Crime of Hacking into Information System (TCK Article 243)

Definition of Crime (TCK article 243/1)

A prison sentence is imposed on "anyone who unlawfully enters or remains in the whole or part of an information system". Typical elements of crime:

• Information system: Computer, server, network, mobile device, smartphone, IoT device, control panel system, corporate ERP/CRM system, etc.
• Unlawfulness: Lack of consent and permission of the system owner/authorized person.
• Entering or remaining:Initial access without authorization or failure to exit after authorization has expired

The crime may be committed intentionally; Negligently entering an information system does not constitute a crime.

Penalty Range Envisaged in the Legislation

According to TCK Article 243/1, the basic punishment is imprisonment up to 1 year or judicial fine. However, the punishment to be given in the concrete case; It may vary depending on the way the crime was committed, the damage caused, the history of the perpetrator, the reasons for discretionary reduction and the court's discretion. The penalty is increased in the following qualified cases.

Qualified Cases

Benefit Systems in Return for Paid (TCK Article 243/2)

In case this act is committed regarding the systems that can be used for a fee, the penalty is reduced by half. For example, infiltrating a subscription-requiring VOD platform.

Obtaining Data or Disrupting the System (TCK Article 243/3)

If the data contained in the system is destroyed or changed due to this act, a prison sentence of 6 months to 2 years is imposed. This paragraph applies to perpetrators who go beyond mere infiltration and destroy data.

Preventing the Functioning of the System (TCK Article 243/4)

Those who prevent or disrupt the functioning of an information system are sentenced to imprisonment from 1 to 5 years. This includes DDoS attacks and rendering the server inoperable.

Scenarios Encountered in Practice

• Former employee maintaining access to company system after leaving position
• Spouse/partner accessing someone else's e-mail or social media account by learning their password
• Unauthorized access by tenant, partner or roommate to devices on the public network
• People claiming to be "ethical hackers" or security researchers conducting penetration tests without authorization
• Exceeding authority limits in the collaborative project (e.g. authorized user accessing other users' data)
• Entering the Wi-Fi network by cracking the password
• Continuing the session on another device by logging in to "Web" in instant messaging applications

Complaint and Investigation Process

TCK Article 243 is a crime that is not dependent on a complaint but is prosecuted ex officio. The owner of the system or the authorized person may file a criminal complaint by contacting the prosecutor's office or law enforcement. Within the scope of the investigation:

• IP address detection (via logs)
• Forensics examination (device, hard disk, memory image)
• Analysis of system log records
• Witness statements

The collection of evidence is done. The forensic report is the decisive evidence in most cases.

Timeout

The statute of limitations for a lawsuit is 8 years, depending on the amount of the penalty (TCK article 66/1-e). This period begins to run from the date the act was committed.

Jurisdictional and Competent Court

• Court in charge: Criminal Court of First Instance (since the upper limit of the sentence does not exceed 5 years).
• Competent court: The court of the place where the crime was committed (CMK article 12); In cyber crimes, the place where the crime is committed is often considered as the place where the system is located or the place where the damage occurs.

Supreme Court Approach

The 8th Criminal Chamber of the Supreme Court of Appeals and the relevant chambers that subsequently took over the task have established jurisprudence stating that entering the information system is tied to the moment of "actual access" and that only password guessing can remain at the attempted stage. Additionally, exceeding the limits of authority (e.g., the employee goes beyond the modules for which he is authorized) may also constitute this crime.

Frequently Encountered Legal Questions

Will I be committing a crime if I go into my wife's phone and look at her messages?

Unauthorized access to someone else's personal device/password, even if they are a spouse or lover, may be considered within the scope of TCK Article 243; Additionally, the crime of TCK art.135-136 unlawful recording/dissemination of personal data may also come to the fore. The outcome depends on the circumstances of the case and the court's evaluation.

Can I log into my old workplace's server and retrieve my own files?

After the employment relationship ends, the authority to access company systems also ends. Even if there are files that you consider personal, accessing the system without written permission carries legal risks. For such issues, it is safer to send a written request to the employer and take legal action if no response is received.

Is it enough if I say that I am an "ethical hacker" / penetration tester?

Penetration tests performed without authorization may constitute a crime. For ethical hacker activities, it is of great importance to make a detailed written agreement (scope, permission, confidentiality) with the system owner and not to exceed the limits.

Important Points in the Legal Process

• The right to object to forensic reports and log records should be exercised.
• It should be carefully examined who the user of the relevant IP is and whether a shared IP/VPN is used.
• Requesting an impartial expert report should not be neglected.
• If you are a victim, it is critical to initiate a digital forensic investigation before the chain of custody is broken.