The case concerned the Danish tabloid magazine, “Se & Hør”, who in 2008 hired a system operator at IBM to provide them with information about Danish celebrities and royalty. The system operator used his administrator privileges to extract the information from the PBS and Nets databases operated by IBM (databases storing information about the vast majority of Danes’ credit card activity).
The system operator, publicly known as the “hush-hush-source” (HHS), was paid approximately €1,340 per month by Se & Hør to provide the details of certain public figures’ credit card activities.
The information made it possible for Se & Hør’s journalists to constantly monitor the movement, activities and private matters of their targets. For example, in 2008 the magazine was able to figure out where the Danish prince Joachim and his newly-wed wife Marie were spending their honeymoon, information which the royal family kept closely to themselves.
The defendants consisted of HHS, and three former editor-in-chiefs and two former journalists of Se & Hør.
The prosecution relied on the “hacking-provision” of the Danish Criminal Code by which it’s illegal to “gain unauthorized access to other people’s information meant to be used in an information system“.
To hack or not to hack
One of the main points of contention during the trial was the question of whether HHS’ conduct was actually considered hacking in the legal sense.
One could reasonably argue that HHS did not “gain unauthorized access“, because he already had access to the information as a result of his job as a system operator at IBM. It was well within his rights to access the data – it was the consequent use of the information which raised an issue. In addition, the Court’s decision might have been affected by the fact that HHS also gained access to some of his co-workers’ accounts and reset their passwords.
The Court did eventually find all, bar one, of the defendants guilty. HHS was charged with the primary violation, and the remaining defendants were charged with contributory violation, of the hacking-provision under aggravated circumstances.
HHS was sentenced to one and a half years in prison, and Se & Hør’s editor-in-chief in charge at the time the connection with HHS was established to one year and three months in prison, with three months to be served unconditionally.
Se & Hør’s editor-in-chief who continued the relationship with HHS from 2009 to 2012 was sentenced to one year in prison on the condition of 200 hours of community service. The two former journalists were each sentenced to four months in prison on the condition of 100 hours of community service.
The remaining editor-in-chief of Se & Hør was found not guilty as he was only involved for a brief period of time in 2009 and the prosecution did not succeed in proving his knowledge of the illegality of the arrangement with HHS.
The verdict is remarkable, not only because of the long sentences and the systematic and aggravated character of the offence, but also because of the doubt cast on whether HHS’ actions were actually considered illegal.
Other parties previously involved in the case had pleaded guilty and struck a deal with the prosecution. What if it turned out that actually nothing illegal had taken place? There was some speculation that this might have affected the judgment of the Court.
Additionally, Danish criminal law works with an intensified authority in law tradition, meaning (1) there must be no doubt as to whether a provision has been violated according to its wording and (2) criminal provisions must always be interpreted in favour of the defendant. This therefore contradicts expanding the scope of the hacking-provision, although it does make some sense to interpret “unauthorized access” as also including the use of the acquired information.
The Eastern High Court might shed some additional light on the matter as HHS has appealed the decision. The primarily responsible editor-in-chief has decided not to appeal and the rest of the convicted defendants have yet to decide on appeal.