How Japanese Police Turned Cyber Prank into Arresting Cases

By Shuji Sado


Counter Cyber Crime Unit of the Hyogo Prefectural Police searched the house of a thirteen -year-old, junior-high-school student on a charge of posting on an Internet forum a URL of a page that displays a Java Script alert message in infinite loops.  She was then taken into custody by the police.  You may have heard about this incident in Japan.
 JavaScript infinite alert prank lands 13-year-old Japanese girl in hot water
 Japanese police charge 13-year-old for sharing 'unclosable popup' prank online
Perhaps there are some of you who thought this is some kind of a prank or fake news.  However, sadly,  this is something that really happened in Japan, and let me remind you that this is not a mistake caused by some simple misunderstanding by the officers or exaggerated report by the media.  I would like reveal how grave Japan's cyber space is becoming.

According to the news reports released by NHK, on March 4th the Hyogo Prefectural Police searched the houses of three individuals separately:  a thirteen-year-old junior-high-shcool female student who lives in Kariya, Aichi prefecture, a man of 39 years of age who lives in Yamaguchi prefecture, and a man of 47 years who lives in Kagoshima prefecture.  All three were charged with the same offense which was that they wrote on an internet forum the URL of a very small page that activates the following Java script .
window.alert(" ∧_∧ ババババ\n( ・ω・)=つ≡つ\n(っ ≡つ=つ\n`/  )\n(ノΠU\n何回閉じても無駄ですよ~ww\nm9(^Д^)プギャー!!\n byソル (@0_Infinity_)")
The page that had this Script has already been deleted, but there’s a URL of the archive site in the ZDnet and arstechinica articles, so if you are intrigued, try following the links.  (I will refrain from posing the link to the Java Script page in this article, fearing that I could get arrested.)  On the pop-up dialogue, there’s a message that says "No matter how many times you try to close the dialogue, it's no use" and this alert continue to appear in infinite loops.  However, by simply closing the tab on any commonly used browsers, you can get away from the loop, and this can be shut down as some silly joke.
This page seemed to have been around since a few years ago, and it appears that there were a quite a number of people who posted each other this URL on some particular internet forums.  It is still not clear why only these three were arrested by the Hyogo Prefectural Police under such circumstance.  They may not have any specific reasons for that.
In addition, Hyogo Prefectural Police abruptly searched the houses of individuals in Aichi and Kagoshima prefectures which are outside of their jurisdiction, and it gives you a feeling that doesn’t sit right with you.  Just imagine the Los Angeles Police arresting a Texas resident or an Oregon resident.  That said, in Japan there are many cases that are operated outside the jurisdictions, so this incident isn't limited to a problem only in Hyogo, and maybe it needs to be addressed as a problem of Japan as a whole.
This article is a new law that was appended to Penal Code in 2011, and in Japan, it is generally known as the "Offense of Creating Virus".  Although the law calls it virus, the wider definition of this law was set with an  intension to crack down on developing and distributing malware.  Unfortunately, the official English translation is still yet to be made, so I will post the translation of the article finished by a volunteer.
---
Chapter XIX-2 Crimes Related to Electromagnetic Records of Unauthorized Commands
(Unauthorized Creation of Electromagnetic Records of Unauthorized Commands)
A person who, without justifiable grounds, makes or provides following electromagnetic records or other records for the purpose of executing on other persons' computer shall be punished by imprisonment with work for not more than 3 years or a fine of not more than 500,000 yen.
1. Electromagnetic records that do not operate in accordance with other persons' intention, or gives unauthorized commands which act against their intention, when another person uses a computer.
2. In addition to preceding issue, electromagnetic records or other records that unauthorized commands in the preceding issue is written.
(2) The same shall apply to a person who, without justifiable grounds, execute electromagnetic records which of item 1. of the preceding paragraph on other persons' computer.
(3) An attempt of the crime prescribed under the preceding paragraph shall be punished.
(Acquisition of Electromagnetic Records of Unauthorized Commands)
A person who, for the purpose prescribed for in paragraph (1) of the preceding Article, Acquisition or preservation of electromagnetic records prescribed for in item 1. or 2. of the same Article shall be punished by imprisonment with work for not more than 2 years or a fine of not more than 300,000 yen.

Although this translation appears to have been done scrupulously, yet you might have a hard time understanding it due to the fact that the original Japanese law was written with extremely abstruse and vague expressions. Simply put, this law states that any person who develops, obtains, distributes, or offers "software that gives unauthorized commands" without any specific reasons will be imprisoned with work or fined, and that includes making one's computer behave in a way that goes against one's will, or making the computer act in a way that doesn't reflect the intention of the one using it.
There were presumably no justifiable reasons for the arrested three individuals to make other people open the infinite loop alert page.  Also, at a glance, this problematic page seems that it doesn't operate in accordance with the intention of the reader.  Legally speaking, you can be accused even for attempting it, so even if there were no victims, the moment they posted the URL, it could be a crime.  Supposedly, this is how the police accounts.
Be that as it may, is the infinite loop alert really a program that gives unauthorized commands?  If they are  going to call this page, on which there's only a simple trick that can be ended by closing the browser's tab, illegal, then  what about the ads that are way more malicious than this infinite loop page?  And there are lot of those ads.  If the infinite loop alert is targeted, then these ads should be equally targeted as well.  To me, an ad that pops up bunch of windows or covers the entire screen seem more malicious.  However, according to the police, ads are publicly accepted, and therefore they are legal.  I honestly don’t get how they came up with their standards.
Moreover, these three arrested individuals just wrote on a forum a URL of a page which was created by someone else, and this case is being treated as an attempted crime.  We can't ignore the question whether it is adequate to treat this circumstance, in which nothing happens unless you follow the link, as an attempted crime.
In response to this infinite loop incident, Japan's cyber community is greatly disturbed.  There are three things that are happening simultaneously to arouse the cyber community: anyone involved in the realm of internet, even in the slightest degree, feels that the police are too relentless,  the trial for an incident known as the Coinhive case is still ongoing, and the Diet is aggressively discussing to illegalize downloading.
Putting aside the state in which the Diet is trying to make more and more areas illegal for downloading, the Coinhive case is an incident that the Article 168-2 and 3 are applied, just like they are applied to the infinite loop alert case.
It was an incident that came to light for the first time in June 2018, and in which 16 individuals from all over Japan were arrested, in charge of posting Coinhive(https://coinhive.com/) on their web sites.
Most of them seemed to have caved in to the police's pressure and paid the fine, and just when all the details seemed to be thrown away in the abyss, Mr. Moro, a web designer and one of the 16 individuals who were prosecuted, filed an objection to the summary indictment to pay a fine.  Now it has moved on to a formal trial and the court will reach a decision by the end of the month.
What happened to Mr. Moro is detailed on his blog, but to summarize it, he introduced Coinhive to his own web site for about a month starting in September 2017.  The reason why he did that was to simply run a test to enhance UX.  Perhaps he wanted to wipe out ads.  After introducing Coinhive to his web site, he was pointed out by one of the users to notify the users of the Coinhive introduction, and so after a while, he stopped using Coinhive.  Then after a few months, the police searched his home for the charge of having introduced Coinhive in the past, and he had to go through many hours of investigation.   
It's not made public what the other 15 individuals had to go through, but I suppose their situations were quite similar to Mr. Moro's.  I came across to read about it more than a few times that when he introduced Coinhive in 2017 as a trial, it didn't yield much profit, and there were many who deemed it annoying.  It lacks persuasiveness to treat this site, which most of the readers were able to use without experiencing any inconvenience, as "a site that gives unauthorized commands".  Additionally, by the time the police searched his home, it was already a few months after he had stopped the Coinhive.
The infinite loop alert case and Coinhive case are both incidents that are said to have infringed the same law.  And the police claims that both of them are "software that gives unauthorized commands".  The definition of the word,"unauthorized" that is used here, is it something that is publicly not accepted. In other words, according to how the police accounts, in the cases of ad scrips, that include malicious ones, are publicly accepted, so therefore they are not illegal, the rest are.  On many web sites, there are great deal of Java Scripts, that are not recognized by the users.  According to the police, then all of these must be illegal in Japan.
Speaking of which, until a few days ago, the Hyogo Prefectural Police, who prosecuted the infinite loop alert case, had Google Analytics on their web site.  When many people pointed this out, they just deleted Google Analytics from the page.  They must have realized that they themselves were infringing the Article 168-2,3, and therefore quickly swept it under the rug.
Up till here, I have talked about the two weirdly related cases.  The Article 168-2,3, which are the legal grounds for these cases, were originally devised with an aim to prevent malicious malware.  When these laws were being discussed, the Minister of Justice offered his reply saying that in a case that a person continues to leave a malware bug untreated will also be prosecuted, and that stirred controversy.  That led the Ministry of Justice to make a statement that it only targets those with criminal intent and the bugs that were mistakenly generated will not count.  By these statements, the laws were supposed to incriminate those who were involved in spreading malware that are generally considered as malicious.
It's been a few years since this law had been passed, and now this law has become something that could prosecute anyone without any criminal intent for using a harmless tool at any time. If writing infinite loops or introducing an unknown Java Script tool can be called out as "an unauthorized command" by the police at any time, then you have to be aware of the possibility that the police could barge into your home for simply using the internet.
Generally speaking, in Japan, people who had their homes searched or got arrested by the police tend to get convicted.  Moreover, those records will follow the those people for the rest of their lives to affect not only their lives but also their family members' lives as well.  It gets in their way when they try to get higher education or find a job.  It's been reported that the junior-high-school student and the man of 39, who left the URL to the infinite loop alert, have been coerced to confess "I did the crime," after the oppressive interrogation by the police.  Now these two are in a situation where they have to defend themselves from people who are not tech savvy and likely to put a stigma on them as if these two are felons who committed serious crimes.
At least anyone outside of Japan should be careful with the followings when entering Japan.

  • Do not create HTML links.
  • Do not get yourself involved in any programming including creating a web site.
Especially if you are a programmer who has written loops in the past, the Hyogo Prefectural Police can prosecute you anytime, so you'd better not visit Japan.
Mr. Brenan Eich, the creator of Java Script, has posted on Twitter that he will be the witness to prove the Java Script safety when he comes to Japan, but  he will get arrested the moment he enters Japan as the root of all evil who created "the software that gives (numerous) illegal commands!"  (With levity at heart, please understand that this is half in joke.)


Back to being serious…. The reason why I'm writing what's happening here in Japan in English is because we need your help.  Under normal circumstances, Japanese should be the ones to notice this problem and aim to revise the penal laws.  However, in order to modify penal laws that already went into effect could take a very long time like decades, and I'm afraid that the Prefectural Police all over Japan could be detaining innocent people based on their original interpretation.  Knowing that somehow Japanese public institutions loathe to attract condemnation from abroad, I am hoping that that if the people around the world decry the inadequate behaviors of the Japanese police, they will refrain from running aggressive and relentless investigations like they did in the two cases.
The Japanese Police organizations do not have the mechanism to get a feedback from outside, so even if you visit the web sites of the Hyogo Prefectural Police, who caused the infinite loop alert case, and the Kanagawa Prefectural Police, who caused the Coinhive case, you won't be able to gain any useful information.  Both of these sites are releasing information on Twitter and Facebook, but they never write back.  So, I think the best way is to write your honest view on this matter on SNS.  
When you Tweet about it on Twitter, you might like to use #KobeBeefPolice and #FoolLoop .  Kobe is the center city of Hyogo.  My guess is that you are more familiar with KobeBeef than Hyogo, am I right?
By the way, to anyone with a Github account, I recommend that you take a look at Lets get arrested project (https://github.com/hamukazu/lets-get-arrested).  This is like half in joke, and I don’t think it can directly pressure the police.  But the more the people talk about this project, I see the possibility that the bigger influence and impact it can give the Japanese police.  Please jump on the wagon to increase this project's stars and forks. 
Kanagawa Prefectural Police