|
|
[Home]
[Databases]
[WorldLII]
[Search]
[Feedback]
South African Law Commission |
[Database Search] [Name Search] [Previous] [Next] [Download] [Help]
3.1.1 There are many countries where unauthorised access to computers and unauthorised modification of computer data or software applications have been criminalised. In this chapter we will consider the provisions of a few such countries which will reflect the diverging approaches to the actual definition of these offences.
3.2.1.1 Part VIA of the Australian Crimes Act 1914 (the “Australian Crimes Act”) provides for offences relating to computers. Two of the sections in this Part contain offences concerning access to computer data. The first of these is unlawful access to data in Commonwealth and other computers:
- SECT 76B
Unlawful access to data in Commonwealth and other computers
(1)
A person who intentionally and without authority obtains access to:
(a)
data stored in a Commonwealth computer; or
(b)
data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer;
is guilty of an offence.
Penalty: Imprisonment for 6 months.
(2)
A person who:
(a)
with intent to defraud any person and without authority obtains access to data stored in a Commonwealth computer, or to data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer; or
(b)
intentionally and without authority obtains access to data stored in a Commonwealth computer, or to data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer, being data that the person knows or ought reasonably to know relates to:
(i)
the security, defence or international relations of Australia;
(ii)
the existence or identity of a confidential source of information relating to the enforcement of a criminal law of the Commonwealth or of a State or Territory;
(iii)
the enforcement of a law of the Commonwealth or of a State or Territory;
(iv)
the protection of public safety;
(v)
the personal affairs of any person;
(vi)
trade secrets;
(vii)
records of a financial institution; or
(viii)
commercial information the disclosure of which could cause advantage or disadvantage to any person;
is guilty of an offence.
Penalty: Imprisonment for 2 years.
(3)
A person who:
(a)
has intentionally and without authority obtained access to data stored in a Commonwealth computer, or to data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer;
(b)
after examining part of that data, knows or ought reasonably to know that the part of the data which the person examined relates wholly or partly to any of the matters referred to in paragraph (2)(b); and
(c)
continues to examine that data;
is guilty of an offence.
Penalty for a contravention of this subsection: Imprisonment for 2 years.
3.2.1.2 The second is that of unlawful access to data in Commonwealth and other computers by means of Commonwealth facility:
- SECT 76D
Unlawful access to data in Commonwealth and other computers by means of Commonwealth facility
(1)
A person who, by means of a facility operated or provided by the Commonwealth or by a carrier, intentionally and without authority obtains access to data stored in a computer, is guilty of an offence.
Penalty: Imprisonment for 6 months.
(2)
A person who:
(a)
by means of a facility operated or provided by the Commonwealth or by a carrier, with intent to defraud any person and without authority obtains access to data stored in a computer; or
(b)
by means of such a facility, intentionally and without authority obtains access to data stored in a computer, being data that the person knows or ought reasonably to know relates to:
(i)
the security, defence or international relations of Australia;
(ii)
the existence or identity of a confidential source of information relating to the enforcement of a criminal law of the Commonwealth or of a State or Territory;
(iii)
the enforcement of a law of the Commonwealth or of a State or Territory;
(iv)
the protection of public safety;
(v)
the personal affairs of any person;
(vi)
trade secrets;
(vii)
records of a financial institution; or
(viii)
commercial information the disclosure of which could cause advantage or disadvantage to any person;
is guilty of an offence.
Penalty: Imprisonment for 2 years.
(3)
A person who:
(a)
by means of a facility operated or provided by the Commonwealth or by a carrier, has intentionally and without authority obtained access to data stored in a computer;
(b)
after examining part of that data, knows or ought reasonably to know that the part of the data which the person examined relates wholly or partly to any of the matters referred to in paragraph (2)(b); and
(c)
continues to examine that data;
is guilty of an offence.
Penalty for a contravention of this subsection: Imprisonment for 2 years.
3.2.1.3 The two provisions referred to above create essentially similar offences, namely the unauthorised access to computer data which is under government control. The only additional element contained in section 76D is that a facility operated by the government or a telecommunications service provider is used in order to obtain the unauthorised access. This element seems to be superfluous since section 76B does not specify the equipment or the method by means of which the access referred to there is to be obtained. It could therefore include the methods referred to in section 76D. The two sections also contain the same penalties for the corresponding offences. For these reasons we turn our attention to the provisions of section 76B.
3.2.1.4 The focus of the offences of the Australian Crimes Act is the protection of data stored on computers over which the federal government exercises control. This is as opposed to unauthorised access to the relevant computer equipment itself. This recognises the fact that access to computer data can be unauthorised even though the access to the computer by means of which the data in question is accessed, is obtained lawfully.
3.2.1.5 The first offence created in section 76B is that of mere unauthorised access to data stored on a specified computer. For this offence the purpose for which access is obtained or the nature of the specific data is irrelevant.[41]
3.2.1.6 The second offence in section 76B is essentially the same as the first with the additional element that the unauthorised access is obtained with the intent to defraud a person. For the purpose of this offence the nature of the data which is accessed is irrelevant.[42]
3.2.1.7 The third offence in section 76B also comprises the same elements as the first but in this instance the nature of the data to be accessed is qualified. In the case of this offence the purpose for which the unauthorised access is obtained is irrelevant.[43] The types of information that are relevant for this offence can be classified in four categories:
3.2.1.8 The additional elements of the second and third offences discussed above add to the seriousness with which they are regarded. These offences are therefore subject to somewhat more severe penalties.[45]
3.2.1.9 Section 76B also contains a fourth offence which is aimed at the situation where a person obtains unauthorised access to data of the nature referred to in paragraph 3.1.5.7 above without initially being aware of the nature of the data concerned. The offence is committed if the person subsequently becomes aware of the nature of the data and then continues to examine it.[46] This offence is aimed at solving problems of proof as to the time when the accused acquired the requisite knowledge of the nature of the data in question.
3.2.2.1 In the United Kingdom the Computer Misuse Act 1990 provides for two offences relating to unauthorised access to computers. The first offence is "unauthorised access to computer material":
1 Unauthorised access to computer material
(1) A person is guilty of an offence if–
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
3.2.2.2 This offence is committed when a person causes a computer to perform any function with the intent to secure unauthorised access to a computer program or data held in any computer.[47] The required form of culpability for this offence is intent and the accused must have known the intended access is unauthorised. This is seen as a relatively minor offence and carries a penalty of a fine or imprisonment for a maximum of six months.[48]
3.2.2.3 An important aspect to note about this offence is that the program or data to be accessed need not be located on the computer which performs the function referred to earlier.[49]
3.2.2.4 The purpose for which access is secured is not qualified. As a consequence the offence can be committed even when the purpose for the access is well-meaning.
3.2.2.5 In practice this offence can be committed in a number of ways such as unauthorised use of a person’s password, trying to guess a password or installing a program that will obtain a person’s password without his or her knowledge. It can even be committed by just switching on a computer which a person is not authorised to use.
3.2.2.6 The second offence is "Unauthorised access with the intent to commit a further offence":
2 Unauthorised access with intent to commit or facilitate commission of further offences
(1) A person is guilty of an offence under this section if he commits an offence under section 1 above ("the unauthorised access offence") with intent–
(a) to commit an offence to which this section applies; or
(b) to facilitate the commission of such an offence (whether by himself or by any other person);
and the offence he intends to commit or facilitate is referred to below in this section as the further offence.
3.2.2.7 This offence is committed when a person causes a computer to perform any function to secure unauthorised access to computer material with the intent to commit or to facilitate the commission of an offence for which the sentence is fixed by law or for which a term of imprisonment for five years can be imposed.[50] This is seen as a more serious offence and carries a penalty of a fine or imprisonment for a maximum of five years.[51]
3.2.2.8 A factor pointed out in relation to the offences created in the Computer Misuse Act 1990 is that these provisions may not be fully appreciated by the judges, juries and magistrates who have to decide cases relating thereto.[52] If the underlying danger relating to a particular action is not understood it may lead to the questions such as why it is wrong and why is it sufficiently serious to be an offence. If the scope of an offence is perceived to be too wide there will be a reluctance to apply the law with the result that it will become unworkable.
3.2.2.9 A concern which is raised with the offences of the Computer Misuse Act 1990 generally, but which applies especially to the offence of unauthorised access to computer material, is that the Act does not contain categories of offences which distinguish the more serious cases form the less serious ones.[53] This adds to the complexity of the law which may obscure the underlying reasons why computer misuse is criminalised. This may also make it difficult for judicial officers and juries to appreciate the seriousness of computer misuse.
3.2.2.10 It is argued that these factors influenced the jury’s decision in the case of R v Bedworth.[54] In this case the accused was charged, among other offences, with conspiracy to secure unauthorised access and to cause unauthorised modifications. He did not dispute the evidence against him but raised a defence that he was addicted to computer use, or more specifically computer hacking, and that this had prevented him from forming the necessary intent. In spite of the directions of the presiding judge the jury accepted this defence and acquitted the accused.
3.2.2.11 This adds weight to the view that computer-related offences are not perceived as serious even though the consequences suffered by the victims of those offences are serious.[55] Hackers are perceived as individuals "bucking the system" through some form of eccentric flawed genius.[56]
3.2.3.1 In Singapore the Computer Misuse Act (Chapter 50A) (below "the Singapore Act") came into being in 1993. This Act corresponds to a large extent with the Computer Misuse Act 1990 of the United Kingdom.
3.2.3.2 The Singapore Act contains an offence of unauthorised access to computer material which is similar to the offence contained in the Computer Misuse Act 1990:[57]
3. Unauthorised access to computer material.
(1) Subject to subsection (2), any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $2,000 or to imprisonment for a term not exceeding 2 years or to both.
3.2.3.3 The Singapore Act also contains an offence of unauthorised access to commit or facilitate a further offence:[58]
4. Unauthorised access with intent to commit or facilitate commission of further offences.
(1) Any person who causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer with intent to commit an offence to which this section applies shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both.
3.2.3.4 This offence applies where the further offence which is intended involves property, fraud, dishonesty or can cause bodily harm.[59]
3.2.3.5 Apart from these offences the Singapore Act contains an offence of unauthorised use or interception of a computer service:[60]
6. Unauthorised use or interception of computer service.
(1) Subject to subsection
(2), any person who knowingly –
(a) secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service;
(b) intercepts or causes to be intercepted without authority, directly or indirectly, any function of a computer by means of an electromagnetic, acoustic, mechanical or other device; or
(c) uses or causes to be used, directly or indirectly, the computer or any other device for the purpose of committing an offence under paragraph (a) or (b),
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $2,000 or to imprisonment for a term not exceeding 2 years or to both.
3.2.4.1 In Canada an offence of unauthorised use of a computer was first introduced in the Canadian Criminal Code in 1985.[61]
Unauthorized use of computer
342.1 (1) Every one who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service,
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or
(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)
is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.
3.2.4.2 This section criminalises certain actions relating to the obtaining of a computer service or the interception of a computer function. A “computer service” includes data processing and the storage or retrieval of data.[62] A “function” includes logic, control, arithmetic, deletion, storage and retrieval and communication or telecommunication to, from or within a computer system.[63]
3.2.4.3 In the case of the offences referred to in paragraphs (a) or (b) of section 342.1(1) the purpose for which the computer service was obtained or the computer function intercepted is irrelevant, as long as it was done fraudulently and without colour of right. The use of a computer to commit either of the offences referred to in paragraphs (a) or (b) constitutes a separate offence in terms of paragraph (c).
3.2.4.4 The Canadian approach seems to be focussed on the function or service which a computer renders as opposed to the actual access to the computer or the data or software applications stored on a computer. The offences of section 342.1(1) of the Canadian Criminal Code, especially that of paragraph (c), can therefore be committed by using a computer to which a person has legitimate access.
3.2.4.5 An interesting offence provided for in the Canadian Criminal Code is that of section 342.1(1)(d): using, possessing, or trafficking in computer passwords that would facilitate the commission of one of the other offences of this section. In comments on the options for reform discussed in Issue Paper 14 the introduction of a similar offence in South Africa was also recommended.
3.2.4.6 A further offence relating to computer misuse was introduced in the Canadian Criminal Code in 1997:[64]
Possession of device to obtain computer service
342.2 (1) Every person who, without lawful justification or excuse, makes, possesses, sells, offers for sale or distributes any instrument or device or any component thereof, the design of which renders it primarily useful for committing an offence under section 342.1, under circumstances that give rise to a reasonable inference that the instrument, device or component has been used or is or was intended to be used to commit an offence contrary to that section,
(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding two years; or
(b) is guilty of an offence punishable on summary conviction.
3.2.4.7 At first glance this provision seems to have a very wide scope. However, the element that the relevant actions must be committed “without lawful justification or excuse” provides a built-in defence in the form of a ground for justification of the accused’s actions.
3.2.4.8 This type of offence can be effectively applied to certain software applications which are purposely designed to circumvent security systems or to obtain passwords if such applications can be included in the interpretation of “any instrument or device or any component thereof”.[65]
3.2.5.1 The German Criminal Code contains an offence of "data spying":
Sec. 202a - Data spying
(1) Anybody who without authority procures himself or another data which are not meant for him and which are specially secured against unauthorised access shall be sentenced to imprisonment not exceeding 3 years or to a fine.
(2) Data within the meaning of Subsection (1) shall be deemed to be only those which are stored or transmitted electronically, magnetically, or in any other not directly perceptible way.[66]
3.2.5.2 This offence is committed if a person procures data for himself or herself or for another to which he or she or such other person is not entitled and which is specially secured against unauthorised access.[67] The data concerned must be capable of being stored or transmitted electronically or magnetically or in any other manner that is not directly perceptible.[68] This offence carries a penalty of a fine or imprisonment for a maximum period of three years.
3.2.5.3 The approach in the German Criminal Code reflects a focus on electronic data instead of the functions of a computer. This facilitates the application of the offence to any method by means of which the data was procured, including the use of a computer to which a person had lawful access. The description of “data” in subarticle (2) is wide enough to refer to data stored on a computer but can, in fact, include much more.
3.2.5.4 It is not clear how the element of procurement of the data concerned is interpreted. In South African terms this element may be interpreted as meaning that the data must be removed from its storage location, or at least that a copy thereof must be made. To merely take account of the data will probably not amount to procurement.
3.2.5.5 The fact that the data concerned was “specially secured against unauthorised access” will in South African circumstances probably be used to indicate that the access of the data was unauthorised. In this sense it would be treated as a fact to prove one of the elements of the offence, rather than one of the substantive elements of the offence.
3.2.5.6 The German Criminal Code also contains a number of offences which protect confidential information against unauthorised disclosure:
Sec. 203 - Violation of private secrets
(1) Anybody who without authority discloses another's secret, especially one relating to the personal sphere of life or an industrial or business secret that has been entrusted to him or has otherwise become known to him in his capacity as
1. physician, dentist, veterinarian, dispensing chemist or member of another healing profession requiring state regulated training for the exercise of the profession or for the bearing of the professional title,
2. professional psychologist with a state recognised scientific final examination,
3. lawyer, patent agent, notary public, defence counsel in proceedings regulated by law, certified public accountant, sworn auditor, tax adviser, authorised tax agent, or an organ, or member of an organ, of a society of certified public accountants, auditors, or tax advisers,
4. marriage, family, educational, or youth counsellor as well as addiction counsellor at a counselling agency that is recognised by public authority or by a corporation, institution, or foundation of public law,
4a. member or agent of a recognised counselling agency under Sec. 218b (2) (No. 1),
5. state recognised social worker or state recognised social educationalist or
6. member of an enterprise of private health, accident, or life, insurance or of an accounting office for private physicians,
shall be sentenced to imprisonment not exceeding one year or to a fine.
(2) Likewise shall be punished anybody who without authority discloses another's secret, especially one relating to the personal sphere of life or an industrial or business secret, that has been entrusted to him or has otherwise become known to him in his capacity as
1. holder of a public office,
2. a person with special obligations with regard to the civil service,
3. a person carrying out tasks or responsibilities under the Personnel Representation Law,
4. member of an investigation committee acting for a Federal, or State, legislative body or of any other committee or council who is not himself a member of the legislative body, or as an assistant of such committee or council, or
5. an officially appointed expert who has been formally obligated for the conscientious compliance with his duties on the basis of legal provisions.
Equivalent to a secret within the meaning of Sentence 1 shall be individual information concerning personal or factual circumstances of another that have been recorded for purposes of public administration; Sentence 1 shall not apply, however, where such individual information is disclosed to other public authorities or other agencies for purposes of public administration and this is not prohibited by law.
(3) Equivalent to the parties mentioned in Subsec. (1) shall be their professionally active assistants as well as persons who are working with them while learning the profession. In addition, after the person charged with the duty of protecting the secret has died, anyone who has obtained knowledge of the secret from the deceased or from his estate shall be deemed equivalent to the parties mentioned in Subsec. (1) and those mentioned in Sentence 1.
(4) Subsections (1 - 3) shall also apply where the offender without authority disclose another's secret after the latter's death.
(5) If the offender discloses the secret for a consideration, or with the intention of enriching himself or another or to injure another, punishment shall be imprisonment not exceeding two years or a fine.[69]
3.2.5.7 These offences prohibit the disclosure and exploitation of confidential industrial or business information or personal information which has become known to a person as a result of a specified relationship.[70] These provisions are wide enough to include information stored on a computer.
3.2.6.1 The United States has a myriad statutory provisions at federal and state level dealing with various forms of unauthorised access to computer data. At this juncture we will focus our attention of the federal Criminal Code, being a statute of general application.
3.2.6.2 The Computer Fraud and Abuse Act 1986 inserted certain offences relating to misuse of computers in Title 18 of the United States Code, the Criminal Code of the United States:
§1030 Fraud and related activity in connection with computers
(a) Whoever--
(1) knowingly accesses a computer without authorization or exceeds authorized access, and by means of such conduct obtains information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph r. of section 11 of the Atomic Energy Act of 1954, with the intent or reason to believe that such information so obtained is to be used to the injury of the United States, or to the advantage of any foreign nation;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(3) intentionally, without authorization to access any computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects the use of the Government's operation of such computer;
(4) knowingly and with intent to defraud, accesses a Federal interest computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer;
(5) ...
(6) ...
shall be punished as provided in subsection (c) of this section.
3.2.6.3 This provision creates four offences dealing with unauthorised access to a computer. The main element of the offences created in this provision is the obtaining of unauthorised access to a computer as opposed to the data stored on a computer. This would mean that no offence is committed if a person lawfully obtains access to a computer and then uses that computer to access data which he or she is not authorised to access. Section 1030 of 18 USC addresses this problem by adding the phrase “or exceeds authorized access”.[71]
3.2.6.4 The mere unauthorised accessing of a computer will not be an offence under this provision. In each instance this basic element is coupled with additional elements. These additional elements can be divided into three categories. In the first instance the unauthorised access must lead to the obtaining of certain types of information.[72] In the second instance the nature of the computer to which unauthorised access is obtained is qualified as computers operated by the government.[73] In the last instance the unauthorised access must be coupled firstly with an intent to defraud, and secondly the fact that the intended fraud is in fact furthered by the unauthorised access. In this last instance the nature of the computer to which unauthorised access is obtained is also qualified as a “Federal interest computer”.[74]
3.2.6.5 Apart from these offences section 1030 of 18 USC also contains an offence of trafficking in passwords:
(a) Whoever -
(1) - (5) ...
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if--
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
shall be punished as provided in subsection (c) of this section.
3.2.7.1 The Council of Europe is currently involved in a project to develop a convention on so-called cyber-crime. A draft of this convention was released on 27 April 2000 for discussion and consultation. It is important to take note of the provisions of the Draft Convention on Cyber-Crime (the “draft Convention”) as South Africa will have to adopt an approach against the unauthorised access of computers that is compatible with international developments.
3.2.7.2 The draft Convention will place members of the Council of Europe under an obligation to criminalise certain activities. As is normally the case with international instruments of this nature, the draft Convention does not contain exact detail as to the definitions of the offences to be created. This is left to the Parties to the Convention to be done in accordance with the basic legal principles of their respective legal systems.
3.2.7.3 The first offence which the draft Convention will require Parties to create is named “Illegal Access”.[75] This refers to the intentional access of a computer system without right. A computer system is defined as “any device or a group of inter-connected devices, which pursuant to a program performs automatic processing of data [or any other function]”.[76] This is clearly aimed at the computer itself, as opposed to the data stored on the computer. Parties will be allowed to include two additional elements in their definitions of this offence, namely an infringement of security measures and the intent to obtain computer data.
3.2.7.4 The draft Convention will also contain an obligation to create an offence named “Illegal Interception”.[77] This entails the intentional interception of transmissions of computer data without right. Computer data is defined widely enough to include both computer data and software applications stored on a computer.[78]
3.2.7.5 A third offence which will have to be created in terms of the draft Convention relates to “Illegal Devices”.[79] This includes the production, sale, procurement, import, distribution, making available or possession of a “device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences” relating to unauthorised access to computers and unauthorised modification of computer data or software applications. The offence to be created under this provision should also cover a “computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed”.
3.3.1.1 Part VIA of the Australian Crimes Act contains two offences concerning damaging computer data. The first of these is damaging data in Commonwealth and other computers:
- SECT 76C
Damaging data in Commonwealth and other computers
A person who intentionally and without authority or lawful excuse:
(a)
destroys, erases or alters data stored in, or inserts data into, a Commonwealth computer;
(b)
interferes with, or interrupts or obstructs the lawful use of, a Commonwealth computer;
(c)
destroys, erases, alters or adds to data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer; or
(d)
impedes or prevents access to, or impairs the usefulness or effectiveness of, data stored in a Commonwealth computer or data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer;
is guilty of an offence.
Penalty: Imprisonment for 10 years.
3.3.1.2 The second is Damaging data in Commonwealth and other computers by means of Commonwealth facility:
- SECT 76E
Damaging data in Commonwealth and other computers by means of Commonwealth facility
A person who, by means of a facility operated or provided by the Commonwealth or by a carrier, intentionally and without authority or lawful excuse:
(a)
destroys, erases or alters data stored in, or inserts data into, a computer;
(b)
interferes with, or interrupts or obstructs the lawful use of, a computer; or
(c)
impedes or prevents access to, or impairs the usefulness or effectiveness of, data stored in a computer;
is guilty of an offence.
Penalty: Imprisonment for 10 years.
3.3.1.3 The two sections referred to above create almost identical offences, namely the damaging of data stored on a computer which is under government control. The only additional element contained in section 76E is that a facility operated by the government or a telecommunications service provider is used in order to obtain the unauthorised access. The two sections also contain the same penalties for the corresponding offences. For these reasons our attention will be focussed on section 76C of the Australian Crimes Act.
3.3.1.4 Apart from the elements of destroying, erasing or altering data, found in other the other examples of this type of offence, the Australian Crimes Act also covers the insertion of data in a computer.[80] The same offence of the Australian Crimes Act also covers the interfering with the use of a computer and the impeding of access to data stored on a computer. The descriptions of these offences do not require the actions in question to be associated with the destruction or alteration of data, although this is included under the heading of damaging data in computers.
3.3.1.5 The maximum penalty prescribed for these offences is imprisonment for a period of 10 years, which indicates the seriousness with which these offences are regarded.
3.3.2.1 The Computer Misuse Act 1990 provides for an offence of unauthorised modification of computer material:[81]
3 Unauthorised modification of computer material
(1) A person is guilty of an offence if–
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing–
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.
(3) The intent need not be directed at-
(a) any particular computer;
(b) any particular program or data or a program or data of any particular kind; or
(c) any particular modification or a modification of any particular kind.
(4) For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that any modification he intends to cause is unauthorised.
3.3.2.2 The required form of culpability is intent. The intent must be aimed at causing the modification and thereby to impair the operation of the computer, to prevent access to any program or data or to impair the operation of a program or the reliability of data.[82] There are therefore two elements to the perpetrator’s intent, namely to cause the unauthorised modification and for that modification to have certain consequences.
3.3.2.3 The intent described in subsection (3) is a typical example of dolus indirectus. It need not be directed at any particular computer, any particular data or software application or any particular type of modification. Consequently this formulation can be applied, for example, to a case where a person develops a virus program which is distributed indiscriminately via e-mail or the Internet.
3.3.2.4 In a commentary on the Computer Misuse Act 1990 it is pointed out that since intent is expressly required as an element of the offence, it does not cover reckless damage or modification.[83] This is as opposed to the corresponding offence of criminal damage of property in English law, which includes reckless acts causing damage.
3.3.2.5 It is also pointed out that the description of the offence in section 3 of the Computer Misuse Act 1990 only refers to “the contents of a computer”, in other words data on a computer.[84] This raises a question as to the modification of data on removable storage media such as diskettes. While the data on a storage medium is being accessed by a computer, an argument can be made out that the data is technically “on that computer” even though it is not stored on the computer. However, once the storage medium is removed from the computer the data it contains can no longer be said to be “the contents of a computer”.
3.3.3.1 The Singapore Act provides for an offence of unauthorised modification of computer material:[85]
5. Unauthorised modification of computer material.
(1) Subject to subsection (2), any person who does any act which he knows will cause an unauthorised modification of the contents of any computer shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $2,000 or to imprisonment for a term not exceeding 2 years or to both.
(2) If any damage caused by an offence under this section exceeds $10,000, a person convicted of the offence shall be liable to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.
(3) For the purposes of this section, it is immaterial that the act in question is not directed at --
(a) any particular program or data;
(b) a program or data of any kind; or
(c) a program or data held in any particular computer.
(4) For the purposes of this section, it is immaterial whether an unauthorised modification is, or is intended to be, permanent or merely temporary.
3.3.3.2 The Singapore Act contains a similar provision to the UK Computer Misuse Act 1990, making it clear that the required intent need not be directed at any particular data or computer.[86] The Singapore Act is therefore also wide enough to apply to a case where a virus program is distributed indiscriminately via e-mail or the Internet.
3.3.3.3 Unlike the corresponding offence of the UK Computer Misuse Act 1990, this offence in the Singapore Act does not expressly require the accused’s intent to be aimed at causing any impairment of a computer or any program or data contained on a computer, nor to be aimed at causing any hindrance of access to any program or data. As far as the perpetrator’s state of mind is concerned section 5(1) of the Singapore Act only requires that he or she has knowledge that his or her actions will cause an unauthorised modification of the contents of a computer. The consequences of the unauthorised modification are irrelevant to this offence.
3.3.4.1 The Canadian Criminal Code equates the modification of computer data or software applications with damage to property. Damage to property and alteration of computer data or software applications all form part of the offence of “mischief”, which is a much wider concept than mere damage to physical property:[87]
PART XI WILFUL AND FORBIDDEN ACTS IN RESPECT OF CERTAIN PROPERTY
430(1) Mischief
430. (1) Every one commits mischief who wilfully
(a) destroys or damages property;
(b) renders property dangerous, useless, inoperative or ineffective;
(c) obstructs, interrupts or interferes with the lawful use, enjoyment or operation of property; or
(d) obstructs, interrupts or interferes with any person in the lawful use, enjoyment or operation of property.
430(1.1) Mischief in relation to data
(1.1) Every one commits mischief who wilfully
(a) destroys or alters data;
(b) renders data meaningless, useless or ineffective;
(c) obstructs, interrupts or interferes with the lawful use of data; or
(d) obstructs, interrupts or interferes with any person in the lawful use of data or denies access to data to any person who is entitled to access thereto.
3.3.4.2 The description of the offence in the Canadian Criminal Code does not make reference to the method used to modify or destroy the data in question. Two interesting elements included in this offence are the obstruction of the lawful use of data and the denial of access to data. This may be accomplished without in fact modifying the data in question.[88]
3.3.4.3 Although the offence is headed “mischief” the penalties prescribed indicate that it is regarded as a serious offence. Mischief in relation to data carries a maximum penalty of imprisonment for a period of 10 years.[89] “Data” is defined as “representations of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer system”.[90]
3.3.5.1 The German Criminal Code contains an offence of alteration of data:
Sec. 303a - Alteration of data
(1) Anybody who unlawfully deletes, suppresses, renders useless, or alters data (Sec. 202a (2)) shall be sentenced to imprisonment not exceeding 2 years or to a fine.
(2) The attempt shall be punished.
3.3.5.2 The German Criminal Code also contains and offence of computer sabotage:
Sec. 303b - Computer sabotage
(1) Anybody who interferes with a data processing activity which is of vital importance to another enterprise, another business or a public authority by
1. committing an offence under Sec. 303a (1) or
2. destroying, damaging, rendering useless, removing or altering a data processing system or carrier shall be sentenced to imprisonment not exceeding five years or to a fine.
(2) The attempt shall be punished
3.3.5.3 Data includes data capable of being stored or transmitted electronically or magnetically or in any other manner that is not directly perceptible.[91]
3.3.5.4 The provisions of the German Criminal Code deal with the alteration of data in an abstract manner without associating the alteration of the data with the methods used to accomplish the alteration. This simplifies the definition of the offence an widens its scope.
3.3.6.1 As was mentioned earlier the Computer Fraud and Abuse Act 1986 inserted certain offences relating to misuse of computers in Title 18 of the United States Code, the Criminal Code of the United States:
§1030 Fraud and related activity in connection with computers
(a) Whoever--
(1) ... ;
(2) ... ;
(3) ... ;
(4) ... ;
(5) intentionally accesses a Federal interest computer without authorization and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby--
(A) causes loss to one or more others of a value aggregating $1,000 or more during any one year period; or
(B) modifies or impairs, or potentially modifies or impairs the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals; or
(6) ... ;
shall be punished as provided in subsection (c) of this section.
3.3.6.2 This offence contains many more elements than those of Australia, the United Kingdom or Singapore, for example, and therefore has a much narrower scope. Firstly, the alteration of the data must be coupled with the unauthorised access of the computer on which the data in question is stored. Secondly, the data must be stored on a so-called federal interest computer. Lastly the alteration must have caused a loss to another person of at least $1000 within a period of one year, or must have affected the medical care of a person.
3.3.6.3 The fact that the unauthorised alteration of the data in question must be accomplished by means of unauthorised access to a computer severely limits the scope of this offence, especially since the data must be on the computer to which unauthorised access is obtained. This ignores the fact that a person may use a computer to which he or she has legitimate access to alter or destroy data. This provision is probably based on the premise that a person’s authority to access a computer ends when he or she uses that computer to commit unlawful acts such as the unauthorised alteration of data. However, this construction adds to the complexity of computer misuse offences. The two concepts of access to computers and alteration of the data on computers are best kept separate.
3.3.6.4 The elements of financial loss or of affecting the medical care of a person may address the issue of the seriousness of the offence under this provision.[92] By proving these elements the prosecution will show the serious nature of the actions in question. However, the inclusion of these elements in the definition of the offence immediately raises the question: What about other instances of alteration of critical data.
3.3.6.5 If the offence is defined in such a way that it addresses only actions with serious consequences, then one has to ensure that all consequences that are regarded as serious are enumerated in the definition of the offence. It would be very difficult to draft a provision along these lines that includes all instances where alteration of data is of particular concern. This approach is almost certain to result in glaring omissions where specific instances of alteration of data will escape punishment.
3.3.7.1 As was indicated earlier, the Council of Europe has recently published a draft Convention on Cyber-Crime.[93] The draft Convention will include provisions dealing with the unauthorised modification of computer data or software applications.
3.3.7.2. The draft Convention will oblige members of the Council of Europe to establish as criminal offences the intentional damaging, deletion, deterioration, alteration or suppression of computer data.[94] Computer data is defined widely and can include software applications.[95]
3.3.7.3. The draft Convention will also contain an obligation to criminalise the serious hindering of the functioning of a computer system by “inputting, [transmitting,] damaging, deleting, deteriorating, altering or suppressing computer data”.[96] The activities referred to in this provision do not entail the modification of data, but can have the same serious effects.
3.4.1.1 The Computer Misuse Act 1990 contains only one section dealing with powers of investigation:[97]
14 Search warrants for offences under section 1
(1) Where a circuit judge is satisfied by information on oath given by a constable that there are reasonable grounds for believing–
(a) that an offence under section 1 above has been or is about to be committed in any premises; and
(b) that evidence that such an offence has been or is about to be committed is in those premises;
he may issue a warrant authorising a constable to enter and search the premises, using such reasonable force as is necessary.
3.4.1.2 "Premises" in this provision refers to a physical spaces such as land, buildings, movable structures, vehicles, vessels, aircraft and hovercraft.[98] It is not intended to include the storage space of a computer. It seems therefore that although the search for computer in a physical location may be authorised by a search warrant, it is doubtful whether the search for specific information on that computer will be covered by such a warrant.
3.4.1.3 The Police and Criminal Evidence Act 1984 provides for, among other things, general powers of entry, search and seizure which can be executed after arrest:[99]
18 Entry and search after arrest
(1) Subject to the following provisions of this section, a constable may enter and search any premises occupied or controlled by a person who is under arrest for an arrestable offence, if he has reasonable grounds for suspecting that there is on the premises evidence, other than items subject to legal privilege, that relates –
(a) to that offence; or
(b) to some other arrestable offence which is connected with or similar to that offence.
(2) A constable may seize and retain anything for which he may search under subsection (1) above.
3.4.1.4 An investigating officer may furthermore make copies of anything which he or she has the power to seize.[100]
3.4.1.5 These provisions apply to the section 2 offence of the Computer Misuse Act 1990 (unauthorised access with the intent to commit a further crime). However, these powers can only be executed once an offence has been committed. Furthermore, the word "premises" refers to a physical space or location:[101]
23 Meaning of "premises" etc
In this Act–
"premises" includes any place and, in particular includes –
(a) any vehicle, vessel, aircraft or hovercraft;
(b) any offshore installation; and
(c) any tent or movable structure; and
"offshore installation" has the meaning given to it by section 1 of the Mineral Workings (Offshore Installations) Act 1971.
3.4.1.6 This interpretation clearly excludes the storage space of a computer from the meaning of a premises which may be entered and searched.
3.4.1.7 Another area of investigative powers is that of the interception of communication. The Computer Misuse Act 1990 contains no provisions to make this possible. The only legislation which provides for such powers is the Interception of Communications Act 1985:[102]
2 Warrants for interception
(1) Subject to the provisions of this section and section 3 below, the Secretary of State may issue a warrant requiring the person to whom it is addressed to intercept, in the course of their transmission by post or by means of a public telecommunication system, such communications as are described in the warrant; and such a warrant may also require the person to whom it is addressed to disclose the intercepted material to such persons and in such a manner as are described in the warrant.
(2) The Secretary of State shall not issue a warrant under this section unless he considers that the warrant is necessary–
(a) in the interests of national security;
(b) for the purpose of preventing or detecting serious crime; or
(c) for the purpose of safeguarding the economic well-being of the United Kingdom.
3.4.1.8 Against the background of this provision, which is aimed at protecting national security and the prevention or detection of serious offences, it is unlikely that a warrant for the interception of communication will be authorised with a view to the detection and investigation of the offences under the Computer Misuse Act 1990.[103] It is pointed out that the interception of communication is a potentially vital tool in the investigation and prosecution of unauthorised access to computers which cannot be effectively applied in respect of the Computer Misuse Act 1990.[104]
3.4.1.9 Apart from the problems relating to the investigation of computer-related offences there are also problems relating to the presence and complexity, not to mention the admissibility, of the evidence that may be involved.[105] The Computer Misuse Act 1990 does not contain any provisions regarding the admissibility of evidence, and this will be determined in accordance with the Police and Criminal Evidence Act 1984. Coupled with the problems relating to the formal admissibility of evidence, there are also problems relating to the reliability of evidence to prove that intrusions occurred and that they were committed by the accused.[106]
3.4.2.1 In order to facilitate the investigation of the offences of the Singapore Act, a police officer is entitled to have access to and inspect any computer which he or she has reasonable cause to suspect is used in connection with any of the offences created by the Singapore Act:[107]
14. Powers of police officer to investigate and require assistance.
In connection with the exercise of his powers of investigations under the Criminal Procedure Code, a police officer –
(a) shall be entitled at any time to have access to, and inspect and check the operation of, any computer and any associated apparatus or material which he has reasonable cause to suspect is or has been in use in connection with any offence under this Act; and
(b) may require –
(i) the person by whom or on whose behalf the police officer has reasonable cause to suspect the computer is or has been so used; or
(ii) any person having charge of, or otherwise concerned with the operation of, the computer, apparatus or material,
to provide him with such reasonable assistance as he may require for the purposes of paragraph (a).
3.4.2.2 The Singapore Act also provides for the admissibility of evidence in the form of computer output if it is shown that there is no reasonable ground for believing that the output is inaccurate because of improper use of the computer and that no reason exists to doubt or suspect the truth or reliability of the output, and that at all material times the computer was operating properly.[108]
3.4.3.1 The draft Convention of the Council of Europe contains a number of provisions dealing with procedures to assist in the investigation of computer-related crime. These provisions are mainly aimed at the gathering of evidence during the investigation phase of a criminal process.
3.4.3.2 In an article on search and seizure the draft Convention will create an obligation for Parties to the Convention to enact legislation that will empower their investigative authorities to search computer systems and the data stored therein, as well as other media in which computer data may be stored.[109] This provision is specifically aimed at allowing investigators access to the information stored on computer systems in the same way they would have access to physical premises. If South Africa were to incur such an obligation it would mean that provision would have to be made for a search warrant that authorises access to a computer and the information stored on it.
3.4.3.3 The draft Convention provides further that the mechanism by means of which the investigating authorities will be authorised to access a computer system should be wide enough also to authorise access to information stored in another place but which is available to the initial system.[110] In practice this would mean that a search warrant for a computer should also authorise access to remote locations which are accessible from the computer specified in the warrant and the information stored on them. The only caveat is that the remote location should also be subject to the territorial jurisdiction of the country in which the warrant is issued.
3.4.3.4 Apart from the search powers the draft Convention also provides for the seizure of computer data.[111] The methods that may be used to effect a seizure of information stored on a computer include:
3.4.3.5 The draft Convention takes into account that information stored on computers may be protected by passwords or similar measures. Consequently the draft Convention will oblige Parties to enact legislation empowering the relevant authorities to order a person who has knowledge of the functioning of a computer system, or measures applied to secure the information on the system, to provide all information required for a search and seizure to take place.[112]
3.4.3.6 The draft Convention takes into account that information stored on computers may be protected by passwords or similar measures. Consequently the draft Convention will oblige Parties to enact legislation empowering the relevant authorities to order a person who has knowledge of the functioning of a computer system, or measures applied to secure the information on the system, to provide all information required for a search and seizure to take place.[113]
3.4.3.7 The draft Convention also attempts to address the fact that the information stored on a computer may be of a temporary nature or may be particularly susceptible to modification.[114] This provision will require parties to the Convention to introduce measures enabling its competent authorities to order or otherwise obtain the expeditious preservation of information stored on a computer system.
3.5.1 From this discussion it is clear that there is little uniformity in the descriptions of the relevant offences among the various countries in which the actions of unauthorised access to computers and unauthorised modification of computer data or software applications have been criminalised. It is also clear that it is not sufficient to criminalise only these main offences. One must also introduce related offences which cover all the activities associated with hacking and damaging computer data or software applications.
3.5.2 Another interesting aspect to note is that although many countries have introduced offences to criminalise the relevant activities, not all have introduced special provisions relating to criminal procedure and evidence. This has been pointed out as a major stumbling-block in applying some of these provisions to the investigation and prosecution of the illegal activities.[115] The Council of Europe also seems to realise the importance of this aspect and is going a long way towards addressing it in the draft Convention.
[41] Section 76B(1) of the Australian Crimes Act.
[42] Section 76B(2)(a) of the Australian Crimes Act.
[43] Section 76B(2)(b) of the Australian Crimes Act.
[44] Section 76B(2)(b)(i) to (viii) of the Australian Crimes Act.
[45] Section 76B(2)(a) and (b) of the Australian Crimes Act.
[46] Section 76B(3) of the Australian Crimes Act.
[47] Section 1 of the Computer Misuse Act 1990.
[48] Section 1(3) of the Computer Misuse Act, 1990.
[49] Section 1(2) of the Computer Misuse Act 1990.
[50] Section 2 of the Computer Misuse Act 1990.
[51] Section 2(5) of the Computer Misuse Act 1990.
[52] Battcock The Computer Misuse Act 1990: 5 years on.
[53] Ibid.
[54] Reported in The Times, 18 March,1993.
[55] In R v Bedworth, supra, it was shown that the victims, including an organisation for the research and treatment of cancer, had suffered substantial financial losses.
[56] Charlesworth Legislating against Computer Misuse: The Trials and Tribulations of the Computer Misuse Act 1990.
[57] Section 3 of the Singapore Act.
[58] Section 4 of the Singapore Act.
[59] Section 4(2) of the Singapore Act.
[60] Section 6 of the Singapore Act.
[61] Section 45 of R.S. 1985 c.27 (1st Supp.) which inserted section 342.1 in the Canadian Criminal Code.
[62] Section 342.1(2) of the Canadian Criminal Code.
[63] Ibid.
[64] Section 19 of 1997, c18 introduced section 342.2 in the Canadian Criminal Code.
[65] Examples of such applications are so-called wardialers and trap door programs.
[66] Unofficial translation taken from http://www.pcug.co.uk/~drsolly/laws/germany.txt
[67] Section 202a(1) of the German StGB.
[68] Section 202a(2) of the German StGB
[69] Unofficial translation taken from http://www.pcug.co.uk/~drsolly/laws/germany.txt
[70] Sections 203 and 204 of the German StGB.
[71] 18 USC 1030(a)(1), (2) and (4).
[72] 18 USC 1030(a)(1) and (2).
[73] 18 USC 1030(a)(3).
[74] 18 USC 1030(a)(4).
[75] Article 2 of the draft Convention.
[76] Article 1 of the draft Convention.
[77] Article 6 of the draft Convention.
[78] Article 1 of the draft Convention.
[79] Article 6 of the draft Convention.
[80] Section 76C(a) of the Australian Crimes Act.
[81] Section 3 of the Computer Misuse Act 1990.
[82] Section 3(2) of the Computer Misuse Act 1990.
[83] Battcock The Computer Misuse Act 1990: 5 years on.
[84] Ibid.
[85] Section 5 of the Singapore Act.
[86] Section 5(3) of the Singapore Act.
[87] Section 430 of the Canadian Criminal Code.
[88] The planting of a so-called logic bomb will be an example of the actions covered by this offence.
[89] Section 430(5) of the Canadian Criminal Code.
[90] Section 342.1(2) of the Canadian Criminal Code.
[91] Section 202a(2) of the German StGB
[92] See the discussion concerning the UK Computer Misuse Act 1990 in paragraph 999 to 999 supra.
[93] See paragraph 999 supra.
[94] Article 4 of the draft Convention.
[95] Article 1 of the draft Convention.
[96] Article 5 of the draft Convention.
[97] Section 14 of the Computer Misuse Act 1990.
[98] Section 14(5) of the Computer Misuse Act 1990.
[99] Section 18 of the Police and Criminal Evidence Act 1984.
[100] Section 21(5) of the Police and Criminal Evidence Act 1984.
[101] Section 23 of the Police and Criminal Evidence Act 1984.
[102] Section 2 of the Interception of Communications Act 1985.
[103] Battcock The Computer Misuse Act 1990: 5 years on.
[104] Ibid.
[105] Ibid.
[106] Ibid.
[107] Section 14 of the Singapore Act.
[108] Section 10 of the Singapore Act.
[109] Article 14.1 of the draft Convention.
[110] Article 14.2 of the draft Convention.
[111] Article 14.4 of the draft Convention.
[112] Article 14.5 of the draft Convention.
[113] Article 14.5 of the draft Convention.
[114] Article 16 of the draft Convention.
[115] Battcock The Computer Misuse Act 1990: 5 years on.
SAFLII:
|
|
Terms of Use
|
Feedback
URL: http://www.saflii.org/za/other/zalc/dp/99/99-CHAPTER-3.html