The boundaries of the crime of unauthorized access to a computer system

by Isa Angaroni

With sentence no. 22017 filed on June 11, 2025, the Court of Supreme Justice returned to address a particularly controversial issue already brought to the attention of the Joint Sections, namely the boundaries of the crime of unauthorized access to computer systems governed by Article 615 ter of the Italian Criminal Code.

Specifically, the case concerned access to the computer systems of the Public Prosecutor’s Office of Terni by a Public Official of the Judicial Police Section for the purpose of monitoring a criminal proceeding against unknown persons involving a manager of the same office, which was recognized as unlawful in the lower courts.

The rulings of the appeal judges were based on the principle of law established by the ruling of the Joint Sections “Savarese” No. 41210 of May 2017.

The defense appealed to the Court of Supreme Justice, arguing that, at the time of the events (June 2016), the jurisprudential interpretation of the offense referred to in Article 615 ter of the Italian Criminal Code was very different from that established by the Joint Sections in 2017, which therefore reflects a change in jurisprudence that was unforeseeable at the time the offense was committed and whose application in the present case would constitute a retroactive application in malam partem that is entirely illegitimate.

That said, in order to ascertain the predictability at the time of the events of the change in case law brought about by the Savarese Joint Sections, the Court of Supreme Justice reviewed the state of the art of case law relating to the offense referred to in Article 615 ter of the Italian Criminal Code. 

Firstly, the Court highlighted the conflict in case law at the time of the events, which featured two main opposing approaches. 

According to an initial interpretation, the offense referred to in Article 615-ter of the Italian Criminal Code was committed not only when the perpetrator illegally accessed the computer system, but also in cases where the perpetrator, despite being authorized to access the system, remained within it against the express or tacit will of those who had the right to exclude him. 

In this sense, access was considered unauthorized when the perpetrator remained in the computer system for purposes unrelated to the rationale of the authorization.

On the contrary, a second approach limited the integration of the offense in question to unauthorized access deemed as such due to the lack of an authorization. According to this concept, therefore, the purposes for which a subject entered or remained in a computer system were completely irrelevant in determining whether the offense had been committed.

In view of this conflict in case law, the Joint Sections “Casani” intervened in 2011, according to which the offense referred to in Article 615 ter of the Italian Criminal Code must be considered to have been committed when the perpetrator, despite being authorized to access the system, accesses or remains within it in violation of the conditions and limits indicated by the owner of the system, the subjective reasons underlying such conduct being irrelevant.

However, the above-mentioned conflict in case law was not resolved after the ruling of the Joint Sections, so that several rulings followed which, while adhering to the above-mentioned principle of law, broadened its boundaries by providing interpretations that allowed conduct that was in itself unrelated to the offense referred to in Article 615 ter of the Italian Criminal Code to be considered criminally relevant as they did not fall within the interpretative scope indicated by the Joint Sections.

On this point, reference is made to the 2013 “Carnevale” ruling, according to which the purposes and reasons underlying access to or permanence in a computer system, although, as specified by the Joint Sections, irrelevant in the assessment of the offense, “represent a symptomatic value useful in clarifying whether the perpetrator has used the power within or outside the scope of the actions institutionally conferred upon him” and therefore has complied - as required by the Joint Sections - with the limits and conditions set by the owner of the computer system.

Taking note of the state of the art of case law, which is still divided in its interpretation of the law, the aforementioned Joint Sections intervened in 2017, adhering in fact to the first approach mentioned above.

According to the Joint Sections of 2017, in fact, the assessment of the purposes and reasons for which a subject accesses or remains within a computer system are relevant in determining whether the offense has been committed, to the extent that the offense is to be considered committed “where the perpetrator, despite being authorized and not violating the instructions given by the owner of the computer system, remains there for reasons that are ontologically unrelated to those for which the right of access is granted.

Now, in order to understand whether the defense’s complaints are valid, it is necessary to ascertain whether the principle of law affirmed by the Savarese Joint Sections – which formed the basis for the conviction in the case in question – was foreseeable in June 2016, i.e., at the time of the events.  

In this regard, the Court held that the sharing of the principle of law of the Savarese Joint Sections should not be qualified as a jurisprudential interpretation in malam partem, as it “represents a natural response to the need for specifications and clarifications of the principle affirmed by the Casani Joint Sections in 2011.

The relevance of the reasons for which the perpetrator accesses or remains within the computer system for which he or she is authorized – without prejudice, of course, to the criminal relevance of unauthorized access by a subject without authorization – is, according to the Court, nothing more than an elaboration of the approach already introduced by the Casani ruling, which had highlighted the criminal relevance and therefore the integration of the case in question in the event of exceeding the limits and requirements imposed by the authorization “in the case of performing operations that are ontologically different from those he or she was tasked with performing.”

On the basis of these considerations, qualifying in the case in question the reasons underlying the Public Official’s access in the terms specified above, the Court rejected the appeal, considering that the principle of law in the Savarese ruling was not “unpredictable” at the time of the events, when there was already heated disagreement in case law.