
10 Key Details in Cybercrime
The central positioning of information technologies in global social, economic, and individual activities has necessitated the adaptation of criminal law to this new reality. The Turkish Penal Code (TPC) has established a comprehensive shield for the protection of digital assets under the heading of “Crimes in the Field of Informatics.” The cornerstone of this protection is the crime of “Entering an Information System” regulated in Article 243 of TPC No. 5237. This act, commonly referred to as “infiltration” or “hacking,” is the most fundamental form of attack against the security of information systems, the privacy of data, and the right of disposal of the stakeholders over the system. The crime of infiltrating an information system is not merely a technical breach of access, but also the digital reflection of the right to privacy, freedom of communication, and property rights.
1. Technical and Legal Boundaries of the Concept of “Information System”
Before analyzing the elements of the crime of infiltration, the concept of “information system,” which constitutes the subject of the crime, must be clarified. According to the settled precedents of the Court of Cassation, information systems are magnetic systems that allow data to be processed automatically after being collected and placed. This definition offers a broad perspective covering both the hardware and software elements of the system. The field of informatics, on the other hand, refers to the digital ecosystem formed by these systems coming together, where information is stored and processed.
In today’s technology, a device does not necessarily have to be a desktop computer to be considered an information system. Smartphones, tablets, network servers, routers, smart televisions, and smart home appliances within the scope of the Internet of Things (IoT) are accepted as “information systems” within the meaning of TPC 243 as long as they possess data processing capacity. Legally, what is important is that the system is closed to external access and protected by a certain security threshold (password, biometric data, network restriction, etc.). Accessing web pages that are open to everyone and do not contain any barriers does not constitute this crime.
| Component of Information System | Legal Definition and Scope | Status as Subject of Crime |
|---|---|---|
| Hardware | Physical tools such as processors, memory, and storage units. | It is the subject of the crime if the system is entered through physical intervention. |
| Software | Operating systems, applications, and databases. | It is the subject of the crime if entered using password cracking or backdoors. |
| Magnetic Data | All kinds of information stored in digital format within the system. | Accessing data is the primary motivation for the crime of entering the system. |
| Network Structure | Connections providing data communication between systems. | Unauthorized access over a network is the most common form of infiltration. |
In the crime of infiltration, it is not mandatory to enter the entire system; unauthorized access to only a part of the system, such as a user account, a specific folder, or a database, is sufficient for the occurrence of the crime. The legislator aims to protect the integrity of digital property by subjecting even the smallest violation of the system’s privacy to criminal sanctions.
2. Alternative Acts: Entering and Staying in the System
The first paragraph of TPC Article 243 defines the crime with two alternative acts: “unlawfully entering” an information system or “continuing to stay there.” With the amendment made by Law No. 6698, which entered into force on March 24, 2016, the word “and” in the article text was changed to “or.” This change eliminated the old view that both entering and staying in the system were mandatory for the crime to occur; it settled that merely entering the system is sufficient for the completion of the crime.
The act of entering the system occurs when an unauthorized person becomes included in the magnetic field suitable for data processing by bypassing the protection measures of the system. This act is an “instantaneous crime”; that is, the crime is completed the moment the system is entered. Techniques such as password theft, social engineering, brute-force attacks, or exploiting system vulnerabilities can be used as methods of entry. What is important is that the perpetrator opens a session in the system or becomes included in the data flow.
The act of continuing to stay in the system is a “continuing (permanent) crime.” This act occurs when a person, who initially entered a system with consent or as a result of a technical error, does not leave after the consent is withdrawn or the error is noticed. For example, a person who looks at a social media account that remained logged in on a friend’s computer and continues to read messages instead of logging out commits the crime of “staying in the system.” The fact that this crime is permanent is of great importance in terms of the application of provisions on participation and the commencement of the statute of limitations.
3. Unlawfulness and the Limits of the Concept of Consent
One of the most critical elements of the crime of infiltration is that the action is “unlawful.” If the perpetrator has a legal basis or a valid consent received from the right holder to enter the system, the crime does not occur. Among the grounds of justification, the “consent of the relevant party” is the most common. However, in criminal law doctrine, certain conditions are sought for the consent to be valid.
Consent must be given by the person who has the power of disposal over the information system. Furthermore, this consent must be an “informed” consent and must cover the perpetrator’s purpose of entering the system. For example, the consent of a person who gives their password to an informatics expert only to solve a technical problem in their computer does not cover the expert’s reading of personal correspondence. If the expert accesses private data by going beyond the purpose of repair, the action will become unlawful as the limits of consent are exceeded. Consent must be declared before or at the latest during the action; approval given after the crime is committed does not make the act lawful with retroactive effect.
| Ground of Justification | Basis and Example | Application Conditions |
|---|---|---|
| Consent of the Relevant Party | The account holder giving the password voluntarily. | Consent must be given freely and its limits must not be exceeded. |
| Execution of a Provision of Law | Judicial authorities searching a computer pursuant to CMK 134. | A judge’s decision or a prosecutor’s order in cases where delay is prejudicial is required. |
| Exercise of a Right | A company having security tests (penetration tests) performed on its own network. | It must remain within the boundaries of the duty. |
| Legitimate Defense | Performing a counter-attack against the attacker’s system to stop a cyberattack. | There must be proportionality between the attack and the defense. |
The area where consent discussions are most intense is the relationship between spouses. The Court of Cassation argues that the marital union does not give the parties the right to interfere limitlessly in each other’s private lives. A spouse secretly entering the other’s social media account or e-mail address constitutes a crime within the meaning of TPC 243. The fact that the password is used jointly or left written on a piece of paper does not mean that the account can be entered at any time for any purpose.
4. Aggravated Form by its Result: Data Loss and Change
The third paragraph of TPC Article 243 stipulates an increase in the penalty if the act of infiltration leads to a loss. The legislator has regulated the aggravated form of the crime by its result with the phrase “if, due to this act, the data contained in the system is destroyed or changed.” For this paragraph to be applied, the perpetrator’s primary intent must be only to enter or stay in the system; they do not need to have the purpose of destroying or changing data.
If data loss or change has emerged as a “side result” of the perpetrator’s act of entering the system, the perpetrator is punished according to TPC 243/3. For example, a hacker who enters a database out of mere curiosity and causes some data to be deleted as a result of running a wrong command falls within this scope. However, if the direct purpose of the perpetrator is to delete or corrupt data, then the crime of “Destroying or Changing Data” regulated in TPC Article 244/2 will occur. This distinction is made by determining which direction the perpetrator’s subjective element (intent) is focused on.
| Crime Type | Perpetrator’s Intent | Result Occurred | Penalty Range |
|---|---|---|---|
| Basic Crime (243/1) | Only entering/staying in the system. | No harm. | Up to 1 year of imprisonment or a judicial fine. |
| Aggravated Form (243/3) | Entering/staying in the system. | Data was unintentionally deleted/changed. | Imprisonment from 6 months to 2 years. |
| Data Interference (244/2) | Deleting/corrupting data. | Data was deleted/changed. | Imprisonment from 6 months to 3 years. |
Within the scope of this paragraph, the term “data” covers all kinds of abstract elements, digital information, and formatted content within the system. No distinction has been made in terms of penalty between the irreversible deletion of data (destruction) and the alteration of the content of the data (change). In practice, even the deletion of data by some security software triggered automatically with the perpetrator’s entry into the system can be evaluated within the scope of this article on the grounds that there is a causal link between the entry and the result.
5. Systems Benefited for a Fee and Penalty Reduction
The second paragraph of TPC Article 243 stipulates a unique reason for reduction in informatics law: “In case the defined acts are committed regarding systems that can be benefited from in return for a fee, the penalty to be imposed shall be reduced by up to half.” The rationale of this regulation is the assumption that systems providing services for a fee are included in the “commercial field” in a sense, and unauthorized entries into these systems contain less wrongfulness compared to personal systems that are kept completely private.
The concept of “fee” is not limited to money only, but refers to any economic consideration offered to benefit from the system. Film and series platforms requiring a monthly subscription, paid game servers, professional database subscriptions, or cloud computing services with a certain usage fee are within the scope of this paragraph. When a perpetrator bypasses technical measures to enter a system, if that system is a public but paid platform, they will receive a reduction over the basic penalty.
However, there are some fine details for this reduction to be applied. If the perpetrator enters a paid system and then deletes or changes the data there, the provisions of TPC 243/3 and 243/2 are combined. In this case, a determination must be made based on the paragraph providing for a heavier penalty. Additionally, if the perpetrator realizes that the system is paid the moment they enter and leaves the system immediately, it may be accepted that the subjective element of the crime has not occurred and no penalty may be given. This paragraph aims to ensure criminal justice according to the nature of the access violation while protecting the economic value of information systems.
6. Interception of Data Transfers: Bypassing and MITM Attacks
One of the most insidious attack methods in the informatics world is to secretly follow the data flow between systems instead of directly infiltrating the system. This act, known as a “Man-in-the-Middle” (MITM) attack in cybersecurity terminology, was regulated as an independent crime type with the fourth paragraph added to TPC Article 243 in 2016.
Pursuant to this paragraph, any person who unlawfully monitors data transfers occurring within an information system or between information systems with technical means without entering the system shall be punished with imprisonment from one year to three years. For this crime to occur, the perpetrator does not need to “log in” to the target computer or server, i.e., enter the system. The perpetrator captures and monitors the packets in the air using devices that listen to network traffic (sniffing tools), fake access points (evil twins), or protocol analyzers.
| Monitoring Method | Technical Explanation | Legal Consequence |
|---|---|---|
| Sniffing | Copying and reading data packets on a network. | 1-3 years of imprisonment under TPC 243/4. |
| Wi-Fi Eavesdropping | Following traffic on unencrypted or cracked wireless networks. | Constitutes a crime under TPC 243/4. |
| Port Mirroring | Redirecting a copy of data traffic to another port for monitoring. | Within the scope of TPC 243/4 when unauthorized. |
With this regulation, not only the “static” security of the systems but also the “dynamic” flow security of the data is protected. If the perpetrator not only monitors the data by intervening but also changes or stops it, the action no longer falls under TPC 243/4 and falls under TPC 244 (blocking the system and changing data). This paragraph is a critical legal barrier against cyber intelligence and corporate espionage activities.
7. The Delicate Boundary Between TPC 243 and TPC 244: Access vs. Sabotage
The most frequent subject of discussion in informatics crime trials is whether the act falls within the scope of TPC 243 (Entering an information system) or TPC 244 (Blocking, damaging the system, destroying or changing data). In doctrine, the relationship between these two articles is explained by the concept of “compound crime” or “progressive crime.” A person who wants to damage an information system or delete data usually needs to enter that system first. In this case, TPC Article 244, which requires a heavier penalty, is applied alone as it also encompasses the act of entry.
The fundamental difference between the two articles is where the perpetrator’s intent is concentrated. TPC 243 is an “access violation” crime; it punishes the bypassing of the system’s privacy wall. TPC 244, on the other hand, is a “functional interference” crime; it aims to stop the operation of the system or falsify its content.
| Comparison Criterion | Entering an Info System (TPC 243) | Damaging System & Data Interference (TPC 244) |
|---|---|---|
| Legal Subject | Integrity and privacy of the system. | Functionality of the system and data accuracy. |
| Direction of Intent | Seeing the content or being present in the system. | Stopping, blocking the system or deleting data. |
| Example Case | Entering someone else’s e-mail and looking at mails. | Changing the e-mail password and blocking the owner. |
| Upper Limit of Penalty | 1 year imprisonment or judicial fine. | Up to 5 years imprisonment (if the system is blocked). |
According to the established decisions of the 8th Penal Chamber of the Court of Cassation, entering someone’s social media account and only examining their profile falls under TPC 243/1, whereas changing the password and blocking the original user from entering is evaluated within the scope of TPC 244/2 due to the act of “rendering inaccessible.” Since this distinction dramatically changes the lower and upper limits of the criminal sanction, it is of vital importance for the defense and prosecution.
8. Digital Evidence and the Proof Process: Is an IP Address Sufficient for Conviction?
Proving informatics crimes requires the collection of digital traces through technical methods. The most fundamental evidence in this process is the IP (Internet Protocol) address. The fact that every device connecting to the internet has an identification number constitutes a “starting point” for the identification of the perpetrator. However, the Court of Cassation and cybersecurity experts emphasize that an IP address alone cannot be considered sufficient evidence for a conviction.
IP addresses can be static (fixed) or dynamic (variable). Especially in homes and workplaces using dynamic IP, the same IP address can be assigned to different users at different times. Furthermore, easily cracked wireless network passwords or technical vulnerabilities like “open relay” allow the perpetrator to commit crimes using someone else’s internet line. Therefore, it is mandatory to collect the following additional evidence for a sound trial:
- MAC Address Identification: The physical network card address of the computer or phone where the crime was committed.
- Port Information: Determining the person using the correct port among thousands of users sharing the same IP, especially in Carrier Grade NAT (CGNAT) structures.
- Log Records: Overlap of target system login-logout times with the connection records of the internet service provider (ISP).
- Device Examination (CMK 134): Confiscating digital materials in the suspect’s home/workplace and searching for traces related to the subject system in their contents (cookies, browsing history, saved passwords, etc.).
| Digital Evidence Type | Proving Power | Technical Limitations |
|---|---|---|
| IP Address | Entry-level evidence. | Can be manipulated, can be used by someone else. |
| Log File | Medium-level supporting evidence. | Can be changed or the timestamp may be incorrect. |
| Forensic Copy (Image) | High-level conclusive evidence. | Must be taken according to CMK 134 procedure. |
| Witness Statement | Supporting evidence. | May be insufficient in technical details. |
Unless evidence is lawfully identified, the fact that only an IP address points to the suspect leads to an acquittal decision in accordance with the principle of “the suspect benefits from the doubt.”
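The overlap check between target-system logs and ISP records described in this section, as an added example that is not part of the original article: it shows why an IP address alone leaves several candidates behind a CGNAT address, how the source port narrows them, and how timestamp uncertainty can reopen the question. The record layout, addresses, ports, times, and subscriber labels are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed ISP CGNAT records (hypothetical layout): one public IP is shared,
# and each subscriber holds a block of source ports for a limited time window.
# (public_ip, port_start, port_end, session_start, session_end, subscriber)
CGNAT_SESSIONS = [
    ("203.0.113.10", 1024, 2047, "2024-05-01T20:00:00", "2024-05-01T23:00:00", "subscriber-A"),
    ("203.0.113.10", 2048, 3071, "2024-05-01T20:30:00", "2024-05-01T22:00:00", "subscriber-B"),
    ("203.0.113.10", 1024, 2047, "2024-05-01T23:05:00", "2024-05-02T02:00:00", "subscriber-C"),
]

# Constructed login events as recorded by the target system.
TARGET_LOGINS = [
    {"ts": "2024-05-01T21:15:30", "src_ip": "203.0.113.10", "src_port": 2500},
    {"ts": "2024-05-01T21:15:30", "src_ip": "203.0.113.10", "src_port": None},  # port not logged
    {"ts": "2024-05-01T23:03:00", "src_ip": "203.0.113.10", "src_port": 1500},  # near a reassignment
]


def candidates(event, sessions=CGNAT_SESSIONS, skew=timedelta(0)):
    """Return the subscribers whose CGNAT session could have produced the event.

    skew widens each session window to allow for clock differences between
    the target system and the ISP.
    """
    ts = datetime.fromisoformat(event["ts"])
    found = set()
    for ip, port_lo, port_hi, start, end, subscriber in sessions:
        if ip != event["src_ip"]:
            continue
        port = event["src_port"]
        # Without a logged source port, every subscriber on the IP stays in play.
        if port is not None and not (port_lo <= port <= port_hi):
            continue
        if datetime.fromisoformat(start) - skew <= ts <= datetime.fromisoformat(end) + skew:
            found.add(subscriber)
    return sorted(found)


def attribute(event, skew=timedelta(minutes=5)):
    """Classify how far the records narrow the event to a single subscriber."""
    matches = candidates(event, skew=skew)
    if not matches:
        status = "no match"
    elif len(matches) == 1:
        status = "unique"
    elif event["src_port"] is None:
        status = "ambiguous: source port not logged"
    else:
        status = "ambiguous: timestamp uncertainty"
    return status, matches


if __name__ == "__main__":
    for login in TARGET_LOGINS:
        print(login, "->", attribute(login))
```

Even a "unique" result only identifies a subscriber line, not the person at the keyboard, which is why the device examination and forensic copy remain necessary.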
9. Procedural Law Details: Investigation, Statute of Limitations, and Conciliation
Informatics system infiltration crimes are not in the category of crimes subject to complaint because they threaten public order and the general functioning of digital security. All acts within the scope of TPC 243 are investigated “ex officio” (automatically) by the prosecutor’s office. The victim’s withdrawal of the complaint does not end the filed public case, and the trial continues.
The “conciliation” procedure is also not applied in this type of crime. Informatics crimes are not among the crimes within the scope of conciliation specified in Article 253 of the Criminal Procedure Code No. 5271. This means that even if an agreement is reached between the perpetrator and the victim, the state’s power to punish continues.
The statute of limitations for the case is 8 years, considering the amount of penalty in TPC Article 243/1. If a final verdict cannot be established within 8 years from the date the crime was committed, the case is dropped. The competent court is the “Criminal Court of First Instance.” The authorized court is generally the court in the place where the crime was committed, i.e., where the perpetrator entered the system. However, due to the cross-border nature of informatics crimes, the place where the victim is located or the center of the system can also be authorized.
10. Relationship with Other Crime Types: Theft, Fraud, and Private Life
Infiltration of information systems is often the first link in a larger chain of crimes. In this case, the question arises whether the action will remain as TPC 243 alone, or whether it will be an “element” or an “aggravating reason” for another crime.
- Theft through Information Systems (TPC 142/2-e): If the perpetrator’s purpose is not to enter the system but to provide an unfair advantage by making a money transfer through the system, this situation is no longer an informatics crime but a qualified theft crime. The Court of Cassation evaluates unauthorized money transfers from bank accounts within the scope of this article.
- Fraud through Information Systems (TPC 158/1-f): If the perpetrator uses the information system as a tool for “deception” and provides an advantage by deceiving the victim, the crime of qualified fraud occurs.
- Violation of the Privacy of Private Life (TPC 134) and Personal Data (TPC 135-136): In case private photographs or correspondence are seized after entering the system, both the crime of entering the system and crimes committed against private life come to the fore. Since the perpetrator committed more than one crime with a single act, they are held responsible for the crime requiring the heaviest penalty in accordance with the provisions of the plurality of crimes.
In addition, the crime of “Misuse of Bank or Credit Cards” regulated in TPC Article 245 also frequently intertwines with the infiltration of information systems. However, while the legislator has stipulated “effective repentance” provisions for this crime, no such special regulation has been made for TPC 243.
Future Projection
The crime of infiltrating information systems is constantly gaining new forms with the development of technology. This act, which was seen as a simple password cracking action in the past, has reached a much more dangerous dimension today with AI-supported attacks, quantum decryption attempts, and complex social engineering methods. Article 243 of the Turkish Penal Code was updated in 2016 to respond to these changes and has also included modern attack types such as “interception.”
In legal practice, lack of technical knowledge or erroneous collection of digital evidence can lead to judicial errors. Therefore, expert examination, meticulous identification of side evidence other than the IP address (MAC, Log, HASH), and correct analysis of the perpetrator’s subjective element are of vital importance in informatics crime trials. The inviolability of information systems is not only a matter of data security but also a matter of protecting human dignity and privacy in a digitalizing world. The sanctions provided by the law and the precedents developed by the Court of Cassation reflect a determined will to establish the rule of law in the cyber world.