ON THE IMPROVEMENT OF THE STIPULATION OF THE CRIME OF REFUSING TO FULFILL THE OBLIGATION OF INFORMATION NETWORK SECURITY MANAGEMENT
Chong Zheng & Liu Yucheng
TABLE OF CONTENTS
I. INTRODUCTION
II. DISPUTES OVER THE CRIME OF REFUSING TO FULFILL THE INFORMATION NETWORK SECURITY MANAGEMENT OBLIGATION
A. Practical Issues
B. Academic Criticism on the Set of the Crime
III. ANALYSIS OF THE PRACTICAL ISSUES OF THE CRIME
A. Analysis of Necessity of Establishment of the Crime
B. Analysis of the Content of the Stipulation of the Crime
IV. APPROACHES OF THE IMPROVEMENT OF THE STIPULATION OF THE CRIME
A. Efforts Made by the Interpretation on the Application of Law in Criminal Cases of Illegal Use of Information Networks and Assisting Criminal Activities of Information Networks
B. The Suggestion of Modification of the Stipulation of the Crime
V. CONCLUSION
This paper focuses on the improvement of the stipulation of the crime of refusing to perform the obligation of information network security management. The topic is based on the practical issues of the crime, which has caused the disputes over the necessity of the establishment and rationality of the constitutive requirements of the crime. Through the analysis of reality, politics, norms and value, the reasons why many practical issues emerge are found in improper setting of content of the crime. The Interpretation on the Application of Law in Criminal Cases of Illegal Use of Information Network and Assisting Criminal Activities of Information Network cannot break the line to solve the essential problems existing in the crime. The only solution is to improve the content of the crime through modifying the law: to delete the order element, restricting the subjective aspect to negligence, and to amplify the scope of the harmful results.In the background of the new trend of cybercrime in China and the proposal of a holistic view of national security, the crime of refusing to fulfill the information network security management obligation was added in the Amendment IX to the Criminal Law of 2015. Article 286-1 of the Criminal Law provides that if the network service provider fails to fulfill the information network security management obligations stipulated by laws and administrative regulations, and refuses to correct after being ordered by the regulatory authorities to take corrective measures, he shall be sentenced to fixed-term imprisonment of not more than three years, criminal detention or public surveillance and shall also, or shall only, be fined: (i) causing a large amount of illegal information to spread; (ii) causing the leakage of user information and causing serious consequences; (iii) causing the loss of evidence in criminal cases, with serious circumstances; (iv) having caused other serious circumstances. Where a unit commits the crime mentioned in the preceding paragraph, it shall be fined, and the persons who are directly in charge and the other persons who are directly responsible for the crime shall be punished in accordance with the provisions of the preceding paragraph. If an act mentioned in the preceding two paragraphs constitutes another crime at the same time, the offender shall be convicted and punished in accordance with the provisions on heavier punishment. According to the stipulation, the network service provider who was once thought to be in the neutral position is now imposed the obligation of Criminal Law, and becomes the potential subject of independent crime, which aroused a discussion in the academic field. Compared with the discussion in the theoretical field, there are few applications of this crime in practice of justice. Is the establishment of this article futile for the protection of network security and national security? Is the legislation a bad example of the excessive expansion of penalty power, which leads to the imbalance of value between safety and freedom in the Criminal Law? Does the crime need further modification and improvement? How can we solve this issue? The purpose of this paper is to answer these questions.II. DISPUTES OVER THE CRIME OF REFUSING TO FULFILL THE INFORMATION NETWORK SECURITY MANAGEMENT OBLIGATIONUsing ‘the crime of refusing to fulfill the information network security management obligation’ and ‘the obligation of information network security management’ as the key words, we searched relevant papers on the official website of CNKI in the last four years which is the time the Amendment IX to the Criminal Law has gone into effect for. Hundreds of criminal law papers can be retrieved on the database, which shows the enthusiasm of the academic circles for the research of the crime. However, when we searched for the judgments and cases of the crime of refusing to fulfill the information network security management obligation on the official website of Chinese Judicial Documents and the online law database of Peking University, only one judgment can be retrieved, the First Instance Criminal Judgment of Hu Refusing to Fulfill the Obligation of Information Network Security Management. As a comparison, the number of judgments of the crime of illegal use of information network, the crime of assisting information network criminal activities and the crime of fabricating and disseminating false information which were added in the Amendment IX to the Criminal Law at the same time as the crime of refusing to fulfill the information network security management obligation, are 136, 64 and 29. Public data shows that, from the time of the implementation of Amendment IX to the Criminal Law to September 2019, the people’s courts all over the country have tried 159 criminal cases involving illegal use of information network, and 98 criminal cases involving assistance to information network criminal activities. But there is no mention of the crime of refusing to fulfill the obligation of information network security management in that report. It can be seen that, compared with the discussion in the academic circle and the practical application of other new network crimes added in the Criminal Law, the crime of refusing to fulfill the obligation of information network security management has been ignored in judicial practice. The crime of refusing to fulfill the obligation of information network security management, which was entrusted with the task of ‘preserving the security of information network and improving the legal stipulation of punishing of cybercrimes’, is rarely applied in practice, and therefore its value and role in protecting information network security are widely questioned.B. Academic Criticism on the Set of the CrimeThe set of the crime of refusing to fulfill the obligation of information network security management has been criticized in the field of theory.1. Doubts on the Necessity of Establishment of the Crime. — Since the beginning of the establishment of the crime of refusing to fulfill the obligation of information network security management, the criticisms on its necessity have never stopped. Some scholar argues that the new crimes added in the Amendment IX to Criminal Law which include the crime of refusing to fulfill the obligation of information network security management are typical emotional criminal legislations, and its legislative driving motivation is ‘public opinion that easily leads to irrational results’. The establishment of the crime is believed to be based on the public’s indignation that Internet service providers were immune from punishment in cases of cybercrime in recent years. This kind of emotional public opinion has complex causes of formation, with the characteristics of random and susceptibleness, which cannot be used as the legislative basis of the strict Criminal Law. The criminal legislation pushed by the temporary emotional public opinion would cause excessive expansion of the penalty power and violate the principle of modesty of the Criminal Law. The corresponding laws would also be ignored after appeasing the people’s indignation. Some scholar also believes that the crime of refusing to fulfill the obligation of information network security management is symbolic legislation. ‘This kind of legislation does not pursue the actual effect of penalty, but more to express some attitude and emotion, attitude and stand of legislators’. Symbolic legislation is rarely applied in practice, and cannot really solve the social problems such as protecting legal interests, since its significance of appeasement is far greater than practical significance. The predicament of the crime of refusing to fulfill the obligation of information network security management in practice mentioned above seems to verify these claims.Although some scholars said that symbolic legislation also has independent significance. ‘Criminal legislation represents the values of the country, which is the due meaning of legislative activities. In order to pacify the public’s uneasiness, symbolic legislation is not always improper’. However, the crime of refusing to fulfill the obligation of information network security management is set up in the context of increasing cybercrime and terrorism crime, its establishment has utilitarian purpose. Legislators hope that it can play the effective role in fighting and preventing the current new-type crime, and effectively protecting citizens’ network rights and interests and national network security. If it ultimately falls on symbolic legislation, it can only show that the establishment of this crime is unnecessary and failed.2. Doubts on Balance of Values. — From the perspective of value balance, there are some voices pointing out that the value imbalance between security and freedom in criminal legislation lies behind the establishment of the crime of refusing to fulfill the obligation of information network security management. In the process of legislation of cybercrime and terrorism crime in those years, security is always the highest guiding value. In a series of new crimes, the Criminal Law increases the obligation of the neutral service provider, advances the time when the network illegal act can constitute the crime, and establishes accessory as independent subject of some crimes, all of which are criminal preventive responses to the risk of network security. In this process, the power of penalty continues to expand, and the function of human rights protection of Criminal Law continues to be compressed. While the Criminal Law sacrifices its function of protecting freedom in some extent, its function of protecting security does not necessarily become more effective. When facing new things, the government always expects to control and manage them well. Under the idea of omnipotence of Criminal Law, the Criminal Law is imposed on too many expectations, that is, to curb the deviant behavior in new things with the severe penalty power. ‘However, the rapid development of the Internet and rapid renewal of technology are remarkable characteristics of the new age, and the speed of government legislation and regulation can never catch up with the pace of technological progress.’ Risks are infinite, and it is hard to judge whether they can be eliminated or not, and whether the elimination can be realized through penalty.3. Doubts on Jurisprudential Basis. — There are different opinions on the jurisprudential basis of the establishment of the crime. Some scholars believe that the theoretical basis for the establishment of the crime is the theory of supervisory negligence. The reason why the neutral network service provider can be punished for failing to fulfill the security management obligation is that the network service provider, as the supervisor, does not fully perform the supervision obligation, which caused that the behavior of users under its supervision or control directly leads to the occurrence of harmful results, so it should bear criminal responsibility. Some scholars hold the view that this crime is essentially the same as the crime of assisting information network criminal activities in terms of behavior, and they are provided as different ways of technical support and help for criminal activities. The behavior mode of the crime of refusing to fulfill the information network security management obligation is negative omission, while the mode of the crime of assisting information network criminal activities is positive action. Some scholars hold the theory of platform responsibility, and think that the crime of refusing to fulfill the obligation of information network security management is the first legislative example of platform responsibility which makes the crime different from the crime of assisting information network criminal activities in which the accomplice is provided as the principal offender. The network service providers are the main subjects specialized in Internet services, and gathers a large number of network users in the network services provided. Their services are part of public service. As the founder and manager of the Internet platform, the network service provider has an important impact on the security and order of the network space within its management scope. One-to-many is the characteristics of the assistance behavior of the network service provider. Therefore, it is the assistance to users’ criminal activities that should be distinguished from the general assistance to crime. Some scholars think that the establishment of this crime uses the legislative technology of providing accessary as principal offender. The network service provider is not the executor of the improper dissemination of network information, but it provides assistance by failing to fulfill the obligation of network security management. This indirect behavior of assistance is provided as principal offender of independent crime for the consideration of security.Different basis has its influence on the rationality and necessity of the establishment of the crime. Based on the theory of supervisory negligence, we can explain the punishment of the neutral network service provider. However, the theory of supervisory negligence is only applicable to negligent crime, and the theory of supervisory negligence cannot be used to interpret the intentional crime which many scholars believe the crime of refusing to fulfill the information network security management obligation is. There is contradiction in the theory of accessory of omission. According to the provisions of the Criminal Law, omission cannot be excluded from the constitution of the crime of assisting information network criminal activities. There is no proper reason to restrict the behavior of assisting information network criminal activities to conduct. So if the crime of refusing to fulfill the obligation of information network security management is interpreted as the accessory of omission to information network criminal activities, this crime cannot be distinguished from the crime of helping information network crime, which makes the stipulation of the two crimes overlap each other. That would lead to doubts on the necessity of independent establishment of the crime of refusing to fulfill the information network security management obligation. The theory of platform responsibility does not go beyond the traditional theory of accessory. One-to-many type is more common among network service providers, but it does not mean that it does not exist in other criminal activities. This feature is not enough to make the so-called platform responsibility become an independent form of responsibility. In essence, the theory of platform responsibility regards the behavior of failing to fulfill the obligation of information network security as intentional assistance, which still leads to the indistinguishability between this crime and the crime of assisting information network criminal activities.4. Doubts on Rationality of Content of the Crime. — The setting of the constitutive elements of the crime of refusing to fulfill the obligation of information network security management has also been questioned. For example, the scope of the subject of the crime and the standard of constitute the crime are vague; there are disputes over whether the warning order elements should exist; the subjective requirement of the crime is not clear. How these issues would affect the application of this crime will be detailed in this paper later.
III. REASON ANALYSIS OF THE NOMINAL STATE OF THE CRIME
Based on the questions mentioned earlier, it is necessary to make a concrete analysis: is the establishment of this crime lack of necessity, or is the content setting unreasonable?A. Analysis of Necessity of Establishment of the Crime1. Severe Danger in Reality. — According to the Overview of China’s Internet Network Security Situation of 2018 released by National Internet Emergency Center, cloud platforms have become a major area for network attacks; the tendency of targeted attacks on industrial control system are obvious; false and counterfeit mobile applications have increased and become a new channel for network fraud, for example, a large number of false loans apps have no real loan business and are only used to swindle users’ privacy information and money; several data security issues have attracted unprecedented attention. In 2018, there were more than one billion express companies’ user information, 240 million chain hotels’ check-in information, and 9 million user information of some famous websites have been leaked in several severe leakage events. These data leakage events involved a large number of personal privacy information, such as name, address, bank card number, ID card number, phone number, family members, etc., which bring security risks to the personal safety and property safety of Chinese Internet users. It can be seen that in the process of preventing cybercrimes, cloud platform service providers, service providers of networked industrial equipment, systems or platform, online application stores, and various network service providers storing and collecting user information all need to play their role. If they do not actively fulfill their own information network security management obligations, it is likely to lead to network security accident. The occurrence of the accidents caused great losses to the country and its citizens.We also looked up the last four years’ judgments of the crime of assisting information network crimes on the law database of Peking University, and found that some cases included the behavior mode that the network service provider fails to fulfill the obligation of information network security management, resulting in the occurrence of harmful results, but finally were convicted of the crime of assisting information network criminal activities.For example, the defendant Ji is the actual person in charge of Fujian Baoying Information Technology Co., Ltd. (hereinafter referred to as Baoying company), and the defendant Chen is the finance staff of Baoying company. During the operation of the company, the defendant Ji used the corporate account of the company in Xiamen Branch of China Merchants Bank and Chen’s personal account in China Merchants Bank to provide the registered customers with collection and withdrawal services. At the same time, according to the different speed of withdrawal to the account, the channel fees of about 1 percent and 3 percent of the withdrawal funds, as well as the manual payment fee of 20 yuan per transaction, are charged to the customers respectively. During this period, a person surnamed Ou who provides the company with the website of Shenmou investment and financial management network and personal account number of China Construction Bank. That made Ou became the registered customer of the company’s operation website, Yihai payment network, but the company did not check the situation of the website provided by Ou. From February to March 2016, Jiang, Wang and Xiao, the victims, respectively conducted investment and financial management in Jinhua City of Zhejiang Province and Chengdu City of Sichuan Province through Shenmou investment and financial management website. The payment link provided by Shenmou investment and financing management network to the three victims corresponds to the corporate account of Baoying company in Xiamen Branch of China Merchants Bank. During the investment and financing period, the victim transferred 301,857 yuan to the payment link on Shenmou investment and financing management network, including 132,767 yuan from Jiang, 124,962 yuan from Wang and 44,128 yuan from Xiao. After receiving the ordinary or urgent cash withdrawal request from the registered customer Ou, Baoying company transferred the money invested by the three victims to the account of Construction Bank of Ou through Chen’s China Merchants Bank card. It is found that the information of the holders of Shenmou investment and financial management network and the website domain name is false. The victim’s total investment is 301,857 yuan.In this case, Ji, the person in charge of Baoying Information Technology Co., Ltd. failed to conduct basic audit on the registered customers, which eventually led to the victim’s property being defrauded by one of its customers. Defendant Ji did not show the intention to assist the criminal’s illegal activities, but the negligence to fulfilling the obligation of security management. According to the principle of consistency of subjective and objective aspects, this case was more in line with failing to fulfill obligations, rather than a kind of intentional assistance to the crime from the beginning to the end. However, due to the lack of a prior warning order from the regulatory authorities, this case cannot be convicted of the crime of refusing to fulfill the obligation of information network security management and was finally convicted of the crime of assisting information network criminal activities.This case indicates that there may be some situations in the judicial practice. The network service provider fails to fulfill the obligations of information network security management and is not found by the regulatory authorities, which eventually leads to the occurrence of harmful consequences. However, because the constitution of the crime of refusing to fulfill the obligation of information network security management is based on the premise of order elements, the above-mentioned situation cannot be convicted of this crime. The courts are not willing to indulge service provider’s dereliction of duty, so they are likely to be convicted of other crimes.Since there are serious real threats and potential criminal acts, it is possible to break through the boundaries and infringe upon the legal interests of citizens and the state. The establishment of the crime of refusing to fulfill the obligation of information security management cannot be regarded as symbolic legislation or emotional legislation. There is great necessity to establish the crime.2. Value of Security. — Security and freedom are a pair of values that the Criminal Law needs to coordinate. The legislation that pursues security tends to modify the traditional norms of conduct to strengthen the penalty power, expand the crime circle, and focus on the risk prevention. This tendency is very obvious in the legislation of terrorism crime and cybercrime in the country. For example, in the crime of preparation of terrorism activities, the act used to constitute preparatory crime is established as perpetrating act of independent crime; in the crime of assisting network crime activities, the act used to constitute accessory is established as principal. Some scholars call for the return of Criminal Law to the traditional protection of freedom. They think that the security-tendency legislation violates the principle of actual harm, the principle of modesty, and the principle of protection of legal interests, which is the damage to the basic functions of Criminal Law. However, how to coordinate security and freedom should be based on the background of the society. At present, China is in the great change that has not happened in a hundred years. In order to develop, security must be ensured first. China’s national security faces many challenges, including overseas threats such as color revolution, espionage, and various kinds of illegal and criminal activities. These threats are real and urgent, and they can penetrate into all aspects of our people’s daily life through the network. Then the network can dramatically enlarge the impact of various dangers, causing huge losses in the real world. In 2013, the official twitter account of Associated Press was stolen by the Syrian electronic army which released false information of a serious disaster. This event resulted in significant fluctuations in the US stock market and serious losses. From this example, it can be seen that the network has amplification effect. By means of network, terrorists can enlarge the harm of their activities to the extreme, and cause double disasters in the cyberspace and the real world. Considering this situation, if freedom is valued more than security, the bottom line of national security is likely to be broken, and national rights and interests will be damaged. If security is focused more than freedom, and the bottom line of national security is maintained. Then national rights and interests will be enhanced. What is more, safety is the most important thing at risk in society, which does not mean that we should completely abandon the bottom line of traditional Criminal Law. Some scholars have proposed that the risk of violation of freedom and human rights brought by a Criminal Law that concerns the prevention of social risk and intervention in advance can be eliminated through the innovation of dual criminal model and limiting the interpretation of collective legal interest.It should be noted that under the value of security, it is reasonable and legitimate for the Criminal Law to impose appropriate supervision obligations on network service providers. Rights are accompanied by obligations, which is the basic principle of law. While providing network services, network service providers have gained profits and developed related technologies. They have the obligation to fulfill the corresponding obligations within their ability. In order to maintain national security, network service providers should fulfill their obligations of network security management. It does not mean the law imposes the major obligation that should be fulfilled by the government on the network service provider, and its obligation is only the cooperative obligation.In the field of information network and finance, the key to balance the protection of freedom is to judge whether it will improve the innovation. Because the development of the field depends on innovation, and the Criminal Law must find a balance between crime prevention and innovation encouragement. If the law focuses on security too much, it may suppress the innovation enthusiasm of the subjects in those fields, and then affect the development. However, in the crime of refusing to fulfill the information network security management obligation, the emphasis on security will not suppress innovation, but encourage innovation. Because the security management obligations imposed on network service providers will force them to actively improve the level of supervision technology and supervision management, which are also innovative direction. The establishment of the crime of refusing to fulfill the obligation of information network security management also created the mode of cooperative governance in the field of fighting cybercrime. This is consistent with General Secretary Xi Jinping’s idea of network security governance. General Secretary Xi Jinping pointed out that sharing both profits and responsibilities is the proper meaning of the community of shared future for human. It also makes sense in a community of shared future for cyberspace. With the development of Internet, social governance mode is changing from one-way management to two-way interaction, from offline to the integration of online and offline, and from government supervision to social coordination. The cooperative governance in the field of cybercrime is exactly a kind of social coordination governance. The establishment of crime of refusing to fulfill the obligation of information network security management imposes criminal responsibility on the network service providers, forcing the Internet enterprises to implement compliance management and realize the cooperative governance between the state and enterprises.3. Jurisprudential Basis: Theory of Supervisory Negligence. — As mentioned earlier, the ideas of jurisprudential basis of the establishment of the crime of refusing to fulfill the information network security management obligation mainly includes the theory of supervisory negligence, the theory of accessory of omission, the theory of platform responsibility and the idea of providing accessory as principal offender. The deficiency of each point of view has been pointed out above. This paper holds that the theory of supervisory negligence is the appropriate legal basis for the crime, for two reasons:First, the background of the establishment of the crime is the same as that of the theory of supervisory negligence which is created to solve such problems. Since the second half of the 20th Century, the rapid development of industry in Japan has brought huge benefits. At the same time, public accidents such as factories, mines, civil engineering, medicine, environment accidents and so on have occurred frequently. Unfair situation often occurred in the handling of such accidents: the direct operators were punished for their own negligence, while the persons who were in the position of leadership and supervision were not punished because they were far away from the scene of the accident and had not directly implemented the behavior. In fact, the negligent conducts of direct operators were often closely related to the neglect of supervision and poor management of the leaders and supervisors. Those situations were also not conducive to the prevention of accidents without punishing the leaders and supervisors. In order to correct this kind of situations, not only the direct practitioners in the public accidents, but also the corresponding supervisors or leaders are investigated and punished in the criminal cases of public accident. This tendency is concluded as the theory of supervisory negligence by Japanese scholars. At present, the rapid development of information network industry makes China become the world’s network giants and bring a lot of benefit for people. Behind the prosperity of information network, network security accidents happen frequently. Network service provider is the creator and manager of network service, whose management and supervision have a great impact on network security. Network security accidents are often not caused directly by network service providers, but by the illegal conduct of people who use their services. For example, users may spread illegal information on the platform. However, the dissemination of such illegal information is also the result of poor supervision by network service providers. Only punishing the direct executor of the accidents is not enough for preventing the accidents from happening again. It is necessary to use the theory of supervisory negligence to involve the omission of information network service providers in the scope of penalty, and force them to earnestly perform their security management obligations.Second, taking the theory of supervisory negligence as the legal basis of the crime of refusing to fulfill the obligation of information network security management, we can effectively distinguish the crime of refusing to fulfill the obligation of information network security management from the crime of assisting information network criminal activities, so the crime of refusing to fulfill the obligation of information network security management has independent significance of existence. If considering theories mentioned above such as the accessory of omission as the basis of this crime, the stipulations of this crime and the crime of assisting information network criminal activities would overlap each other, and the constitutive elements of this crime are completely contained in the scope of the constitution of the crime of assisting information network criminal activities, which means there is no necessity to establish the crime of refusing to fulfill the information network security management obligation independently. If the theory of supervisory negligence is the basis behind the establishment of this crime, the difference between this crime and the crime of helping information network crime is very clear, that is, this crime is a negligent crime, and the crime of assisting information network crime is an intentional crime. In the crime of refusing to fulfill the obligation of information network security management, the network service provider is opposed to the harmful result, while in the crime of helping information network criminal activity, the criminal subject knowingly provides the help for other people who use information network to commit a crime, and is tolerant of harmful results caused by the crime.B. Analysis of the Content of the Stipulation of the Crime1. The Content of Constitutive Elements of the Crime Is Not Proper. — As mentioned earlier, the establishment of the crime of refusing to fulfill the obligation of information network security management is necessary. It matches the value requirements of security under risk society, and is in line with the holistic view of national security.Therefore, the issue of refusing to fulfill the obligation of information network security management is not due to the unnecessary legislation, but to the improper setup of the constitutive elements of the crime by the legislators, which makes the crime fail to play its due role. Improper constitution weakens the function of security protection, and leads to a large number of acts that should be involved in the crime escaping being punished by the Criminal Law, or being punished by other unmatched charges. The specific analysis is as follows:First, the standards of conviction and sentence stipulated for the crime is too vague for judiciaries to apply. Specifically speaking, the exact scope of network service provider, the subject of the crime, is not clear. As a reference, paragraph 3 of article 76 in the Cybersecurity Law of the People’s Republic of China provides: ‘network operator refers to the owner, manager and network service provider of the network’. The specific scope of network service provider is not mentioned. In terms of warning order element, the specific way and the standard of time limit of warning order are not clear. In the constitutive results element, the scope of illegal information, the standard of mass dissemination, the scope of leaked user information, the standard of serious consequences, and the standard of serious loss of criminal evidence are all not clear. So it is difficult for judiciaries to make decisions. However, the Interpretation on the Application of Law in Criminal Cases of Illegal Use of Information Networks and Assisting Criminal Activities of Information Networks (hereinafter referred to as the Interpretation) implemented on November 1, 2019 has solved this problem, which will be discussed in detail later.Second, the warning order element weakens the function of security protection of this crime. The warning order element in this crime leads to the failure of convicting some dereliction of duty causing serious consequences. For example, the regulator authority failed to discover the omission of the network service provider to the network security management obligation in time, and then serious consequences happened. According to the Criminal Law, it is hard to convict the network service provider of the crime of refusing to fulfill the obligation of information network security management, or if the people’s court did not want to indulge the negligence of network service provider, it can only be convicted of the crime of assisting information network criminal activities even though the service provider may not know its users’ illegal activities and intent to assist them. That would be a violation of the principle, that no penalty without a law. In addition, statutory sanctions of the two crimes are different. The statutory sanctions of the crime of refusing to fulfill the obligation of information network security management is a little lighter than that of the crime of assisting network criminal activities. As mentioned earlier, because of the warning order element, the service provider who refused to correct its dereliction of duty after receiving a warning order from the regulator, which indicated more subjective viciousness because the service provider knew its negligence may cause harmful consequences, would be convicted of the crime of lighter statutory sanctions than the service provider who did not receive any warning order beforehand. That is totally unfair.The warning order element also brings about a contradiction: the stipulation imposes a higher supervision obligation on the supervision department than the network service provider, which leads to over protection of the network service provider, so that it can wait for work with ease, and lacks the motivation to actively improve the security management level. Only when the supervision departments find out the omission of the network service provider in advance, and then put forward an order for rectification, can the crime have the possibility to be constituted. One of the keys to the constitution of this crime is whether the supervision departments find the omission of network service providers in time. The emphasis of the condemnation of this crime seems to be that the network server violates the administrative order, rather than the network security accident caused by the omission of the network server, which puts the cart before the horse and departs from the original intention of the establishment of this crime. The level of supervision and the strength of law enforcement of the supervision departments have become the premise of the crime. For the same omission of network security management, only when the supervision department has a high level of supervision and strong enforcement, and can timely put forward the order for rectification, can the network service provider have the premise of establishing this crime. If the supervision department has a low level of supervision and weak enforcement, and cannot find the omission of the network service provider in time, the supervision omission of the network service provider will be difficult to be accused as a crime. It can be seen that the constitution of this crime depends on the supervision ability of the supervision department. Compared with the network service provider, the supervision department is far away from the front line of network security management, unable to grasp relevant information in time like the network service provider, and even the supervision technology may not be as good as some network service providers. It is not fair that more advanced and higher supervision obligations are imposed on the supervision department.This stipulation setting has already exceeded the principle of twice illegality of administrative crime. The network service provider not only violates both administrative regulations and the Criminal Law, but also refuses to fulfill the administrative orders. This over protection of network service providers is confusing. If this protection is to protect the innovation freedom of network service providers and promote technological innovation, then this protection is reasonable. However, the results may be opposite. As for the network service provider, the administrative order does not have enough deterrent power. The network service provider can passively wait for the regulatory department to find out the problem, and to ask for rectification to it, and then carry out the rectification, without the fear of being directly punished by the Criminal Law. This is not conducive to the progress and innovation of network service providers in terms of supervision.As a comparison, in the constitutive elements of the crime of negligently causing serious accidents and the crime of major labor security accident provided in the Criminal Law, people in charge disobey relevant regulation of security management, causing serious accidents. Essentially, they share similar constitutive construction, that the management does not fulfill the obligation of security management, and cause harmful consequence. However, the constitutive elements of those crimes do not contain the premise of receiving a warning order from regulators. From the perspective of the legislator, maybe it is because in the construction project and activities, the manager or the person in charge has a higher degree of control over the project, and the project accidents are often caused directly by the manager’s violation of regulations, where lies stronger direct causality and more serious consequences. So they are imposed stricter obligation of attention. However, as mentioned earlier, the network can enlarge the consequences of criminal hazards and cause double hazards in cyberspace and real world, and the influence may be more far-reaching than construction accidents. The network service provider’s degree of control over the harmful consequence caused by users should be judged specifically in practice. It is unreasonable to reduce the criminal liability of network service provider generally by adding the premise of receiving a warning order. Moreover, the Criminal Law has set lighter statutory sanctions for the crime of refusing to fulfill the obligation of information network security management than the crime of negligently causing serious accident and the crime of major labor security accident. It is improper to limit the network service provider’s obligation of care through warning order elements. In a word, the warning order element is unnecessary.Third, the subjective aspect of the crime is not clear. The special warning order elements of this crime make the subjective aspect ambiguous. Only when the network service provider is ordered by the regulatory authorities to take corrective measures and refuses to correct, resulting in the corresponding harmful consequences, can it constitute crime. The word ‘refuse’ makes many scholars think that the subjective aspect of this crime is intention. Some scholars think that the subjective aspect of this crime is a compound of negligence and intention, because in terms of cognitive factors, network service providers know that the failure to fulfill their obligations may cause harmful consequences, and in terms of willpower factors, network service providers may indulge harmful consequences, or recklessly believe harmful consequence can hardly happen. Some scholars think that the subjective aspect of this crime is only negligence. In practice, those confusions must cause difficulties in judgement.If the subjective aspect of the crime includes intention, it will bring about contradictions. First of all, the cognitive object of intention and negligence is harmful result. Even if the stipulation crime contains the word ‘refuse’, it can only be explained as that the network service provider has the intention to fail to fulfill the obligation of information network security management, not that the network service provider has the intention to cause the harmful results. The latter is the intention in the sense of Criminal Law. So the word ‘refuse’ cannot naturally lead to the conclusion that the subjective aspect of the crime of refusing to fulfill the information network security management obligation is intention. Secondly, if the crime is considered to be intentional crime, the network service provider in this crime knows that others are engaged in criminal activities, and still provides technical support and other help for others in the way of failing to perform the security management obligation, which makes this crime and the crime of helping information network criminal activities overlap each other. There would be no necessity for the crime of refusing to fulfill the information network security management obligation to exist as an independent stipulation. Some scholars have proposed that the crime of assisting information network criminal activities is the crime of conduct, while the crime of refusing to fulfill the obligation of information network security management is the crime of omission. However, there is no basis to exclude omission from the crime of assisting information network criminal activities.Fourth, the scope of the result elements is too narrow. The result elements of this crime provided by the Criminal Law are limited to several situations, that causing a large amount of illegal information to be disseminated, causing the leakage of user information with harmful consequences and causing severe loss of evidence in criminal cases. Those statutory results are all around the protection and regulation of special information data dissemination. Using system interpretation, the fourth statutory harmful result, other serious circumstances, can only be interpreted as the same type of behavior as the first three situations, which makes the scope of regulation of this crime very narrow and inconsistent with the purpose and function of the establishment of the crime. In the specific provisions of Criminal Law, only this crime regulates the network service provider’s breach of network security management obligations, and there is no other charge to supplement it. The narrow scope of harmful results is not conducive to the realization of regulation of network service provider’s dereliction of duty of security management. As one of the legal sources of security management obligation in this crime, the Cybersecurity Law provides that: ‘in order to build, operate or provide services through the network, technical measures and other necessary measures shall be taken in accordance with the provisions of laws, administrative regulations and the mandatory requirements of national standards to ensure the safe and stable operation of the network, effectively respond to network security incidents and prevent network violation criminal activities, to maintain the integrity, confidentiality and availability of network data.’ It can be seen that the security management obligations of network service providers should not be limited to the dissemination and management of information and data. No matter from which point of view, the security management responsibility of the network service provider in this crime should cover all behaviors endangering the network security within its ability and management scope.2. Confusion of Legal Interests behind the Stipulation of the Crime. — There are many irrationalities in the constitutive elements of the crime of refusing to fulfill the obligation of information network security management, which reflects some deep conflicts behind the setting of this crime.First, the legal interest of this crime is not clear. Based on the semantic interpretation, the purpose of the establishment of the crime is to protect the legal interest of network security. The legal interest of network security is a large collective concept, including the network security of the country and the network rights and interests of citizens. It can be divided into the network sovereignty, political stability, economic and cultural security of the country and the privacy, property and reputation of citizens. The network service provider has the obligation to supervise and manage the user’s behaviors that may harm the legal interests of network security in the services provided, which corresponds to the increasing ability and benefit earned by the network service provider. The legal interest of network security should not be limited to several situations. However, result elements in this crime are all around information disclosure, dissemination and loss, which is very narrow and limited. It is no wonder that some scholars attribute the legal interest of this crime to the exclusive right to specific information involved with public value, and interpret network security management stipulated in this crime as the governance of information dissemination. Relevant provisions of the Cybersecurity Law, one of the legal sources of security management obligations of network service providers, shows a large scope of the service provider’s security management obligations. Article 6 of the Interpretation provides extensive scope of constitutive elements of harmful consequence of the crime. It is not limited to the dissemination of information, but includes ‘causing information network services to be mainly used for illegal crimes’, ‘causing information network services and network facilities to be used to carry out network attacks, seriously affecting production and life’, ‘causing information network services to be used to carry out national security crime, terrorist activity crime, underworld organization crime, corruption and bribery crime or other major crimes’, ‘causing damage to the state organs or the information network providing public services in the fields of communication, energy, transportation, water conservancy, finance, education, medical treatment, etc., seriously affecting production and life’, etc. Those harmful consequences provided by the Interpretation indicate that the official orientation of the legal interests of this crime is a broader network security interests. Therefore, the network service provider not only has the security management obligation for the behavior of infringing the exclusive right to specific information, but also has the management obligation for other illegal and criminal behaviors such as disturbing the stable operation of the network, the integrity of network data, and the availability of confidentiality and so on. For example, when the network gangs planned the secret crimes on a certain network communication platform, they neither caused a large amount of illegal information to spread, nor caused the information leakage of users, nor caused the loss of criminal evidence (but left criminal evidence), nor violated exclusive rights to specific information. The network service providers still had the obligation to involve and report to the authorities.Second, this crime is very contradictory between security and freedom. On the one hand, the background of the establishment of this crime is the external risk and internal troubles of the network security faced by our country in the risk society. The political background is the proposal of a holistic view of national security. The realistic background is the rampancy of the network crime and the increasing income and ability of the network service provider. The legal background is the enhancement of the risk prevention and security function of the Criminal Law. The major purpose of this crime is to enhance the security management obligation of the network service providers, pushing them to cooperate with the government departments to prevent and fight against cybercrimes, among which security is the highest value. However, this crime sets the order element as the premise, resulting in some supervisory negligent behaviors that harmful result may not be punished as crimes; it also sets limited situations that violate the information right as the result element, so that the behaviors that endanger other rights and interests of citizens and national security are excluded from the scope of this crime. These settings seem to keep some freedom. However, they conflict with the original purpose of the establishment of this crime and show contradictions in the choice of value. IV. APPROACHES OF THE IMPROVEMENT OF THE STIPULATION OF THE CRIMEA. Efforts Made by the Interpretation on the Application of Law in Criminal Cases of Illegal Use of Information Networks and Assisting Criminal Activities of Information NetworksFor the standard of conviction and sentencing of the crime is lack of practicality, the Interpretation, which came into effect on November 1, 2019, has provided more detailed provisions.First of all, the Interpretation specifically provides the scope of network service provider in this crime, that is, the individual and unit providing the following services: information network access, computing, storage and transmission services such as network access, domain name registration and resolution and so on; information network application services such as information publishing, search engine, instant messaging, network payment, network reservation, online shopping, online games, online live broadcast, website construction and security protection, advertisement promotion, application store and so on; public services provided by the information network such as e-government, communication, energy, transportation, water conservancy, finance, education, and medical treatment.Second, the Interpretation provides the way of the warning order, that in accordance with the provisions of laws and administrative regulations, the departments responsible for the supervision of information and network security, such as public security bureau, order the network service provider to take corrective measures in the form of notice of order for rectification or other documents, taking into consideration whether the time limit is clear and reasonable, and whether the network service provider has the ability of rectification.At last, the standards of conviction are provided in the Interpretation. The specific quantity standards of the three statutory harmful results of the crime are provided, and the ‘other serious situations’ are also specified.To a large extent, the Interpretation solves the problem of vague standard of conviction and sentencing for the crime of refusing to fulfill the obligation of information network security management, which makes the practicability rise in a straight line. However, problems of the constitutive requirement of the crime still exist, and the Interpretation is not statutory law. It cannot break the limited scope of this crime provided by the Criminal Law, which means the practical issues of the crime probably would still exist. In order to fix problems in the constitutive requirement of the crime and eliminate the practical issues, some modifications must be carried out in the law.B. The Suggestion of Modification of the Stipulation of the CrimeIn order to solve the problem, some modifications must be carried out in the Criminal Law. The proposed legislative modifications are as follows:First, the order element should be deleted. According to the analysis above, the order element is one of the important reasons for refusing to fulfill the obligation of information network security management. Because of the existence of the order elements, some network service providers’ dereliction of obligation which caused harmful results may hardly be convicted of crime. Therefore, the order elements should be deleted and more illegal dereliction of duty can be included in the scope of this crime. As long as the network service provider intentionally or negligently fails to fulfill the information network security management obligation within its capacity, resulting in corresponding serious consequences, it should be convicted in the regulation of this crime.Second, negligence and intention should be included in the subjective aspects of this crime. These situations should all be the subjective aspects of this crime: the network service provider knows that his dereliction of duty may cause serious consequences, but still refuse to fulfill the security management obligations, hoping or allowing the harmful consequences to occur; the network service provider knows that his dereliction of duty may cause serious consequences, but is confident that it can be avoided; the network service provider should notice his dereliction of duty of security management but he did not. As mentioned above, after deleting the order elements, the idea that this crime is purely intentional crime can be terminated, and both negligence and intentional crime can be properly included in this crime.Then, the subjective aspect of the crime should be restricted to negligence, and this crime is negligent crime. After deleting the requirement of ordering, it is natural to define this crime as a negligent crime. In this crime, the network service provider must be opposed to the occurrence of harmful results. Network service providers know that they have not fulfilled their information network security management obligations, but recklessly believe they can avoid the occurrence of network security accidents. Or they should find that they have not fulfilled their security management obligations but they do not. Based on the new theory of negligence and theory of supervision negligence, we can also limit the expansion of conviction of crime through four aspects: the foreseeing obligation, the result avoiding obligation, the foreseeing possibility and the result avoiding possibility.Finally, the scope of situations of harmful consequences should be extended. The limited scope of the result of this crime around information control should be broken. The Criminal Law should provide some other harmful results such as causing large property loss to the country or citizens, causing damage to the operation and stability of network system, causing criminal activities and so on, so as to provide a broader basis for the interpretation of other serious circumstances. This modification can urge network service providers to fulfill their obligations to protect the network safety.After these modifications, it is more appropriate to call this crime the crime of network security management accident. The proposed law is as follows: If a network service provider fails to perform the information network security management obligations prescribed by laws and administrative regulations, resulting in any of the following circumstances, it shall be sentenced to fixed-term imprisonment of not more than three years, criminal detention or public surveillance, and shall also, or shall only, be fined: (i) causing the massive dissemination of illegal information; (ii) causing the disclosure of user information, resulting in serious consequences; (iii) causing the loss of evidence in criminal cases, if the circumstances are serious; (iv) causing serious property losses to the state, the collective or the citizens; (v) causing the damage to the information network system, if the circumstances are serious; (vi) if there are other serious circumstances. Where a unit commits the crime mentioned in the preceding paragraph, it shall be fined, and the persons who are directly in charge and the other persons who are directly responsible for the crime shall be punished in accordance with the provisions of the preceding paragraph. If an act mentioned in the preceding two paragraphs constitutes another crime at the same time, the offender shall be convicted and punished in accordance with the provisions on heavier punishment.At present, the problem of cybersecurity is serious, and the security management obligation of network service providers is extremely important. So the crime has the necessity of establishment. The problem derives from the improper setting of constitutive requirements, specifically, the unclear standard of conviction and sentencing; the existence of order elements; unclear content of subjective aspects; the narrow scope of the harmful consequences. All those improper setting reflects the deep problems of unclear legal interest and value conflict behind the establishment of this crime. The Interpretation implemented in November 2019 provides details of the constitutive requirements of this crime, but it is not helpful to expand the scope of regulation. The only solution is to modify the law: deleting the order elements; adding subjective aspect of negligence; extending the scope of the harmful results of this crime.
