Editor's note In recent years, the rapid development of communication and information network technology has brought great convenience to people's lives, but the number of telecommunications network fraud, especially cross-border fraud cases, has also shown an upward trend, and the criminal means are constantly updated, which has brought many new challenges and difficulties to judicial practice. This issue of "Viewpoints and Cases" focuses on the "Telecommunications Network Fraud Case of Zhang Kaimin and 52 Others (Procuratorate Case No. 67)" in the 18th batch of Guiding Cases of the Supreme People's Procuratorate, and invites legal experts and procurators handling cases to discuss issues such as the focus of the review of electronic evidence and the construction of an evidence system.
The 18th Batch of Guiding Cases of the Supreme People's Procuratorate
Zhang Kaimin and 52 others in the telecommunications network fraud case (Procuratorate Case No. 67)
【Essentials】 Cross-border telecommunications network fraud crimes often involve a large amount of foreign evidence and a huge amount of electronic data. Evidence obtained abroad should focus on examining legality, and electronic data should focus on objectivity. Telecommunications network fraud criminal organizations whose main members are fixed and whose other personnel have a certain degree of mobility may be identified as criminal groups.
【Basic Facts】Between June 2015 and April 2016, defendant Zhang Kaimin and 52 others successively participated in a criminal group that defrauded Chinese mainland residents of telecommunications networks abroad. In the process of committing the fraud, the defendants divided their labor and cooperated, and some of the defendants were responsible for using telecommunications network technology to make voice group calls to residents' telephones, the content of which was "there is a courier that has not been signed, and after inquiry, passports and visas are about to expire, exit control will be restricted, and identity information may be leaked". When the victim follows the content, the phone will automatically connect to the front-line operator posing as the courier company. On the pretext of helping victims report the case, front-line operators transfer the phone to second-line operators posing as public security bureau case-handling personnel when the victims do not hang up. The second-line operator falsely claimed to the victim that "because the personal information leaked was used for criminal activities, it is necessary to investigate the flow of the victim's funds", and deceived the victim into transferring money and remittance to the designated account. If the victim still has doubts about the second-line operator's claim, he or she will transfer the phone to the third-line operator posing as a prosecutor to continue the fraud. By the time of the incident, Zhang Kaimin and others had defrauded the victims of more than 23 million yuan through the above-mentioned fraudulent means. On April 1, 2017, the Second Branch of the Beijing Municipal Procuratorate indicted Zhang Kaimin and others for fraud, and on December 21, 2017, the Beijing Municipal Second Intermediate People's Court issued a guilty verdict against Zhang Kaimin and others for the crime of fraud.
How to establish the correspondence between "machine → people"?
The reinforcement evidence rule can be used to address:
● Under the premise of stabilizing confessions, use documentary evidence such as "entry and exit records", electronic data such as "return booking records", and confessions of co-defendants to strengthen the confessions of the person being prosecuted, and build an evidence bridge of "case → machine → person".
How is the main offender and an accessory to be distinguished?
● With the identification of "behavior trajectories" as the main line, comprehensively use electronic data such as call records and chat records, and assist in corroborating evidence such as criminal suspects' confessions and witness testimonies, to ascertain the status and role of persons involved in the case in criminal groups.
How to accurately determine the facts of the case?
Around the phone card and bank card to support the facts of the case:
● Use a telephone card to prove "people flow" and "information flow"
● Prove the "flow of funds" with a bank card
● The combination of two cards is supplemented by evidence such as bank account transaction details to prove the correlation between the criminal organization → the victim → the facts of the crime
Review of the legality of evidence obtained abroad
● Examine whether the form of evidence complies with the provisions of the Criminal Procedure Law
● Review of evidentiary materials such as mutual legal assistance agreements
● Review the transfer process to ensure the integrity of the chain of custody of evidence
Electronic data has no fouling identification issues
●Revolve around the originality and integrity of electronic data
●The starting benchmark time for the identification of no fouling, that is, the time of acquisition of the equipment
● During the investigation and evidence collection stage, consult the appraisal experts in a timely manner to achieve complete evidence collection
Electronic data authenticity (objectivity) review:
Step by step, at different levels
The authenticity of the storage media
● Authenticity of data carrier sources
● The authenticity of the storage medium in litigation
Authenticity of the data ontology
● Originality and identity of data sources
● Whether the data has been changed in all aspects of the litigation
Authenticity of the data content
●Whether the data content and the case content are true
●Whether the content can be corroborated with other evidence
Establish the focus of the review around "legality" and "objectivity"
Wang Zhigang
"It provides a systematic solution from the three dimensions of constructing the evidence system, establishing the focus of review and leading the identification needs, which has universal guiding significance."
With the intensification of the mainland's crackdown on the overseas dens of telecommunications network fraud crimes (hereinafter referred to as "telecommunications fraud crimes"), some people involved in the case have successively entered criminal proceedings, and the increase in such cases has brought new challenges to judicial practice.
Judging from the composition and structure of evidentiary materials, in addition to physical evidence, documentary evidence and verbal evidence, electronic data is the core form of evidence in the handling of telecommunications fraud cases. There are two main types of such electronic data: one is content data, such as non-public files stored in the computer of the person involved in the case, mobile phone, e-mail and social software chat records, etc., such data is generally obtained from the perpetrator's equipment; The other type is path data, that is, by identifying the transmission path of the information data involved in the case to determine the "metadata" that can identify the user, this kind of data is generally obtained from the data pool and data pipeline through which the information involved in the case passes. Due to the special source, scattered distribution and large volume, how to review and identify these evidentiary materials, especially electronic data, has become a difficult problem in judicial practice by scientifically constructing an evidence system. In the 18th batch of Guiding Cases of the Supreme People's Procuratorate, the handling of the "Telecommunications Network Fraud Case of Zhang Kaimin and 52 Others (Procuratorate Case No. 67)" (hereinafter referred to as "Procuratorate Case No. 67") provides a systematic solution from the three dimensions of building an evidence system, establishing the focus of review, and leading the appraisal needs, which is of universal guiding significance.
Establish a topological association around the two main axes of "people" and "things"
In "Procuratorate Case No. 67", the case-handling personnel closely establish the main axis around the two elements of the person being prosecuted and the facts of the case, and establish a topological association around the two main axes to build a whole case evidence system.
First, the human element. Different from the traditional handling of cases, telecommunications fraud crimes span both virtual and physical spaces, and the investigation and collection of evidence often follow the logic of "case (case facts) → machine (crime computer or mobile phone) → person (user of the crime computer or mobile phone)". In this process, it is easier to build a evidence bridge for the "case → machine", but there is great uncertainty in the evidence bridge of the "machine → person". For example, although the man-machine was seized at the scene, the possibility that the computer (mobile phone) would be used by other personnel before the seized person took over. So, how to establish the correspondence between "machine → people"? How do you determine the identity of a virtual identity and a real identity? This is a problem that must be solved at the level of evidence application, if only rely on the confession of the prosecuted population to prove it, then once there is a situation of "zero confession" or the retraction of the prosecution, the evidence bridge will be broken. "Procuratorate Case No. 67" better adopted the rules of reinforcement evidence to solve this problem: under the premise of the defendant's stable confession, the procurator handling the case comprehensively used documentary evidence such as "entry and exit records", electronic data such as "return booking record sheet" and Skype account login information, and witness testimony such as the confession of the co-defendants, and very solidly reinforced the confession of the prosecuted person, effectively solving the problem of evidence determination of the "machine → person", thus firmly building an evidence bridge of "case → machine → person".
Second, the elements of things. In cases of telecommunications fraud crimes, due to the scattered distribution and large number of victims, coupled with the fact that the amount of crime is mostly a small amount of a single case, this brings great difficulties to accurately determine the facts of the case, especially the amount of the crime. In "Prosecution Case No. 67", the case-handling personnel closely focus on the telephone card and bank card to support the facts of the case: the telephone card is used to prove the "flow of personnel" and "information flow"; Proof of "flow of funds" with a bank card; The two cards are combined with evidence materials such as bank account transaction details and bank customer notices to prove the correlation between the criminal organization of electronic fraud → the victim → the facts (consequences) of the crime, thus forming a strict chain of evidence.
At the same time, since the crime of wire fraud is a typical chain crime, and each person involved in the case is in different links and roles in the case, how to use evidence to prove issues such as the time of participation of the prosecuted person, the mode of conduct, and whether there is a criminal intention to contact in the determination of the facts of the case plays an important role in accurately ascertaining the facts of the case. In "Procuratorate Case No. 67", the case-handling personnel took the identification of the "trajectory of behavior" as the main line, comprehensively used electronic data such as internet telephone call records and Skype chat records, and supplemented it with evidence such as the confessions of criminal suspects and witness testimony, accurately ascertaining the status and role of the persons involved in the case in the criminal group, thus distinguishing between the principal and accessories, and making a fair handling of the case.
Establish the focus of the review around the two attributes of "legitimacy" and "objectivity"
In "Procuratorate Case No. 67", the procurator promptly discovered the problems after a comprehensive and meticulous review of the legality and objectivity of the evidentiary materials, and solved the relevant problems by guiding supplementary investigations, thus building a solid evidence foundation for the whole case.
First, legitimacy. Generally speaking, when it comes to the legality of criminal evidence, it is often from the three angles of the subject of evidence collection, the collection procedure and the form of evidence, while for the evidence materials obtained abroad, the legality review is more complicated. In "Procuratorate Case No. 67", the case-handling personnel's review of the legality of relevant evidentiary materials progresses from several levels: First, examine whether the evidentiary materials conform in form to the provisions of the Mainland Criminal Procedure Law, and solve the problem of the legality of the materials; Second, through the review of relevant treaties, judicial assistance agreements and other evidentiary materials to solve the problem of "legality" of foreign law enforcement personnel's evidence collection in the mainland; Third, the handover process is reviewed to address the integrity of the chain of custody of evidence. In addition, the evidentiary materials provided by the parties, their defenders and agents ad litem from abroad were also examined whether they had undergone legal procedures such as fairness and certification in accordance with the regulations. This meticulous and comprehensive review ensures the admissibility of foreign evidence in the context of criminal proceedings on the mainland.
Second, objectivity. In terms of its properties, electronic data is a kind of physical evidence, so from the perspective of the formal elements of evidence objectivity, it exists objectively. However, electronic data is a special kind of physical evidence, it has the possibility of forgery or destruction in the generation, extraction, circulation, application and other links, this characteristic makes it necessary to judge the objectivity of electronic data in addition to the electronic data itself, but also need to judge the objectivity of electronic data in many aspects according to its relationship with the criminal facts, the connection with the relevant evidence and the relationship with all the criminal facts. Judging from the relevant legislative provisions outside the territory and the mainland, the current objective review of electronic data is mainly carried out from the two levels of form and content. In terms of form, the following aspects are mainly reviewed: First, whether the hardware and software systems for generating, transmitting and storing electronic data are reliable, whether the system is operating normally, and whether there are encryption and other security measures for transmission and storage; Second, whether the production subject, production method and production method of electronic data are reliable; The third is whether the content of electronic data is complete, and whether it has been artificially added, deleted or tampered with. In terms of content, the objectivity of electronic data content is generally reviewed through mutual corroboration between evidences. In the "Procuratorate Case No. 67", in the formal objectivity review, the procurator reviews the storage medium on the one hand, and on the other hand, examines the process of extraction, storage, circulation and other processes of electronic data with the technical standard of "no fouling identification". In terms of content objectivity review, on the one hand, procurators examine whether verbal evidence in the case can corroborate each other with electronic data, and whether different electronic data can corroborate each other, on the other hand, present the correlation between electronic data and case facts through verbal evidence, documentary evidence, physical evidence, and other evidence, and establish the relevance of electronic data with victims and criminal suspects through telephone cards, bank cards, verbal evidence, and so forth. This systematic solution is very instructive.
Identify the requirements around the criteria of "originality" and "completeness"
Originality and integrity are the prerequisites for ensuring the objectivity of electronic data, and the "no-fouling identification" in "Inspection Case No. 67" actually revolves around the originality and integrity of electronic data. It can be said that it is precisely the importance that the procurator handling the case attaches to the appraisal work, so that the evidentiary ability and probative power of the electronic data involved in the case in this case have been enhanced, thus ensuring the smooth progress of the litigation.
First, primitiveness. Electronic data has the characteristics of easy to tamper, easy to annihilate, strong concealment, etc., resulting in its originality is easily damaged, therefore, in the use of electronic data as evidence to prove a certain fact to be proved in the process, how to prove its originality has become the key to solving the problem. During the review and prosecution stage of this case, the procurator handling the case keenly found that the starting benchmark time of the "no defacement appraisal opinion" for electronic data was 11 hours later than the time of the criminal suspect's return to the case, and the possibility of the electronic data being defaced during this period could not be ruled out, so the consistency of the starting benchmark time of the appraisal and the time of arresting the criminal suspect and obtaining the equipment involved in the case was achieved through supplementary investigation, thus ensuring the originality of the electronic data.
Second, integrity. The integrity of electronic data not only refers to the extraction of the electronic data involved in the case without omission or damage, but also includes the "comprehensive extraction" of the electronic data. As we all know, the software and hardware environment of computers will affect and change the form of electronic data. There is a detail in the "Procuratorate Case No. 67", that is, the procuratorial personnel and the investigators go to the appraisal institution to consult with technical experts, so as to know the specific requirements of the "non-fouling appraisal" of electronic data, and clarify the solution ideas for the scope and procedure of extracting and fixing electronic data, thus providing qualified inspection materials for the appraisal work and ensuring the smooth progress of the appraisal work. This practice is of great enlightenment significance: the complete extraction of electronic data as a kind of forensic behavior with high technical requirements, in the absence of technical expert guidance, it is difficult for general investigators to achieve complete evidence collection of complex electronic data, if you can consult with experts in a timely manner at the stage of investigation and forensics, understand the identification standards and material requirements of electronic data, you can more targeted to formulate a forensic plan, so as to achieve complete forensics more accurately and efficiently.
In addition, the inquest and appraisal of electronic data are two different litigation acts: the inquest is the evidence collection work carried out by the investigators in accordance with the law, and the appraisal is the inspection and analysis work carried out by the appraiser using special tools and expertise. In "Procuratorate Case No. 67", the procurator promptly corrected the practice of replacing the "Forensic Appraisal" with the "Inquest Record", thus avoiding the doubt of "using appraisal instead of inquest", and thus ensuring the legality of the evidence collection procedure and appraisal procedure, which is commendable.
(The author is a professor at the School of Cyberspace Security and Information Law of Chongqing University of Posts and Telecommunications and the director of the Forensic Identification Center)
Based on the "dual carrier" feature, the data authenticity review path is clarified
Shelley
"The authenticity of electronic data is reviewed step by step and at different levels from the three aspects of storage medium, electronic data ontology, and electronic data content, which is highly operable and has certain reference value for judicial case handling."
In telecommunications network fraud cases, electronic data dominates the type of evidence involved in the crime, and electronic data plays an important role in the determination of fraud facts, the identification of criminal suspects, and the calculation of the amount of crime. Due to the lack of stability of electronic data and the extreme susceptibility to tampering or damage, the most prominent problem faced by case-handling personnel in judicial practice when reviewing and judging electronic data is the authenticity of evidence. The "Zhang Kaimin and 52 other telecommunications network fraud cases (Procuratorate Case No. 67)" (hereinafter referred to as "Procuratorial Case No. 67") proposed that "the authenticity of electronic data should be reviewed in a focused manner", and the authenticity of electronic data should be reviewed step by step and at different levels from three aspects: storage medium, electronic data ontology, and electronic data content, which is highly operable and has certain reference value for judicial case handling.
Dual carrier of electronic data
Compared with the traditional physical evidence in the Criminal Procedure Law, the forms of electronic data are diverse, essentially "coded data" represented in binary, cannot exist alone, cannot be directly perceived by people, and must be stored or recorded in computers, mobile phones and other devices, but electronic data cannot prove the facts of the case through storage media, but will express the evidentiary facts after the data stored in electronic form is transformed. Therefore, the "evidentiary facts" contained in electronic data are separated from their external manifestations, showing the characteristics of dual carriers. Its external carrier is mainly a storage medium carrying electronic data, and in telecommunications network fraud cases, it mainly includes computers, mobile phones and other equipment used by fraudulent criminal organizations in the process of committing criminal activities; The intrinsic carrier is to express the evidentiary facts of electronic data and enable electronic data to be perceived in various forms, including words, pictures, etc., such as the list of Records of Internet telephone calls used by fraudulent criminal organizations, the communication tools between criminals and between victims, or records of committing fraud.
Electronic Data Authenticity Review Path for Telecommunications Network Fraud Cases
When handling the case of "Procuratorate Case No. 67", the procuratorial organs paid attention to the problem of "double authenticity" of electronic data, and around the characteristics of the dual carrier of electronic data, they examined the external carrier, internal carrier and specific content of electronic data in steps and at different levels, ensuring the authenticity of electronic data extracted and restored from the equipment obtained from overseas, and laying a foundation for the determination of the facts of the case.
First, the authenticity of electronic data storage media is reviewed. The authenticity of electronic data storage media refers to the fact that the carriers and equipment storing electronic data maintain their originality, identity, and integrity throughout the entire criminal proceedings, and there are no problems such as being replaced or destroyed. The authenticity of electronic data storage media mainly includes two requirements: First, the authenticity of the source of electronic data carriers. The "Provisions on Several Issues Concerning the Collection, Extraction, Review and Judgment of Electronic Data in Handling Criminal Cases" and the "Rules for the Collection of Evidence for Electronic Data in Public Security Organs Handling Criminal Cases" both stipulate the rules for collecting evidence based on the principle of seizing the original medium of electronic data, so it should first be examined whether the electronic data transferred by the investigating organ includes the original storage medium, whether the collection of the storage medium complies with the relevant provisions, and through the review of the electronic data appraisal opinion or the information on the equipment involved in the case recorded in the inspection report, Compare it with the information recorded in the procedures for the seizure of the equipment involved in the case by the investigating authorities to determine that the electronic data extracted and recovered comes from the equipment used by the fraudulent criminal organization. The second is the authenticity of electronic data storage media throughout the criminal proceedings. In all aspects of criminal proceedings, evidence will circulate between multiple subjects, and it is necessary to review whether the original storage medium maintains identity in the transfer and circulation, and it is possible to verify whether the electronic data storage medium maintains the sameness and originality in various links such as storage, identification, and inspection by reviewing the legal procedures and lists of the seizure and transfer of computer hard disks, mobile phones and other carriers where electronic data is stored, and whether the relevant procedures include serial numbers and serial codes, which are different from other storage media. The storage medium of electronic data in "Procuratorate Case No. 67" is seized by foreign police in the den of fraud and crime, and the procuratorial organs have focused on reviewing the procedures such as the transfer list of foreign police and the inspection report of the investigation organs when extracting electronic data, verifying whether the information of the equipment involved in the above procedures is consistent, and comparing it with the physical object, ensuring the originality and identity of the electronic data storage medium.
Second, the authenticity of the electronic data ontology is reviewed. After verifying the authenticity of the storage media, the authenticity of the electronic data ontology needs to be further examined. In the same way as the method of reviewing the authenticity of electronic data storage media, the authenticity review of electronic data ontology is mainly in two aspects: one is the originality and identity of the source of electronic data, and the other is that electronic data has not been changed or deleted in all aspects of criminal proceedings. Verify whether the electronic data is extracted from the original storage medium by examining the source and collection process of the electronic data recorded in the electronic data inspection report or appraisal opinion, and whether the procedures and methods collected comply with laws and relevant technical specifications, such as if the original storage medium cannot be seized due to inconvenient sealing, etc., when the investigating organ adopts the method of "online extraction" to fix the electronic data, whether the electronic data collection process is synchronously recorded, and whether other means are used to ensure the authenticity of the electronic data, to ensure the originality and identity of electronic data sources. Ensure that electronic data remains homogeneous and complete throughout the criminal proceedings by reviewing the list of transferred electronic data and calculating the integrity check value.
Third, the authenticity of the content of electronic data is reviewed. The authenticity of the content of electronic data is the core issue of the authenticity of electronic data, and the main examination is whether the information contained in the electronic data and the facts of the case is true, and whether it can be corroborated with the information contained in other evidence in the case, so as to accurately prove the facts of the case. Verify whether the case information contained in the electronic data can be corroborated with other evidence in the case by reviewing whether the verbal evidence in the case can be corroborated with the electronic data, whether the electronic data can be corroborated with physical evidence, and whether the different electronic data can corroborate each other, so as to confirm the authenticity of the content of the electronic data. In handling telecommunications network fraud cases, the specific acts of fraud are mainly reflected in communication and liaison, and the criminal results of fraud are mainly reflected in the exchange of funds, thus forming two types of electronic data of communication and funds, respectively, and the determination of the facts of fraud crimes is mainly carried out around these two types of evidence. After the procuratorial organs confirmed the authenticity of the above-mentioned electronic data through the rules of corroboration and proof, on the basis of establishing the relationship between the victim and the fraud criminal group through the electronic data, the strict corroboration relationship between the electronic data of communications, the electronic data of funds, and other evidence such as the statements of the victims and the confessions of the criminal suspects was established, thus accurately determining the facts of the crime and the specific amount of fraud , also recognized by the court judgment.
With the continuous development of network technology and the intensification of the mainland's crackdown on telecommunications network fraud crimes, cross-border telecommunications network fraud crimes are increasing, and the current investigation organs mainly crack down on such crimes through entrusted investigations and joint investigations. Through judicial assistance and other ways to obtain overseas storage media, the requested country in accordance with the treaty and the requested matters in accordance with the domestic law to obtain the equipment involved in the case, need to go through the relevant approval and then transfer to the mainland, before the equipment is captured by the foreign party and handed over to the mainland, whether the electronic data stored in it has been added, deleted, modified, etc., directly affecting the authenticity of the electronic data, therefore, for the electronic data in it first need to be defaced without defacement identification, after confirming that the data has not been added, deleted, modified and other circumstances can be used as evidence. For the starting benchmark time for the non-fouling appraisal, "Inspection Case No. 67" has been clarified, that is, the time of the acquisition of the equipment, if the requested country does not record this time in the relevant description, it is necessary to issue a note from the mainland embassy or consulate in that country or the investigating organ to correct it.
(Author Affilications:The Second Branch of Beijing Municipal People's Procuratorate)
Source: Justice Network
![480 million involved! Multiple people installing loan apps are scammed[fig]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)