in Handling Criminal Cases Such as Telecommunication Cyber Fraud" issued by the Supreme People's Court, the Supreme People's Procuratorate and the Ministry of Public Security, stipulates the rules of evidence for cyber fraud cases.
Cyber fraud governance should achieve multi-sectoral cooperation, public-private linkage, cross-jurisdictional cooperation. The reason why cyber fraud governance has become a tough problem, apart from the fact that cybercrime itself has a "common problem" that is difficult to find and hard to investigate. The more important reason is that the prevention and punishment of cyber fraud requires cooperation at multiple levels, that is, cooperation between administrative agency and the judiciary, the cooperation between different jurisdictions, and cooperation between the public security judiciary and financial institutions, cooperation between the private sectors. Whether from prevention or punishment of cyber fraud, the formation of the three aspects of composition of forces is the key to solve the problem of regulation and protection of personal information.
Cooperation between the administrative agency and the public security judiciary. Because cyber fraud is highly dependent on personal information, it is necessary to strengthen the regulation of the administrative agency on the collection and use of personal information during the process of establishing a network fraud prevention mechanism. Managing information is the most important. Like other crimes, public security agency also have the characteristics of "reactive" in dealing with cyber fraud, that is, only after occurring cyber fraud cases and receiving reported information, will they be involved in the investigation of the case. In comparison, admin-
istrative agencies, especially those that are able to track and obtain large amounts of information, have the ability to detect fraudulent clues. In this case, the prevention of cybercrime (and even other crimes) should establish an information channel between the administrative agency and the public security and judicial agency. When discovering the clue of cyber fraud, the administrative agency should promptly transfer and share relevant information sources.
Strengthening the linkage between state agencies and private enterprises and financial institutions. Private companies is mainly Internet companies or private companies that rely mainly on the Internet. In preventing and punishing cyber fraud cases. It is no exaggeration to say that private enterprises are now the "core force" of cyber fraud governance. On the one hand, these Internet companies have the technology to discover and master scam information. On the other hand, some Internet companies provide a platform for cyber fraud, so these companies are obliged to provide relevant criminal clues, cooperating with public security judicial agencies to seize criminals and recovering proceeds of crime. Therefore, it is undoubtedly very important to strengthen the cooperation between state agency, especially the public security judicial agencies and the private sector. From the current situation, the linkage mechanism between the public security judicial agencies and the private enterprises has been established and achieved certain positive results.
The cooperation between state agencies and private enterprises in preventing cyber fraud should be comprehensive, especially as Internet companies continue to grow and become more and more influential. This cooperation also extends to all main aspects of cyber fraud governance. For example, on April 10, 2016, in a case reported by the Beijing police, the offender of cyber fraud did not use bank transfer, but used a third-party transfer platform to transfer and then cash out the illicit money. It is not uncommon to transfer illicit money or make money laundering through a third-party payment platform. Because the third-party payment platform ultimately relies on the financial system for funds transfer, it can completely supervise the transfer of suspicious funds through big data management.
Of course, whether it is the cooperation between state agency and private enterprises, or the cooperation between public security judicial agency and financial institutions, there are still
many links that should be improved. Especially, in sharing information mechanism, there is still much room for improvement. However, the most important issue is still how to determine the obligations and responsibilities of private enterprises and financial institutions in their access to information (mainly personal information) at the legal level. Actually this involves the legal nature of personal information, as well as the legal nature and attribution of data obtained by business operations. The author preliminarily believes that: (1) For the private part of personal information, the state agency need explicit authorization to obtain it from the Internet enterprise; for other types of personal information, departments with administrative functions can obtain the information according to its authority, and the public security agency and the procura-torate can also obtain the information according to its authority during the investigation of criminal cases. (2) The data obtained in the operation of Internet enterprises, should be understood as the trade secret. So the administrative department should not directly obtain the information in principle; if illegal information is involved, it is only an obligation for the enterprise to describe and explain. The suspected criminal information shall be provided by the enterprise when the public security judicial agencies require it to provide, but the scope of using information shall be restricted. The solution to this problem is actually the balance and coordination between the value of security and order, and interests of person and enterprise. Similarly, the issue of cooperation between the public security judicial agencies and financial institutions should be treated similarly.
Improving Cross-jurisdictional Cooperation of Cyber Fraud Governance. Another difficulty of cyber fraud governance is the cross-regional and cross-jurisdictional implementation of criminal activities. Therefore, to prevent and combate cyber fraud activities, it is necessary to cooperate with overseas law enforcement agencies and financial institutions. In the past few years, China's public security agency has cooperated with other countries and have cracked a large number of transnational telecom fraud cases. Taking 2016 as an example, the public security agency of China cooperated with the police in Laos, Thailand, Kenya, Malaysia, Armenia, Cambodia, Spain and other countries, and arrested a large number of telecommunication network fraudsters [10]. It can be said that the international police cooperation mechanism between China and
some countries in jointly cracking down on cyber fraud crimes has been established. Of course, it should be noted that there are still some "flaw" in Chinese legal system. For example, China has not yet issue the "Criminal Judicial Assistance Law", and some substantive and procedural issues need to be clearly defined by law.
Compared with international cooperation against cyber fraud, cooperation between mainland China and Taiwan may be more complicated. Up to now, the losses caused by telecom fraud groups led by Taiwan criminal suspects, accounted for more than 50 % of all loss. Most of the major cases involving over 10 million yuan, were implemented by Taiwan Telecom Fraud Group [4].
In 2009, after the ARATS and the SEF signed the "Agreement on Combating Crimes and Mutual Legal Assistance between the Two Sides of the Taiwan Straits", Taiwanese offenders arrested by Chinese mainland police abroad, were required to repatriate to Taiwan according to the agreement during a long period. They were repatriated and handed over to the Taiwan police for treatment. Then, due to evidence and other reasons, only some of repatriated offenders were found guilty. Even if they were guilty, their sentencing was very slight. This indulgent behaviors has caused these criminals to commit crimes again. Based on this situation, in recent years, Chinese mainland police have changed this strategy of immediate repatriation and adopted a method of criminal prosecution on the mainland. This kind of practice has obvious effects on deterring Taiwanese fraudsters, but it has also caused controversy in Taiwan's political arena. For example, in April 2016, 45 Taiwanese suspects involved in telecom fraud were repatriated from Kenya to the Chinese mainland, which made a great disturbance in Taiwan. From the perspective of criminal jurisdiction, according to the relevant jurisdictional provisions of China (Mainland) Criminal Law, it is entirely legal to investigate for criminal responsibility of Taiwan criminals. It also conforms to the basic jurisprudence of criminal jurisdiction of different jurisdictions within a country [12].
In terms of fighting against cyber fraud, China's public security agencies should strengthen intelligence work, especially to grasp the transaction situation and flow of personal information at home and abroad, and then establish effective information monitoring channels with other countries' police departments. Police co-
operation between Taiwan and mainland in China should also adopt the same line of thinking, making a difference in the information exchange and joint monitoring of cyber fraud.
Conclusion. In the current situation of high incidence cyber fraud cases, to punish and prevent cyber fraud crimes, we must first understand the characteristics of cybercrime, and then have a full and clear understanding of the dependence on personal information of cyber fraud. The further development of network technology will further integrate physical space and cyberspace. And the continuous development of information technology makes this integration come true. To analyze the existence and evolution process of cyber fraud crimes, it needs the sufficient understanding of meaning of information. It can be said that the focus of prevention of cyber fraud crimes should start from the establishment and improvement of personal information protection mechanisms, and establish an effective mechanism to prevent cyber fraud through protecting personal information; the concept of punishing cyber fraud crimes, should also be understood through personal information that is used. To punish and prevent cyber fraud cases, we should fully understand the characteristics and rules of network activities, and fully understand the significance of personal information in such crimes, and then determine the corresponding policies, systems and mechanisms.
For the conviction of cyber fraud and the sentencing of offenders, on the one hand, we should uphold the principle of legally prescribed punishment and the basic doctrine of fraud, and
then properly apply the law. On the other hand, when collecting evidence and confirming facts, Relatively reasonable rules should be adopt on the basis of considering the characteristics of cybercrime. Besides, when interpreting the law, a doctrine that is more in line with the characteristics of cyber fraud should be chosen. In this way, it is not a change to the rules of applicable law, but a necessary adjustment and improvement of the rules applicable law, combining with the characteristics of cybercrime.
"Governance" has the meaning of co-governance. The focus of cyber fraud governance is the cooperation between different entities, as well as the enhancement of information exchange between different subjects. In prevention and punishment of cyber fraud, special attention should be paid to the work of Internet enterprises. Besides, the administrative and judicial agency should strengthen cooperation with Internet enterprises, fully exerting the enthusiasm of Internet enterprises and also respecting the commercial interests and corporate reputation of Internet enterprises. Cyber fraud governance is an important part of the entire governance of cybercrime. If we can form a good cooperation mechanism between different subjects in cyber fraud governance, we can also replicate this kind of governance to regulate other types of cybercrime, especially for the most complex cyber-crime-cyber attack. Like other social issues, in the era of the Internet, issues of crime governance must also uphold the concept of co-governance, but not just rely on the public power sector to "fight alone".
Список литературы _
1. Cai Changchun. MENG jianzhu proposed "big schemes" to prevent and fight against telecom and cyber fraud. URL: http://www.legaldaily.com.cn/index/content/2016-10/13/content_6836188.htm?node=20908 (дата обращения: 14.10.2019). Текст: электронный.
2. Chen Yizhuang. What is Information // Theory Monthly. 1985. No. 5.
3. Do you know how valuable your personal information is? // Tencent Network Security and Crime Research. 2017. No. 1.
4. Fang Yan. Resolutely curb the high incidence of telecom fraud // China Network Information Security. 2017. No. 2.
5. Gui Changni. The cost of cybercrime will reach $ 8 trillion over the next five years // China Information Security. 2017. No. 6. P. 10.
6. Guo Chunying. Domestic criminal police signals dropped by 20 % // Legal Daily. 2016.
7. He Liquan, Li Siwen. Extortion software virus wreaked havoc on universities and colleges in china: once computers were invaded, they could not recover, http://www.thepaper.cn/newsDetail_forward_1684721 (дата обращения: 13.09.2019). Текст: электронный.
8. Lang Sheng. Interpretation of the criminal law of the people's republic of China // Law Press. 2015. P. 423.
9. Li Hong. The theory of criminal law (2nd ed.) // Law Press. 2016. P. 331.
10. Major transnational telecommunications fraud cases in 2006 // China Network Information Security. 2017. No. 2.
11. Pi Lan, Liu Feng, Lin Dongdai. A preliminary study on the protection of privacy in the era of big data // China Information Security. 2015. No. 9.
12. Shi Yanan. The boundary of the behavior of violating economic regulations adjusted by criminal law // Journal of Renmin University of China. 2017. No. 1.
13. Shi Yanan. The interregional criminal jurisdiction conflict and its solution // China People's Public Security University Press. 2005.
14. Wang Feng. More than half of telecommunications network fraud involves information leakage, and committee members call for the formulation of personal information protection law: 21st Century business report. 2017.
15. Wang Liming. Civil law (2nd ed.) // Fudan University Press. 2015. P. 268.
16. Zhang Mingkai. Criminal law (5th ed.) // Law Press. 2016. P. 1003.
17. Zhang Xinbao. From privacy to personal information: theory and institutional arrangement of interests Re-measurement // China Law. 2015. No. 3.
References _
1. Cai Changchun. MENG yianzhu proposed "big schemes" to prevent and fight against telecom and cyber fraud (Cai Changchun. MENG jianzhu proposed "big schemes" to prevent and fight against telecom and cyber fraud). URL: http://www.legaldaily.com.cn/index/content/2016-10/13/content_6836188.htm?node=20908 (Date of access: 14.10.2019). Text: electronic.
2. Chen Yizhuang Theory Monthly (Theory Monthly), 1985, no. 5.
3. Tencent Network Security and Crime Research (Tencent Network Security and Crime Research), 2017, no. 1.
4. Fang Yan China Network Information Security (China Network Information Security), 2017, no. 2.
5. Gui Changni China Information Security (China Information Security), 2017, no. 6, pp. 10.
6. Guo Chunying Legal Daily (Legal Daily), 2016.
7. He Liquan, Li Siwen Extortion software virus wreaked havoc on universities and colleges in china: once computers were invaded, they could not recover (Extortion software virus wreaked havoc on universities and colleges in china: once computers were invaded, they could not recover). URL: http://www.thepaper.cn/news-Detail_forward_1684721 (Date of access: 13.09.2019). Text: electronic.
8. Lang Sheng. Law Press (Law Press), 2015, pp. 423.
9. Li Hong Law Press (Law Press), 2016, pp. 331.
10. China Network Information Security (China Network Information Security), 2017, no. 2.
11. Pi Lan, Liu Feng, Lin Dongdai China Information Security (China Information Security), 2015, no. 9.
12. Shi Yanan Journal of Renmin University of China (Journal of Renmin University of China), 2017, no. 1.
13. Shi Yanan China People's Public Security University Press (China People's Public Security University Press), 2005.
14. Wang Feng More than half of telecommunications network fraud involves information leakage, and committee members call for the formulation of personal information protection law: 21st Century business report (More than half of telecommunications network fraud involves information leakage, and committee members call for the formulation of personal information protection law: 21st Century business report), 2017.
15. Wang Liming Fudan University Press (Fudan University Press), 2015, pp. 268.
16. Zhang Mingkai Law Press (Law Press), 2016, pp. 1003.
17. Zhang Xinbao China Law (China Law), 2015, no. 3.
Briefly about the authors_
Shi Yanan, professor, professor of Law School, director, Research Center for Criminal Justice, Renmin University of China,
Beijing, China. Sphere of scientific interests: public policy in criminal matters
2018000236@ruc.edu.cn
ChenZhenwei, postgraduate, Renmin University of China, Beijing, China. Sphere of scientific interests: public policy in criminal matters
shiyanan@ruc.edu.cn
Коротко об авторах
Ши Яньань, д-р юрид. наук, профессор, директор исследовательского центра уголовного правосудия, Народный университет КНР, г. Пекин, КНР. Область научных интересов: государственная политика в уголовных делах
Чэнь Чжэньвэй, аспирант, Народный университет КНР, г. Пекин, КНР. Область научных интересов: государственная политика в уголовных делах
Образец цитирования_
Shi Yanan, Chen Zhenwei Protection of personal information in the era of risk society // Transbaikal State University Journal, 2019, vol. 25, no.10, pp. 99-111. DOI: 10.21209/2227-9245-2019-25-10-99-111.
Ши Янань, Чэнь Чжэньвэй Защита личной информации в эпоху общества риска // Вестник Забайкальского государственного университета. 2019. Т. 25. № 10. С. 99-111. DOI: 10.21209/2227-9245-2019-25-10-99-111.
Статья поступила в редакцию: 02.12.2019 г. Статья принята к публикации: 13.12.2019 г.
