[Author’s note: The author of this article is a technician, not a lawyer. Although several jurists have been consulted to corroborate that no legal barbarity has been said, it is strongly recommended to consult with a trusted legal professional if necessary].
[Author’s note 2: I would like to thank the ideas and comments offered by the Forensic Computing Telegram group: https://t.me/forense, whose activity has fostered and promoted this article].
Let’s imagine that Mary is a forensic analyst who is working on a case of corporate espionage. While analyzing some compressed files with strange names, she discovers with horror that they are full of images of child pornography.
Imagine that Pete is a pentester whose objective is to take control of a mail server, having to submit as evidence a half dozen high-level emails. Once he has achieved his objective, he extracts several mails at random from the mail accounts, but verifies with indignation that they contain information about a civil servant being bribed for the granting of an important public contract.
Both Mary and Pete have signed a strict confidentiality agreement with the company in which they work, which clearly states that “all the information they have knowledge of during their working activity must be kept in the strictest secrecy.”
Given this situation, the following possible scenarios are proposed:
- A complaint is filed with the relevant FCSE. No legal action is taken against the technician who presents it.
- A complaint is filed before the FCSE. The technician faces possible dismissal and/or legal actions from the affected party.
- No complaint is filed, and the crime never comes to light, nobody knows that the technician was aware of it.
- No complaint is filed and in the future the offense will come to light. It is discovered that the technician had knowledge of it.
Let’s see what the current legislation says about it. [Note: the author intends to make a “digestible” summary of the applicable laws. It is recommended to read the complete articles of each law in order to have a complete vision of all possible cases].
- The Law of Criminal Procedure (LeCr) specifies in its articles 259 to 269 that all citizens have the obligation to communicate to the pertinent authorities any crime they witness or have knowledge of, under penalty of a fine.
- The Criminal Code specifies in article 450 that if we do not prevent the commission of a serious crime (or communicate it to the relevant authorities) we incur a crime of omission of our duty to prevent crimes or promote their prosecution, punishable by up to two years of imprisonment.
An important nuance: there are three types of crimes: private, semi-public and public. Private crimes are those that are only prosecuted if the affected party makes a complaint (e.g., slander and insults). The semi-public are those that require a complaint by the aggrieved party (e.g., a sexual abuse or a crime against privacy). And the public ones are … all those that are neither private nor semi-public. The LeCr only obliges us to report public crimes.
As law-abiding citizens as we should be, options c) and d) should not even be taken into consideration. It is clear that in scenario c), although the technician is committing a crime, there are no legal consequences (the ethical and moral implications are particular, and we are not going to get into them in this article). And we must not forget that there is always the possibility that the crime will be discovered and the investigation will lead to a case d)…
Case a) is perhaps the most satisfactory case for the technician: he fulfills his duty and there are no consequences. However, case b) is something that all technicians worry about: what happens if the complaint brings us a problem?
Let’s see what legal actions could be brought against us by both our company and the affected third party:
- The confidentiality agreement signed by the technician includes a clause stating that any serious breach of the agreement may result in a dismissal.
- The Law of the Workers’ Statute specifies in article 54 the conditions for a proper dismissal. The company could argue a (I quote literally) “breach of contractual good faith, as well as abuse of confidence in the performance of work” as a cause of dismissal.
- The third party sues the technician for a crime of slander as specified in Article 205 of the Criminal Code (slander = imputation of a crime done with full knowledge of its falsehood or reckless disregard for the truth), with penalties of a fine.
- The third party sues the technician for a crime of discovering and disclosing secrets as indicated in articles 197 to 200 of the Criminal Code (crimes against honor, in the case of a person), or articles 278 to 280 of the Criminal Code (crimes against industrial property, in the case of a company), with fines and imprisonment of up to 5 years.
Let’s take a closer look at each of these legal actions. First of all, it is feasible to include a clause in a confidentiality agreement that lists a number of grounds for appropriate dismissal. However, all the clauses of this agreement must comply with current legislation, otherwise they are declared null and void.
In our case, the obligation of the technician to comply with his obligation to report a crime will always weigh over what is specified in the confidentiality agreement. We can easily refer to Article 24 of the Spanish Constitution, which describes effective judicial protection in the exercise of our legitimate rights and duties. If you go to trial, the judge will almost certainly declare the dismissal as null, forcing the reinstatement of the technician or the corresponding compensation.
In the second case, the argument of the “transgression of contractual good faith, as well as the abuse of trust in the performance of work” constitutes a rather broad and generous interpretation of the Law (although there is a certain division of opinions among jurists consulted, watch out). If we look in detail, in all the Workers Statute the only concrete reference to the duty of secrecy or secrecy of the employee is given by Article 65, applied to the members of the Works Committee and only with the information that has been provided to them.
There are other references in the legislation (applicable for example to health professionals or signatories of the Official Secrets Act), but none that appear to apply to technical staff in the field of computer security. At any rate, whatever the interpretation of Article 54, we can go back to the reasoning in the first paragraph: any dismissal caused by our compliance with a law will be declared almost null and void.
Let’s continue with the third case, also quite simple. The very article 207 of the Criminal Code states that a person accused of a slander offense is acquitted of the same if he proves the alleged criminal act. What may be highly recommended in this case is to collect and document carefully all the facts that have been found, so as not to have problems in this regard. Even in this case, a slander complaint has little to do with the fact that a sufficient appearance of criminal activity is enough to justify the complaint.
We come to the last case, perhaps the most complex, what happens when a complaint is made for revealing secrets? At this point the first thing would be to determine if the evidence obtained by the technician is within the scope defined by the project (what is known in some areas as “work order”).
In other words, the technician encountered the crime while performing the tasks entrusted to him without exceeding the limits of his duties. This point is critical for several reasons.
If the technician is acting outside the scope of the assignment (for example, reading emails when he had to look for images in a forensic analysis), he may actually be committing a crime of revealing secrets. Article 264 of the Law on Criminal Procedure states that “in no case shall the plaintiff incur any liability other than that corresponding to the crimes he or she committed by means of the complaint, or on the occasion thereof”.
Additionally, if we pay attention to the doctrine of the poisoned tree, any evidence obtained illegally cannot be used in a legal proceedings. That is, the technician will have committed a crime … and what he has obtained cannot be used in a trial.
However, if the technician is acting within the scope of the work to be performed, and meets the evidence in a natural way (for this the report made by the technician describing the process followed will be fundamental), it is understood that he is doing his duty denouncing the crime, applying the effective judicial protection mentioned above.
The article has tried to comment on and extend some of the assumptions that a cybersecurity technician may face at some point during their work activity. The recommendations in this situation are clear:
- Document the entire process followed as carefully as possible.
- Collect all available evidence securely.
- Seek legal assistance as soon as possible.
The author is of the opinion that the law should specifically protect whistleblowers from this type of crime. The final decision on whether or not to report lies with the technicians themselves.