Cybercrime

The legislator, with the development and widespread adoption of technology, has regulated these new types of offenses that have entered our lives under the heading of "Crimes in the Field of Informatics" in the Turkish Penal Code. Under this heading, offense types are addressed in Articles 243-245, and separate sanctions and penalties are prescribed for each. Unauthorized access to an information system, obstructing, disrupting, destroying, or altering a system, misuse of bank and credit cards, and manufacturing, selling, or acquiring prohibited devices are regulated as cybercrimes in the Turkish Penal Code.

An IP address helps in identifying which device was used to commit a cybercrime. Every information technology tool on the internet has its own unique IP address. IP addresses can be defined as the virtual identities of computers. There are two types of IP addresses. The commonly used type is called dynamic IP. A dynamic IP address means that a different IP is assigned to your IT tool every time you connect to the internet. The other type is a static IP address. In this case, a permanent IP address is assigned to you and your device, allowing you to connect to the internet consistently from that IP address.

The offense of unauthorized access to an information system can be committed by a perpetrator who gains unauthorized access to an information system to access another person's data or by continuing to remain in the system without authorization. The simplest example is unauthorized access to social media accounts. You can find more information about crimes committed via social media in the article "Crimes Committed on Social Media." The cybercrime is deemed to have been committed the moment unauthorized access to an information system occurs or unauthorized presence continues. It is not required for the perpetrator to also copy or destroy the data in the system. The second paragraph of Article 243 of the Turkish Penal Code regulates the aggravated form of the offense, which requires a lesser penalty. Accordingly, if the system accessed by the perpetrator is an information system for which a fee is paid for use, the penalty may be reduced by half. For example, a person accessing an application like Netflix without a subscription constitutes a cybercrime, but the penalty is applied with a fifty percent reduction.

Another aggravated form of this cybercrime is regulated in the third paragraph of the same article. According to this, if the data in the information system is destroyed or altered as a result of the perpetrator's action, a prison sentence of six months to two years may be imposed. The fourth paragraph of the same article stipulates that a person who monitors data flows by technical means without accessing the information system shall be sentenced to imprisonment for one to three years.

The penalty for the basic form is imprisonment for up to one year or a judicial fine. As can be seen, if the act meets the conditions in the third and fourth paragraphs, it is not possible to impose a judicial fine. The cybercrime in question can be committed with intent. That is, accidentally accessing another person's system without permission does not constitute this offense.

Disrupting and Obstructing a System in the Commission of a Cybercrime

A cybercrime can also be committed through acts of disrupting, obstructing a system, destroying, or altering data. This is regulated in Article 244 of the Turkish Penal Code. The core of this article is the situation where the perpetrator of a cybercrime causes damage to an information system. It can be committed through alternative acts. For example, someone accessing your Instagram account and deleting all your photos or rendering documents on your computer unusable can be given as examples of the commission of this offense. Slowing down the operational speed of an existing information system or restricting its functionalities can be given as examples of the offense being committed through obstruction.

In the first paragraph of the article, the cybercrime involves acts of obstructing or disrupting the operation of the system, and the penalty is set as imprisonment for one to five years. The second paragraph of the article regulates the situation where the cybercrime is committed through acts of disrupting, destroying, altering, or rendering inaccessible. In this case, the penalty to be imposed is less severe compared to the first paragraph. If a cybercrime is committed through these acts, a prison sentence of six months to three years shall be imposed.

The third paragraph of the article includes an important regulation. If the cybercrime in question is committed against credit institutions, public institutions or organizations, or banks through the acts listed in this article, the penalty to be imposed shall be increased by half. In the event of the commission of the cybercrime under this article, the owner of the information system is the victim. If the act is committed against a structure, such as a website, that is dedicated to the use of other persons besides the owner, and as a result of this act, customers or visitors also experience difficulty in benefiting from the site, these persons will also become victims of the crime. For the commission of this cybercrime under this article, the perpetrator must act with intent.

Commission of Cybercrime with Bank and Credit Cards

Cybercrime can also be committed through the misuse of bank and credit cards, which have become indispensable parts of our daily lives. For this offense to be committed, a person must use another person's bank or credit card without the owner's consent or have another person use it on their behalf, thereby gaining a benefit for themselves or another. How the bank or credit card came into the person's possession is not important here. That is, even if these acts are carried out with a bank or credit card found by chance on the ground, the cybercrime in question will be constituted. However, the legislator has introduced an exception to this situation. According to this exception, no penalty shall be imposed if these acts are committed by spouses, ascendants, descendants, persons in an adoption relationship, or siblings living together against each other.

The second paragraph of the article regulates the causing of damage to banks or credit institutions by using fictitious accounts. For this paragraph, unlike the first paragraph, the victim of the crime is the relevant bank or credit institution. This is because, since the cybercrime is committed using non-existent accounts, it is not possible to speak of a cardholder. If a cybercrime is committed as a result of the acts mentioned in this paragraph, the perpetrator shall be punished with imprisonment from three to seven years and a judicial fine of up to ten thousand days.

Furthermore, the legislator has stipulated that persons who benefit from the use of counterfeit or forged bank or credit cards shall also be punished with imprisonment from four to eight years and a judicial fine of up to five thousand days.

Use of Prohibited Devices and Programs

This is regulated in Article 245/A of the Turkish Penal Code's cybercrimes section. The legislator has tried to keep pace with the rapidly developing electronic life by encompassing a wide range of situations within this article. The article refers to two situations. The first is the situation where a device, password, security code, or program is specifically made for the purpose of committing a cybercrime. For example, password cracking programs fall into this category. The other situation is where the device, password, security code, or program facilitates the commission of other crimes committed by using information systems as a tool.

In both situations, persons who manufacture, import, transport, accept, store, sell, purchase, transfer to another, or possess the device, password, program, or security code are subject to imprisonment from one to three years and a judicial fine of up to five thousand days.

Reporting, Complaint, and Conciliation in Cybercrime

Cybercrime is not among the offenses subject to complaint. Therefore, it must be investigated ex officio by the public prosecutor's office. Applications made by individuals to the public prosecutor's office regarding the commission of a cybercrime cannot be qualified as a complaint. In offenses investigated ex officio, applications made by individuals to the public prosecutor's office serve as a report. Since it is not an offense subject to complaint, the victim cannot withdraw from the case.

The statute of limitations for prosecution for cybercrime is eight years. If the eight-year period is exceeded, the investigation of the crime is not possible.

The legislator has expanded the scope of the conciliation institution in recent years to reduce the burden on courts. However, cybercrime is not regulated within the scope of conciliation.

Relevant Supreme Court Decisions

Decision 1:

"According to the facts and the entire case file, the complainant ... contacted the convicted person by phone to purchase a phone from the website www.enzarworld.com, ordered a mobile phone, and provided the credit card details of his wife, the complainant ..., for payment. Upon being informed that the money could not be withdrawn from the credit card, the complainant ... transferred the minimum fee determined by the Minimum Attorneyship Wage Tariff (AAÜT) to the account of the convicted person. Subsequently, 2,055.89 and the minimum fee determined by the Minimum Attorneyship Wage Tariff (AAÜT) were withdrawn from the credit card subject to the crime, and the mobile phone was not sent. In this concrete case; the court's finding and application that the convicted person's action, where the victim was ..., constituted fraud by using information systems ... or credit institutions as a tool, by first obtaining the credit card details of the complainant ..., then stating that they could not collect the payment and continuing their action by having the complainant ... send the minimum fee determined by the Minimum Attorneyship Wage Tariff (AAÜT) via ... transfer, and then not sending the phone; and the actions of additionally withdrawing money from the credit card account subject to the crime, where the victim was ..., constituted the offenses of gaining benefit by unauthorized use of another's ... or credit card, were found to be without error."

Supreme Court 8th Criminal Chamber 2018/12747 E. , 2019/9639 K.

Decision 2:

"The unlawful acquisition of data and the deriving of benefit therefrom, even if it has economic value, does not render the data movable property. Therefore, the action of the defendant unlawfully acquiring the complainant's character in the Knight Online game should have been considered to constitute only the cybercrime under Article 244/2-4 of the Turkish Penal Code No. 5237, without falling into error regarding the qualification of the offense and additionally convicting for the offense of theft under Article 142/2-e of the Turkish Penal Code, This necessitated reversal, and the defendant's counsel's appeal objections were found to be well-founded in this respect, therefore, the judgment is hereby OVERTURNED for this reason, contrary to the request, by unanimous decision on 29.05.2019."

Supreme Court 2nd Criminal Chamber 2018/7295 E. , 2019/9896 K.

Av. Mehmet Yücesoy

İzmir Attorney & Legal Consultancy