Organize | Yu Xuan
Exhibiting | CSDN(ID:CSDNnews)
In the wave of digitalization, the management of enterprises and employees is also developing in the direction of intelligence and cloudification. For office workers, the first day of employment is basically shuttled through the application and opening of various permissions.
Due to the different divisions of labor in various departments, each position will be equipped with the corresponding level of system permissions, and the system permissions of different employees are also different. For matters that do not fall within the scope of their job responsibilities, employees usually do not have the right to participate and know, which requires enterprises to strictly manage the system permissions of employees.
In February 2022, a criminal verdict published by the China Ruling Documents Network was related to this: Yi Mou, who worked at Huawei, had not cleared the relevant system permissions he had before after seven years of transfer. Not only that, he also used his permissions to view system data many times during this period, and even used the vulnerabilities found to bypass permission controls and repeatedly provided system data to third-party companies to make a profit.
So what is the specific case? The author flipped through the ruling on this case and took everyone to see the case together.
Send data to bidding customers multiple times through the company's mailbox
According to the ruling, Yi worked at Huawei Technologies Co., Ltd. (hereinafter referred to as Huawei) from December 2006 to March 2018. Due to the needs of work, Yi has the permission to log in to Huawei's ERP system and can view relevant data and information within the scope of work.
Image source: Screenshot from China Judgment Documents Network
Huawei prohibits employees from viewing and downloading electronic data information outside the scope of work in the ERP system.
In December 2010, after Yi was transferred from huawei's cable material control department, he did not clean up the inquiry authority of the erp account cable code material price according to Huawei's requirements, and by the end of 2017, Yi violated the regulations and repeatedly obtained the price information of cable materials in the ERP system by ultra vires inquiry and borrowing colleague account login.
After 2017, Yi found that there was a vulnerability in the POL procurement mini program in the ERP system, and he could bypass the permission control to view the system data through specific operations, so he obtained the price information of the cable material in this way.
According to the normal software use process, employees should have given upward feedback after finding system vulnerabilities, but Yi Mou moved his mind.
Yi informed Shenzhen Jinxinnuo High-tech Co., Ltd. (the supplier of Huawei Technologies Co., Ltd., hereinafter referred to as Jinxinnuo) by texting, calling, and emailing the illegally obtained price data, so as to help Jinxinnuo improve the winning rate of Huawei's bidding project.
After investigation, from December 27, 2016 to February 28, 2018, Yi repeatedly sent the purchase price of 1183 cable coded materials from multiple suppliers of Huawei (excluding 918 duplicate parts) to Jinxinnuo through the mailbox "[email protected]".
During the period from 2012 to June 30, 2017, Yi received a total of RMB7,000 shopping cards and 5 pairs of basketball shoes (valued at RMB16,437.6) from Jinxinnuo.
It was also ascertained that after the incident, Huawei issued a letter of understanding, indicating that it would forgive the defendant Yi Mou's behavior of infringing on Huawei.
Yi's conduct constitutes the crime of illegally obtaining computer information system data
With regard to Yi's conduct, the court of first instance held that he violated state regulations by invading computer information systems outside the fields of state affairs, national defense construction, and cutting-edge science and technology, or using other technical means to obtain data stored, processed, or transmitted in computer information systems, and the circumstances were serious, and his conduct constituted the crime of illegally obtaining computer information system data. The charges charged by the public prosecution were convicted. After Yi was returned to the case, he truthfully confessed, admitted guilt and accepted punishment in court, and obtained the forgiveness of the victim's unit, which was a first-time offender, and the original trial was given a lenient punishment.
In accordance with the provisions of the second paragraph of article 285, article 52, the first paragraph of article 53, the third paragraph of article 64, and the third paragraph of article 67 of the Criminal Law of the People's Republic of China, the judgment is:
1. Yi X commits the crime of illegally obtaining computer information system data and is sentenced to one year's imprisonment and fined RMB 20,000;
2. Continue to recover the total amount of illegal gains from Yi Mou of 23,437.6 yuan, confiscate them in accordance with law, and hand them over to the state treasury.
Dissatisfied with the first-instance judgment, Yi filed an appeal
For the first-instance judgment, Yi filed an appeal, requesting that the original judgment be revoked and that the judgment be changed to be exempt from criminal punishment in accordance with law.
The main reasons are:
1. Whether his conduct constitutes the crime of illegally obtaining a computer information system is controversial, and he shall be exempted from criminal punishment if he is suspected of having committed the crime. First of all, it has no subjective intent to commit a crime; secondly, what it obtains in violation of the law is only electronic information on the historical price of equipment and materials stored in the computer system, not the system data provided for in the law of this crime.
2. It did not use technical means to illegally invade Huawei's information system, its essence was to use work convenience, authority, and vulnerabilities in the company's Mini Program to obtain relevant information, and did not cause actual losses to Huawei.
3. They are first-time offenders or occasional offenders, the circumstances of the crime are relatively minor, and they have not caused a bad social impact or major losses.
4. Huawei issued a letter of understanding that it should be treated leniently according to law, but the original trial did not consider this important circumstance.
The opinion of his defender was:
1. The appellant's conduct in this case is actually more in line with the composition of the crime of infringement of trade secrets, but based on the fact that his conduct is minor, it is not enough to constitute the crime of infringing trade secrets, and the suspected crime has never been suspected, and it is more appropriate to be sentenced to exemption from criminal punishment.
2. The appellant did not use technical means to illegally invade Huawei's information system, and did not cause actual losses to Huawei.
3. The appellant is a first-time offender or an occasional offender, the circumstances of his conduct are relatively minor, and he has conducted a deep reflection on his wrongdoing.
4. Huawei's chaotic and extensive management system and the defects of the POL procurement mini program in the ERP system made the appellant make mistakes and bear certain responsibilities.
5. Huawei has issued a letter of understanding with the appellant.
Corporate forgiveness does not equal innocence
For Yi's appeal, the court of second instance made a final ruling.
On the question of whether Yi's conduct constituted the crime of illegally obtaining computer information system data, Yi himself believed that there was a dispute, and his defender believed that Yi's conduct was more in line with the composition of the crime of infringing trade secrets.
After investigation, according to the ninth batch of Guiding Cases published by the Supreme People's Procuratorate (Procuratorate Case No. 36 - Wei Menglong, Gong Xu, and Xue Dongdong Illegally Obtaining Computer Information System Data), "intrusion" in the crime of illegally obtaining computer information system data refers to the act of illegally entering a computer information system against the victim's will, and its manifestations include both the use of technical means to undermine system protection and enter the computer information system without the authorization of the victim. It also includes access to computer information systems beyond the scope of the victim's authorization.
After Yi was transferred from Huawei's Cable Material Control Department, according to the company's regulations, he no longer has the right to view relevant electronic data information in the ERP system, and he logs on to the system beyond the scope of authorization, and uses the loopholes in the POL procurement mini program in the system to obtain cable material price information, which is an act of intrusion into the computer information system. Yi's illegal acquisition of computer information system data, and the illegal gains exceed rmb 5,000 yuan, are serious circumstances and have constituted the crime of illegally obtaining computer information system data. The relevant opinions of himself and his defender were not established, and the court of second instance did not accept them.
The court of second instance held that Yi mou admitted guilt and accepted punishment at the first instance trial stage, and Huawei issued a letter of understanding, and the first-instance judgment had given him a lighter punishment, and his appeal request for another lighter punishment lacked factual and legal basis, and the court did not accept it.
In summary, the facts found in the original judgment were clear, the evidence was credible and sufficient, the conviction was accurate, the sentence was appropriate, and the trial procedures were lawful. In accordance with the provisions of subparagraph (1) of the first paragraph of article 236 of the Criminal Procedure Law of the People's Republic of China, the ruling is as follows:
The appeal was dismissed and the original judgment was upheld.
Crimes of taking advantage of one's position are not uncommon
The original intention of the company to give employees permissions is to facilitate the office, but many people use the convenience of their positions to "seek benefits" for themselves. In the past year, cases such as these have occurred from time to time:
- In February last year, a R&D engineer at Baidu took advantage of his position to exceed his authority and illegally passed the application of 735 media website accounts to join the "Baidu Alliance" by tampering with data and writing scripts, and accepted a total of more than 230,000 yuan from others, resulting in damage to the company's 3.74 million yuan advertising share. In the end, Chen was sentenced to one year and nine months in prison for the crime of damaging computer information systems, and all illegal gains were confiscated.
- In March, Former Apple employee Dhierendra Prasad was accused of taking advantage of his position to deceive several procurement programs, such as collecting kickbacks, stealing devices and laundering money, costing Apple more than $10 million. Under U.S. law, Dhirendra Prasad faces a maximum sentence of 20 years.
In these cases where the authority and position of the company are used to satisfy their own self-interest, the parties will not be able to avoid imprisonment in the end. This is also a wake-up call for the company and employees: enterprises should also strengthen supervision when giving employees authority, so as to avoid situations such as crossing the line and not taking back in time; employees should also self-discipline when they have relevant authority, and ruining their lives for the sake of immediate interests is really not worth the loss!
Reference Links:
- https://wenshu.court.gov.cn/website/wenshu/181107ANFZ0BXSK4/index.html
END
"New Programmer 001-004" is fully listed, talking to world-class masters and reporting on innovations and creations in China's IT industry
Achieve 100 million technical people